SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Triage Collection and Timeline Generation with KAPE

As a follow-up to my SANS webcast, which you can view here, I wanted to post detailed instructions on how to use KAPE to collect triage data and generate a mini-timeline from the data collected. As much as I hate to say "push button forensics", once you get KAPE up and running, it really is …


A few Ghidra tips for IDA users, part 4 - function call graphs

One of the features of IDA that we use in FOR610 that can be helpful for detecting malicious patterns of API calls is the feature for creating a graph of all function calls called from the current function and any functions that it calls. The graph itself isn't all that pretty to look at, but …


Finding Registry Malware Persistence with RECmd

If you have been keeping your forensic toolkit up to date, you have undoubtedly used Registry Explorer, a game-changing tool for performing Windows registry analysis. RECmd is the command line component of Registry Explorer and opens up a remarkable capability to script and automate registry data collection. My interest in this tool was recently …


A few Ghidra tips for IDA users, part 3 - conversion, labels, and comments

In this entry in my series, I'll look at a few more of the features I regularly use in IDA and how to accomplish the same in Ghidra. The first one is simple conversion. In this case, hex to ASCII characters (classic stack strings stuff that we cover in Day 5 of FOR610). I miss …


Offline Autoruns Revisited - Auditing Malware Persistence

I was digging through the archives recently and stumbled upon my old post, Autoruns and Dead Computer Forensics. Autoruns is an indispensable tool from Sysinternals that extracts data from hundreds of potential auto-start extensibility points (ASEPs), a fancy Microsoft term for locations that can grant persistence to malicious code. We leverage live Autoruns collection in …