SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Detecting Shellcode Hidden in Malicious Files

A challenge both reverse engineers and automated sandboxes have in common is identifying whether a particular file is malicious or not. This is especially true if the malicious aspects are obfuscated and only triggered under very specific circumstances. There are a number of techniques available to try and identify embedded shellcode, for example searching for … Continue reading Detecting Shellcode Hidden in Malicious Files


DFIR Hero — Cindy Murphy Interview

Cindy Murphy is teaching our Advanced Smartphone Forensics Course in McLean, VA in February 2016 . Sign up now to take this course with Cindy. We interviewed Cindy so you can get to know her a bit better. Cindy's real world experience working in law enforcement and cyber security communities combined with her unending knowledge … Continue reading DFIR Hero — Cindy Murphy Interview


How to Install SIFT Workstation and REMnux on the Same Forensics System

Combine SIFT Workstation and REMnux on a single system to create a supercharged Linux toolkit for digital forensics and incident response tasks. Here's how. Continue reading How to Install SIFT Workstation and REMnux on the Same Forensics System


New Windows Forensics Evidence of Poster Released

Link for new poster ->http://dfir.to/GET-FREE-DFIR-POSTER The "Evidence of..." categories were originally created by SANS Digital Forensics and Incidence Response faculty for the SANS course FOR408: Windows Forensics. The categories map a specific artifact to the analysis questions that it will help to answer. Use this poster as a cheat-sheet to help you remember where you … Continue reading New Windows Forensics Evidence of Poster Released


ESE Databases are Dirty!

With the release of Internet Explorer 10, Microsoft made a radical departure from the way previous browser artifacts were stored. The perennial Index.dat records were replaced with a centralized meta-data store for the browser using the proven "JET Blue" Extensible Storage Engine (ESE) database format. While many forensic examiners have remained blissfully unaware of the … Continue reading ESE Databases are Dirty!