SANS Digital Forensics and Incident Response Blog: Category - Incident Response

Acquiring a Memory Dump from Fleeting Malware

Introduction The acquisition of process memory during behavioural analysis of malware can provide quick and detailed insight. Examples of where it can be really useful include packed malware, which may be in a more accessible state while running, and malware, which receives live configuration updates from the internet and stores them in memory. Unfortunately the … Continue reading Acquiring a Memory Dump from Fleeting Malware


TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11

BLOG ORIGINALLY POSTED SEPTEMBER 30, 2017 HEATHER MAHALIK This is going to be a series of blog posts due to the limited amount of free time I have to allocate to the proper research and writing of an all-inclusive blog post on iOS 11. More work is needed to make sure nothing drastic is missing … Continue reading TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11


Coin Check: Win the challenge, join the elite list of lethal forensicators & take home a brand new DFIR challenge coin!

Hundreds of SANS Institute digital forensics students have stepped up to the challenge and conquered. They've mastered the concepts and skills, beat out their classmates, and proven their prowess. These are the elite, the recipients of the SANS Lethal Forensicator Coin, an award given to a select portion of the thousands of students that … Continue reading Coin Check: Win the challenge, join the elite list of lethal forensicators & take home a brand new DFIR challenge coin!


4 Cheat Sheets for Malware Analysis

DFIR professionals have much to remember. Conveniently, 4 of Lenny Zeltser's cheat sheets summarize key tools and techniques for analyzing and reverse-engineering malicious software. Continue reading 4 Cheat Sheets for Malware Analysis


WannaCry Ransomware Threat : What we know so far - WEBCAST slides

The WannaCry ransomware worm is unprecedented for two reasons. First, it's a ransomware worm. Second, it appears to be using a recently patched exploit that was stolen from NSA to propagate. Jake Williams' firm, Rendition Infosec, has been tracking the use of this exploit since it was publicly released and completed another internet-wide scan of … Continue reading WannaCry Ransomware Threat : What we know so far - WEBCAST slides