SANS Digital Forensics and Incident Response Blog: Category - Incident Response

Protecting Privileged Domain Accounts: Disabling Encrypted Passwords

[Author's Note: This is the 3rd in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with compromised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.] Update: I have …


Protecting Privileged Domain Accounts: LM Hashes — The Good, the Bad, and the Ugly

[Author's Note: This is the 2nd in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with compromised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.] I realize the …


Protecting Privileged Domain Accounts: Safeguarding Password Hashes

Have you ever made a connection to a potentially compromised remote machine using a privileged domain account and wondered if there was any chance that your privileged credentials could be revealed in some way to the attacker? I have. After wondering and worrying about it, the curiosity (and paranoia) finally got to me and so …


Thoughts on Malware, Digital Forensics and Data Breaches by Hal Pomeranz

Hal Pomeranz shares his insights on malicious software in the context of data breaches, incident response and digital forensics. Hal's expertise spans several areas of information security, and most recently has focused on forensics. He teaches several courses at SANS Institute, including Reverse-Engineering Malware.


Digital Forensics: UID and GID distributions

On Unix and Linux systems each file has a user id and a group id, uid and gid respectively, showing the file's owner and group. On most *nix systems files in system directories are uid and gid root, which is represented by the numeric uid and gid value of 0, see the sample listing below: …