SANS Digital Forensics and Incident Response Blog: Category - Malware Analysis

Four Focus Areas of Malware Analysis

Malware analysis and the forensic artifacts involved are made up of four areas of focus. The four areas of focus are behavior, code, memory, and intelligence analysis. Each has its own techniques which will be covered briefly. An analyst is in the middle of a case and finds an executable artifact. In searching the hash … Continue reading Four Focus Areas of Malware Analysis


Looking at Mutex Objects for Malware Discovery and Indicators of Compromise

Mutex (a.k.a. mutant) objects, which are frequently used by legitimate software, can also help defenders discover the presence of malicious programs on the system. Incident responders can examine the infected host or reverse-engineer malware to identify mutex names used by the specimen, which will allow them to define the signs of the infection (a.k.a. indicators of compromise). Let's take a look at how mutex objects are used and what tools are available to identify them on a system. Continue reading Looking at Mutex Objects for Malware Discovery and Indicators of Compromise


Digital Forensic Case Leads: Is the Chinese Government Backdooring Networks Globally? Large Breach at Yahoo Impacts Gmail, MSN and More. Anonymous Sends Warning To Central Bank?

This week's Digital Forensic Case Leads takes us around the world. From a possible Anonymous waring in Latin America, to the report that the Chinese Government may be building in backdoors to networks across the globe. In the last few weeks there have been many announcements about the use of Near Field Communications (NFC) in … Continue reading Digital Forensic Case Leads: Is the Chinese Government Backdooring Networks Globally? Large Breach at Yahoo Impacts Gmail, MSN and More. Anonymous Sends Warning To Central Bank?


An Overview Of Protocol Reverse-Engineering

JOIN SANS FOR A 1-DAY CYBER THREAT INTELLIGENCE SUMMIT headed by Mike Cloppert - 22 Mar 2013-http://www.sans.org/event/what-works-cyber-threat-2013 With this post I'm kicking off a series designed to help analysts reverse engineer undocumented - or poorly documented - network protocols. It is fairly common for incident responders to be presented with a network packet capture (PCAP) … Continue reading An Overview Of Protocol Reverse-Engineering


Digital Forensics Case Leads: Your Password Is Out There, again...

Data breaches at LinkedIn, eHarmony, and Last.fm exposed millions of account passwords, and probably other data that the attackers haven't made public. also a wealth of interesting new and updated tools. Among these are HexDive, SquirrelGripper, ShadowKit, and a Report Writing cheat sheet from Girl,Unallocated. Also worthy of particular note is Corey Harrell's Compromise Root Cause Analysis Model Continue reading Digital Forensics Case Leads: Your Password Is Out There, again...