SANS Digital Forensics and Incident Response Blog: Category - Malware Analysis

Malware Can Hide, But It Must Run

Article originally posted in forensicfocus.com Author: Alissa Torres It's October, haunting season. However, in the forensics world, the hunting of evil never ends. And with Windows 10 expected to be the new normal, digital forensics and incident response (DFIR) professionals who lack the necessary (memory) hunting skills will pay the price. Investigators who do not … Continue reading Malware Can Hide, But It Must Run


DFIR Summit 2016 - Call for Papers Now Open

The 9th annual Digital Forensics and Incident Response Summit will once again be held in the live musical capital of the world, Austin, Texas. The Summit brings together DFIR practitioners who share their experiences, case studies and stories from the field. Summit attendees will explore real-world applications of technologies and solutions from all aspects of … Continue reading DFIR Summit 2016 - Call for Papers Now Open


Using ProcDOT Plugins to Examine PCAP Files When Analyzing Malware

ProcDOT is a free tool for analyzing the actions taken by malware when infecting a laboratory system. ProcDOT supports plugins, which could extend the tool's built-in capabilities. This article looks at two plugins that help examine contents of the network capture file loaded into ProcDOT. Continue reading Using ProcDOT Plugins to Examine PCAP Files When Analyzing Malware


Update for DensityScout

There's a new build of DensityScout available (https://cert.at/downloads/software/densityscout_en.html). For the new build a scenario has been addressed where DensityScout could start to hang/loop during file computation. Happy DensityScout-ing ... Christian Continue reading Update for DensityScout


Hindering Exploitation by Analysing Process Launches

Malware can do some nasty things to your system, but it needs to get on there first. Thankfully, users have become more suspicious of files named FunnyJokes.doc.exe and so malware authors have had to become more innovative, using a mix of social engineering and the constant stream of 0-day browser exploits to land evil code … Continue reading Hindering Exploitation by Analysing Process Launches