SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Digital Forensics Case Leads: Using VMWare for Forensic Analysis

I have a lot of students ask me about different options for case management/forensic analysis tools besides commercial products. As we know, VMware Desktop is not free, but you can download a free 30-day trial copy and use it to run the SIFT Workstation (for example). I also recommend the bootable Knoppix-like CDs, which support live analysis and include case management as well. Here is a great tutorial from Forensic Focus on using VMware as a forensic tool.


  • VMware and SANS SIFT Workstation. The SANS SIFT Workstation is a VMware appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format


Digital Forensics Practitioners Take Note: MS DLL Hijacking

DLL Hijacking Issue Gets Out Of Band Fix / Work Around From Microsoft

Though not as simple for the bad guys to pull off as today's drive-by hacking exploits (successful exploitation requires that a user first be tricked into visiting an untrusted WebDAV server in the Internet Zone and then double-click a file of any type), this enables attackers to cause a malicious file to be executed on the user's PC.

Because this is not an enabler of traditional drive-by hacking, many dismissed the severity of this vulnerability. However, given the recent publication of a Microsoft advisory, Insecure Library Loading Could Allow Remote Code Execution, an initial workaround published last week and a new tool released


Digital Forensics Case Leads: Reverse Engineer Malware, Analyze Timelines and Report Findings

This week, we have a wealth of information about REMnux, Lenny Zeltser's Linux distribution for analyzing malware, Kristinn Gudjonsson's paper on Super Timeline Analysis, and some interesting report-writing posts that I wanted to call attention to again. There's a lot of interesting reading ahead, so without further ado...

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to

Reverse Engineering Malware:

Since he released his REMnux distribution for analyzing malware, our friend Lenny Zeltser has gotten quite a bit of attention for his distribution and for his SANS class, Reverse Engineering Malware.


Toronto - Network Forensics 558

SANS is pleased to announce Community SANS Toronto 2010, running
November 22 - 27. We will offer two of our most popular courses,
in our signature bootcamp style with plenty of hands-on exercises. For
complete course details and to register, please visit

Register by October 13 and save $400 on tuition fees. Please note that
SANS Forensics 558, Network Forensics, has sold out in every location we
have offered it in 2010, so register early to avoid disappointment.

WHEN: November 22 - 27, 2010

Forensics 558: SANS Network Forensics
Instructor: Guy Bruneau, Ottawa
30 CPEs

$3,160 through October 13, 2010

New York - Reverse-Engineering Malware - Forensics 610

SANS is pleased to announce Community SANS New York City 2010. Presenting one of our most popular courses, New York will be getting one of our top SANS instructors, Lenny Zeltser.

Please note that Forensics 610 has sold out at several SANS events since June. Now is your opportunity to take this essential SANS Forensics course.

- October 25 - 29, 2010
SANS Forensics New York City
Forensics 610: Reverse-Engineering Malware: Malware Analysis Tools
and Techniques
Tuition fee: Save $400 when you register by September 8
Instructor: LENNY ZELTSER, Course author and SANS Certified Instructor

Please note that there is a special 10% discount available to all
InfraGard members for this course and 50 other SANS courses
available at (