SANS Digital Forensics and Incident Response Blog: Category - Incident Response

Help Improve EDD - Encrypted Disk Detector!

Device acquisition may not be the sexiest phase of digital forensics, but it has the most number of pitfalls and can result in catastrophic loss. If a practitioner makes a mistake during acquisition, the investigation may simply be over, with nothing left to examine. Establishing an acquisition process is important, and a critical part of … Continue reading Help Improve EDD - Encrypted Disk Detector!


Protecting Privileged Domain Accounts: Network Authentication In-Depth

[Author's Note: This is the 5th in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with comprised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.] To coincide … Continue reading Protecting Privileged Domain Accounts: Network Authentication In-Depth


Digital Forensic Case Leads: Anon Strikes Again, and Again. Groupon Litigation Threats. DarkMarket Motivations Revealed. The Tutu Has Been Donned

This week's Digital Forensic Case Leads is chock full of forensics nuggets. Links to great forensics tools for encryption detection and memory extraction, plus a how-to for breaking/auditing the OS X Keychain. You will also find an analysis of the Samsung v. Apple patent case from a digital forensics perspective, with IP Attorney Ben Langlotz. … Continue reading Digital Forensic Case Leads: Anon Strikes Again, and Again. Groupon Litigation Threats. DarkMarket Motivations Revealed. The Tutu Has Been Donned


New Advanced Persistent Threat Based - FOR508 Released in On-Demand

It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don't ask us how we know, but you should probably check out several of your systems. You are compromised by the APT. Most organizations are left speechless as 90% of all intrusions are … Continue reading New Advanced Persistent Threat Based - FOR508 Released in On-Demand


Four Focus Areas of Malware Analysis

Malware analysis and the forensic artifacts involved are made up of four areas of focus. The four areas of focus are behavior, code, memory, and intelligence analysis. Each has its own techniques which will be covered briefly. An analyst is in the middle of a case and finds an executable artifact. In searching the hash … Continue reading Four Focus Areas of Malware Analysis