SANS Digital Forensics and Incident Response Blog: Category - eDiscovery

Detecting DLL Hijacking on Windows

Initially identified fifteen years ago, and clearly articulated by a Microsoft Security Advisory, DLL hijacking is the practice of having a vulnerable application load a malicious library (allowing for the execution of arbitrary code), rather than the legitimate library by placing it at a preferential location as dictated by the Dynamic-Link Library Search Order which … Continue reading Detecting DLL Hijacking on Windows


Case Leads: A Forensicator's take on BlackHat/DefCon/BSides

It's been a busy time in digital forensics and incident response (DFIR). Every summer, for over 20 years, infosec and forensicators and old school hackers have gathered in Las Vegas. A mixture of very deep tech talks, trainings, and technology oriented distractions "flood the zone" in Las Vegas. Close to 15-20,000 people were in Las … Continue reading Case Leads: A Forensicator's take on BlackHat/DefCon/BSides


When Cases Involve SSNs and Credit Card Data: "Sensitive Data Search and Baseline" Python Script

A key component of any investigation is the type of data exfiltrated. If sensitive data is on a compromised machine, risk is increased significantly. Also, there is a patch work of legislation covering various types of data which is considered sensitive (http://www.reyrey.com/regulations/). In general, social security and credit card numbers are at the top of … Continue reading When Cases Involve SSNs and Credit Card Data: "Sensitive Data Search and Baseline" Python Script


Cloud Forensics with F-Response

Like many great inventions, the idea behind F-Response is so simple and elegant it is hard not to punish yourself for not thinking of it. Using the iSCSI protocol to provide read-only mounting of remote devices opens up a wealth of options for those of us working in geographically dispersed environments. I have used it … Continue reading Cloud Forensics with F-Response


Caseleads: South Korea Attack Forensics; Google Glass Brings Discoverable Evidence To Litigation; The Post Data Breach Boom; Fighting Insider Fraudsters

Mark this date: On March 20th 2013, the non-technical managers may finally start to understand what a digital forensics professional actually does. With the massive cyber attacks on South Korean banks, media outlets, and ISPs, the role of forensicators is put front and center. The attack(s) resulted in widespread ATM outages, online banking and mobile … Continue reading Caseleads: South Korea Attack Forensics; Google Glass Brings Discoverable Evidence To Litigation; The Post Data Breach Boom; Fighting Insider Fraudsters