SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros

SRP streams in Microsoft Office documents can reveal older versions of VBA macro code used by the adversary in earlier attacks. After the attacker modifies the malicious document for a new attack, Microsoft Office sometimes retains a cache of the earlier macro inside these streams, allowing analysts to expand their understanding of the incident and derive valuable threat intelligence. In other words, SRP streams can help investigators travel back in time. Continue reading SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros


Managing and Exploring Malware Samples with Viper

Keeping track of all the samples on your plate can become cumbersome and at times, next to impossible; that's where projects like Viper come in. Viper is "a framework to store, classify and investigate binary files." The following article, contributed by David Westcott, explains how to get started with this tool. Continue reading Managing and Exploring Malware Samples with Viper


#FOR526 #MemoryForensics Course - Special Deal for Online Training and Capital City in July

FOR526 - 10% Off for vLive (Online Live Training)orCapital City in July. Use code = m3mory FOR526 - 10% Off forvLive(Online Live Training)orCapital City in July. Use code = m3mory Continue reading #FOR526 #MemoryForensics Course - Special Deal for Online Training and Capital City in July


HeartBleed Links, Simulcast, etc.

At SANS 2014 last night, I gave a quick briefing on the HeartBleed vulnerability that impacts the security of the Internet. I wanted to post a few links in the interim (until the webcast itself is published, which I'm told will be by 3PM EDT). The slides are available here. I have built a server … Continue reading HeartBleed Links, Simulcast, etc.


Signature Detection with CrowdResponse

CrowdResponse is a free tool written by Robin Keir from CrowdStrike. Robin has a long history of developing excellent tools for the community including SuperScan, BinText, Fpipe, and CrowdInspect. The goal of CrowdResponse is to provide a lightweight solution for incident responders to perform signature detection and triage data collection. It supports all modern Windows … Continue reading Signature Detection with CrowdResponse