SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

DFIR Hero — David Cowen Interview

David Cowen is teaching our Windows Forensics Course in SANS Minneapolis in July 2015. Sign up now to take this course with David. We interviewed David so you can get to know him a bit better — he is one of the best in the industry. A leader. An astonishing analyst and visionary. He is … Continue reading DFIR Hero — David Cowen Interview


Call For Presenters — DFIR Prague 2015 #DFIRPrague

Submit your submissions to dfireuropecfp@sans.org by 5 pm BST on 1 June, 2015 with the subject "SANS DFIR Europe Summit." Dates: Summit Date: - 11 October, 2015 Pre-Summit Training Course Dates: 5-10 October, 2015 Post-Summit Training Course Dates: 12-17 October, 2015 Summit Venue: Angelo Hotel Prague Radlicka 1-G, Prague 5 Prague, CZ Phone: +420 234 … Continue reading Call For Presenters — DFIR Prague 2015 #DFIRPrague


Identifying and Disrupting Crypto-Ransomware (and Destructive Malware)

In recent years, malware has become very personal. Crypto-ransomware threats, including CryptoLocker, CryptoWall and TorrentLocker (pdf), have infected home users, businesses and even police departments, all of whom have had their personal data and hard work held hostage. When we think of precious family photos or an academic thesis being wiped by pure greed, it … Continue reading Identifying and Disrupting Crypto-Ransomware (and Destructive Malware)


Detecting DLL Hijacking on Windows

Initially identified fifteen years ago, and clearly articulated by a Microsoft Security Advisory, DLL hijacking is the practice of having a vulnerable application load a malicious library (allowing for the execution of arbitrary code), rather than the legitimate library by placing it at a preferential location as dictated by the Dynamic-Link Library Search Order which … Continue reading Detecting DLL Hijacking on Windows


How Miscreants Hide From Browser Forensics

Scammers, intruders and other miscreants often aim to conceal their actions from forensic investigators. When analyzing an IT support scam, I interacted with the person posing as the help desk technician. He brought up a web page on the victim's system to present payment form, so the person would supply contact and credit card details. He did this in a surprising manner, designed to conceal the destination URL. Continue reading How Miscreants Hide From Browser Forensics