SANS Digital Forensics and Incident Response Blog: Category - Incident Response

Looking at Mutex Objects for Malware Discovery and Indicators of Compromise

Mutex (a.k.a. mutant) objects, which are frequently used by legitimate software, can also help defenders discover the presence of malicious programs on the system. Incident responders can examine the infected host or reverse-engineer malware to identify mutex names used by the specimen, which will allow them to define the signs of the infection (a.k.a. indicators of compromise). Let's take a look at how mutex objects are used and what tools are available to identify them on a system.


An Overview Of Protocol Reverse-Engineering

With this post I'm kicking off a series designed to help analysts reverse engineer undocumented - or poorly documented - network protocols. It is fairly common for incident responders to be presented with a network packet capture (PCAP) …


Digital Forensics Case Leads: Your Password Is Out There, again...

Data breaches at LinkedIn, eHarmony, and Last.fm exposed millions of account passwords, and probably other data that the attackers haven't made public. There is also a wealth of interesting new and updated tools. Among these are HexDive, SquirrelGripper, ShadowKit, and a Report Writing cheat sheet from Girl, Unallocated. Also worthy of particular note is Corey Harrell's Compromise Root Cause Analysis Model.


The APT is already in your network. Time to go hunting — Learn how in new training course SANS FOR508

The Advanced Persistent Threat is already in your network. Time to go hunting. It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don't ask us how we know, but you should probably check out several of your systems including 10.3.58.7. You are …


How to Extract Flash Objects From Malicious MS Office Documents

Authors of malicious Microsoft Office documents can execute code on the victim's system using several techniques, including VB macros and exploits. Another approach, which has been growing in popularity, involves embedding Flash programs in the Office document. These Flash programs can download or directly incorporate additional malicious code without the victim's knowledge. This note demonstrates several steps for extracting malicious Flash objects from Microsoft Office document files, so you can analyze them. We take a brief look at using the strings, Pyew, hachoir-subfile, xxxswf.py and extract_swf.py tools for this purpose.