SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

What is New in Windows Application Execution?

One of the great pleasures of performing Windows forensics is there is no shortage of application execution artifacts. Application execution tells us what has run on a system and is often the pivot point that reveals important activity on the system. Why was FTP run on this workstation? Is it normal to see execution of … Continue reading What is New in Windows Application Execution?


Mastering Malware Analysis Skills - The Power of a Capture-the-Flag Tournament

Here at SANS, we've worked hard to deliver a Reverse Engineering Malware course packed with technical knowledge, hands-on exercises, and our insights from years of experience. Just as attackers and their tools continue to evolve, so has this course to arm participants with relevant skills they can apply immediately. As both an instructor and a … Continue reading Mastering Malware Analysis Skills - The Power of a Capture-the-Flag Tournament


Examining Shellcode in a Debugger through Control of the Instruction Pointer

During the examination of malicious files, you might encounter shellcode that will be critical to your understanding of the adversary's intentions or capabilities. One way to examine this malicious code is to execute it using a debugger after setting up the runtime environment to allow the shellcode to achieve its full potential. In such circumstances, … Continue reading Examining Shellcode in a Debugger through Control of the Instruction Pointer


Analyzing Shellcode Extracted from Malicious RTF Documents

During the analysis of malicious documents designed to exploit vulnerabilities in the programs which load them (thereby allowing the running of arbitrary code), it is often desirable to review any identified shellcode in a debugger. This allows an increased level of control and flexibility during the discovery of it's capabilities and how it implements the … Continue reading Analyzing Shellcode Extracted from Malicious RTF Documents


Was DPRK behind the Sony hack?

UPDATE:While this post was embargoed, various news outlets have claimed that sources in the US Government are confirming North Korea's involvement in the Sony hack. I don't have the intelligence they have access to and North Korea has already denied participation in the hack publicly. If North Korea was behind the attack, then it heralds … Continue reading Was DPRK behind the Sony hack?