SANS Digital Forensics and Incident Response Blog: Category - Registry Analysis

Digital Forensics Case Leads: Registry and Malware Analysis Tools, Preparing to Testify, and Virtual Machine Technology on Mobile Devices

This week's edition of Case Leads features a number of new tools and updates for a few of the old standbys. We have a collection of tools designed for studying malware found on Windows or Android platforms and a couple of new applications for registry analysis. Virtual machine technology is heading for Android based devices … Continue reading Digital Forensics Case Leads: Registry and Malware Analysis Tools, Preparing to Testify, and Virtual Machine Technology on Mobile Devices


Ultimate Windows Timelining

Recently, I was considering material for an internal knowledge transfer session on timelining, when it occurred to me that the subject matter was likely of broader interest, and so, without further ado... First, a note about the way I personally use timelines. I find them a great way to identify dated tidbits which one might … Continue reading Ultimate Windows Timelining


Computer Forensic Artifacts: Windows 7 Shellbags

As Windows Registry artifacts go, the "Shellbag" keys tend to be some of the more complicated artifacts we have to decipher. But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge. Shellbags can be used to answer the difficult questions of data enumeration … Continue reading Computer Forensic Artifacts: Windows 7 Shellbags


Digital Forensics Case Leads: Intruder Alert! Intruder Alert!

Seven years ago, in the Preface to his TheTao of Network Security Monitoring, Richard Bejtlich wrote: Three words sum up my attitude toward stopping intruders:prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Fast forward to 2011, and we find McAfee saying, in the executive … Continue reading Digital Forensics Case Leads: Intruder Alert! Intruder Alert!


Computer Forensics How-To: Microsoft Log Parser

As any incident responder will agree, you can never have too many logs. That is, of course, until you have to analyze them! I was recently on an engagement where our team had to review hundreds of gigabytes of logs looking for evidence of hacking activity. I was quickly reminded of how much I love … Continue reading Computer Forensics How-To: Microsoft Log Parser