SANS Digital Forensics and Incident Response Blog: Category - Reporting

How to Disrupt a Botnet

The following note is inspired by the steps the folks at FireEye Malware Intelligence Lab took to disable the Mega-d/Ozdok bot network. People often wonder what it takes to shut down a botnet. Here are the key steps; they apply to "traditional" botnets that don't rely heavily on peer-to-peer protocols for their command and control (C&C) implementation. The number of hosts and domains such botnets use can be small enough that a group or an individual can disrupt the botnet by getting those IPs or domain names shut down.

Note that attempting to interfere with operations of a profitable botnet can be dangerous, as your actions may cause attackers to retaliate. Therefore, consider these steps as informational thoughts, rather than an encouragement to follow FireEye's footsteps.

  1. Obtain a copy of the bot through forensic analysis of a compromised system.

...


Using mind maps in forensics

by Jeff Bryner

I've been playing with mind mapping software lately, mostly using the wonderfully open source freemind. I'm definitely not the first one to consider using this for forensic analysis, but hopefully I can help spread the meme and help us all organize our thoughts.

Just for fun, here's a sample starting point for a fake embezzlement case if you've not seen a mind map before:
[image: basic mind map]

I've posted it here in case it's easier to start

...


Why I Chose Not To Post My Interview With The Twitter Attacker

by Ira Victor

The blogosphere was atweet this weekend with news of a DarkWeb attack on Twitter users. As co-host of the Data Security Podcast, I believe I was the first to contact the man who claims to be the creator of the attack.

We thought better of using his voice on our podcast, though, when we realized he's only 17 years old. That makes him too young to consent legally to a globally-distributed interview. He may also be too immature to be a reliable source. The jury's out on that.

At this point, we've decided to sit on the tape, even though the young man's identity and his claims of responsibility for the Twitter hack have been widely

...


Block Pornography - The Bane of Computer Forensics

By J. Michael Butler

What is more important? Searching for porn on an organization-owned asset, or looking for misuse of organization-owned data? Not even a trick question. Too easy. So why do organizations' computer forensic experts still find themselves searching for porn? Because it is there.

New problem? I think not. In T.h.e. Journal, there is an article written in 1997 addressing this same issue and suggesting a product called "Little Brother" to fix it.[1] Today there are a plethora of software products for home and office use, ranging from free to more than $100 per workstation. Some are more effective than others, but evaluation is outside the scope of this article. Just know that

...


NCS vs DRN - Taking Notes

Intro to Notes

If computer forensics is to be taken as a science, a key requirement is that results be repeatable. A key part of repetition is the quality of your notes.

Notes are an important aspect of an investigation. No matter how good a memory you have, something is bound to slip through the cracks at some point. Combine the size of some investigations, the length of time that may pass before anyone acts on your report, and the size of many caseloads with a lack of notes, and you have a recipe for disaster. On the other hand, note-taking style is largely a matter of personal preference, with no industry-standard way of approaching it. I thought we might talk a bit about the different options and problems that come with note taking, and I hope that others will chime in with how they approach the problem.

Format

The first question that comes up with note taking is where you want to do it. Low tech has some

...