SANS Digital Forensics and Incident Response Blog: Category - Incident Response

Signature Detection with CrowdResponse

CrowdResponse is a free tool written by Robin Keir from CrowdStrike. Robin has a long history of developing excellent tools for the community including SuperScan, BinText, Fpipe, and CrowdInspect. The goal of CrowdResponse is to provide a lightweight solution for incident responders to perform signature detection and triage data collection. It supports all modern Windows … Continue reading Signature Detection with CrowdResponse


The Importance of Command and Control Analysis for Incident Response

Understanding how malicious software implements command and control (C2) is critical to incident response. Malware authors could use C2 to execute commands on the compromised system, obtain the status of the infection, commandeer numerous hosts to form a bot network, etc. This article explains how malware performs C2 functions and clarifies how this information can aid responders in detecting, analyzing, and remediating malware incidents. Continue reading The Importance of Command and Control Analysis for Incident Response


Stream-based Memory Analysis Case Study

Based on FOR526 Memory Forensics In Depth content I recently worked an investigation that involved anomalous network traffic occurring inside a customer's network between a handful of workstations and the internal DNS server. I was given memory images collected by the customer from two of the offending systems. Following the memory analysis methodology we teach … Continue reading Stream-based Memory Analysis Case Study


FOR610 Malware Analysis Course Toolkit Expansion

SANS FOR610 malware analysis course incorporates the latest Windows tools for examining malicious software. Students now receive a toolkit based on a pre-built Windows virtual machine. This toolkit supplements the Linux-based REMnux virtual machine that has been a staple of malware analysts' arsenal of utilities. Continue reading FOR610 Malware Analysis Course Toolkit Expansion


Tools for Analyzing Static Properties of Suspicious Files on Windows

Examining static properties of suspicious files is a good starting point for malware analysis. This effort allows you to perform an initial assessment of the file without even infecting a lab system or studying its code. Let's take a look at several free Windows tools that are useful for extracting such meta data from potentially-malicious executables. Continue reading Tools for Analyzing Static Properties of Suspicious Files on Windows