SANS Digital Forensics and Incident Response Blog: Category - Incident Response

How to Install SIFT Workstation and REMnux on the Same Forensics System

Combine SIFT Workstation and REMnux on a single system to create a supercharged Linux toolkit for digital forensics and incident response tasks. Here's how. Continue reading How to Install SIFT Workstation and REMnux on the Same Forensics System


Call For Presenters — DFIR Prague 2015 #DFIRPrague

Submit your submissions to dfireuropecfp@sans.org by 5 pm BST on 1 June, 2015 with the subject "SANS DFIR Europe Summit." Dates: Summit Date: - 11 October, 2015 Pre-Summit Training Course Dates: 5-10 October, 2015 Post-Summit Training Course Dates: 12-17 October, 2015 Summit Venue: Angelo Hotel Prague Radlicka 1-G, Prague 5 Prague, CZ Phone: +420 234 … Continue reading Call For Presenters — DFIR Prague 2015 #DFIRPrague


Monitoring for Delegation Token Theft

Delegation is a powerful feature of Windows authentication which allows one remote system to effectively forward a user's credentials to another remote system. This is sometimes referred to as the "double-hop". This great power does not come without great risk however, as the delegation access tokens used for this purpose can be stolen by attackers … Continue reading Monitoring for Delegation Token Theft


Detecting DLL Hijacking on Windows

Initially identified fifteen years ago, and clearly articulated by a Microsoft Security Advisory, DLL hijacking is the practice of having a vulnerable application load a malicious library (allowing for the execution of arbitrary code), rather than the legitimate library by placing it at a preferential location as dictated by the Dynamic-Link Library Search Order which … Continue reading Detecting DLL Hijacking on Windows


How Miscreants Hide From Browser Forensics

Scammers, intruders and other miscreants often aim to conceal their actions from forensic investigators. When analyzing an IT support scam, I interacted with the person posing as the help desk technician. He brought up a web page on the victim's system to present payment form, so the person would supply contact and credit card details. He did this in a surprising manner, designed to conceal the destination URL. Continue reading How Miscreants Hide From Browser Forensics