SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Beats and Bytes - Striking the Right Chord in Digital Forensics       

There is geometry in the humming of the strings, there is music in the spacing of the spheres. - Pythagoras DOWNLOAD PAPER HEREand see them perform at the DFIR SUMMIT and TRAINING 2017 in AUSTIN TX. Curiosity is a personality trait that tends to draw me towards others in a way that forms lasting and … Continue reading Beats and Bytes - Striking the Right Chord in Digital Forensics


WannaCry Ransomware Threat : What we know so far - WEBCAST slides

The WannaCry ransomware worm is unprecedented for two reasons. First, it's a ransomware worm. Second, it appears to be using a recently patched exploit that was stolen from NSA to propagate. Jake Williams' firm, Rendition Infosec, has been tracking the use of this exploit since it was publicly released and completed another internet-wide scan of … Continue reading WannaCry Ransomware Threat : What we know so far - WEBCAST slides


FOR408: Windows Forensic Analysis has been renumbered to FOR500: Windows Forensics Analysis

The FOR408: Windows Forensic Analysis course was renumbered to FOR500: Windows Forensic Analysis. SANS renumbered the course to better reflect the course's intermediate-level material. The content of the course will remain basically the same, although it will be constantly updated to reflect changes in the field. FREQUENTLY ASKED QUESTIONS Why change the course … Continue reading FOR408: Windows Forensic Analysis has been renumbered to FOR500: Windows Forensics Analysis


Turning a Snapshot into a Story: Simple Method to Enhance Live Analysis

System snapshots are a core component when conducting forensic analysis on a live machine. They provide critical insight intowhat was going on at the time they were taken, but this is also their limitation: your view is limited to a precise moment in time, without context and the opportunity to observe changes as they … Continue reading Turning a Snapshot into a Story: Simple Method to Enhance Live Analysis


Mass Triage Part 3: Processing Returned Files - At Jobs

Our story so far... Frank, working with Hermes, another security analyst, goes to work to review the tens of thousands of files retrieved by FRAC. They start off by reviewing the returned AT jobs. AT Job Used by Actors AT jobs are scheduled tasks created using the at.exe command. At jobs take the filename format … Continue reading Mass Triage Part 3: Processing Returned Files - At Jobs