SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Device Profiling With Windows Prefetch

It wasn't that long ago that every report I read containing Windows prefetch artifacts included only the basics: executable name, first and last time executed (now eight timestamps in Win8), and number of executions. There is much more information stored in prefetch files, but until recently there were few tools toeasily parse and provide it … Continue reading Device Profiling With Windows Prefetch


A Threat Intelligence Script for Qualitative Analysis of Passwords Artifacts

The Verizon Data Breach Report has consistently said, over the years, passwords are a big part of breach compromises. Dr. Lori Cranor, and her team, at CMU has done extensive research on how to choose the best password policies verses usability. In addition, Alison Nixon's research describes techniques to determine valid password of an organization … Continue reading A Threat Intelligence Script for Qualitative Analysis of Passwords Artifacts


Detecting Shellcode Hidden in Malicious Files

A challenge both reverse engineers and automated sandboxes have in common is identifying whether a particular file is malicious or not. This is especially true if the malicious aspects are obfuscated and only triggered under very specific circumstances. There are a number of techniques available to try and identify embedded shellcode, for example searching for … Continue reading Detecting Shellcode Hidden in Malicious Files


DFIR Hero — Cindy Murphy Interview

Cindy Murphy is teaching our Advanced Smartphone Forensics Course in McLean, VA in February 2016 . Sign up now to take this course with Cindy. We interviewed Cindy so you can get to know her a bit better. Cindy's real world experience working in law enforcement and cyber security communities combined with her unending knowledge … Continue reading DFIR Hero — Cindy Murphy Interview


How to Install SIFT Workstation and REMnux on the Same Forensics System

Combine SIFT Workstation and REMnux on a single system to create a supercharged Linux toolkit for digital forensics and incident response tasks. Here's how. Continue reading How to Install SIFT Workstation and REMnux on the Same Forensics System