SANS Digital Forensics and Incident Response Blog: Category - Incident Response

Detecting Shellcode Hidden in Malicious Files

A challenge both reverse engineers and automated sandboxes have in common is identifying whether a particular file is malicious or not. This is especially true if the malicious aspects are obfuscated and only triggered under very specific circumstances. There are a number of techniques available to try and identify embedded shellcode, for example searching for … Continue reading Detecting Shellcode Hidden in Malicious Files


How to Install SIFT Workstation and REMnux on the Same Forensics System

Combine SIFT Workstation and REMnux on a single system to create a supercharged Linux toolkit for digital forensics and incident response tasks. Here's how. Continue reading How to Install SIFT Workstation and REMnux on the Same Forensics System


Call For Presenters — DFIR Prague 2015 #DFIRPrague

Submit your submissions to dfireuropecfp@sans.org by 5 pm BST on 1 June, 2015 with the subject "SANS DFIR Europe Summit." Dates: Summit Date: - 11 October, 2015 Pre-Summit Training Course Dates: 5-10 October, 2015 Post-Summit Training Course Dates: 12-17 October, 2015 Summit Venue: Angelo Hotel Prague Radlicka 1-G, Prague 5 Prague, CZ Phone: +420 234 … Continue reading Call For Presenters — DFIR Prague 2015 #DFIRPrague


Monitoring for Delegation Token Theft

Delegation is a powerful feature of Windows authentication which allows one remote system to effectively forward a user's credentials to another remote system. This is sometimes referred to as the "double-hop". This great power does not come without great risk however, as the delegation access tokens used for this purpose can be stolen by attackers … Continue reading Monitoring for Delegation Token Theft


Detecting DLL Hijacking on Windows

Initially identified fifteen years ago, and clearly articulated by a Microsoft Security Advisory, DLL hijacking is the practice of having a vulnerable application load a malicious library (allowing for the execution of arbitrary code), rather than the legitimate library by placing it at a preferential location as dictated by the Dynamic-Link Library Search Order which … Continue reading Detecting DLL Hijacking on Windows