SANS Digital Forensics and Incident Response Blog: Category - Incident Response

Protecting Privileged Domain Accounts: Safeguarding Password Hashes

Have you ever made a connection to a potentially compromised remote machine using a privileged domain account and wondered if there was any chance that your privileged credentials could be revealed in some way to the attacker? I have. After wondering and worrying about it, the curiosity (and paranoia) finally got to me and so …


Thoughts on Malware, Digital Forensics and Data Breaches by Hal Pomeranz

Hal Pomeranz shares his insights on malicious software in the context of data breaches, incident response and digital forensics. Hal's expertise spans several areas of information security and most recently has focused on forensics. He teaches several courses at SANS Institute, including Reverse-Engineering Malware.


Digital Forensics: UID and GID distributions

On Unix and Linux systems each file has a user id and a group id (uid and gid respectively) showing the file's owner and group. On most *nix systems, files in system directories are owned by uid and gid root, which is represented by the numeric uid and gid value of 0; see the sample listing below: …


Digital Forensics SIFT'ing: Cheating Timelines with log2timeline

Hopefully at one point in time everyone has experienced the enjoyment of a teacher that allowed them to use a "cheat sheet" on a test. For the unfamiliar, the concept is simple: take an 8.5 x 11" piece of paper, cram as much information as you can on both sides, and use it as an …


Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline

This is a series of blog articles that utilize the SIFT Workstation. The free SIFT Workstation can match any modern forensic tool suite and is also directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge …