SANS Digital Forensics and Incident Response Blog: Category - Windows IR

Mass Triage Part 3: Processing Returned Files - At Jobs

Our story so far... Frank, working with Hermes, another security analyst, goes to work to review the tens of thousands of files retrieved by FRAC. They start off by reviewing the returned AT jobs. AT Job Used by Actors AT jobs are scheduled tasks created using the at.exe command. At jobs take the filename format … Continue reading Mass Triage Part 3: Processing Returned Files - At Jobs


Mass Triage: Retrieve Interesting Files Tool (FRAC and RIFT) Part 2

FRAC is a GPLv2 project that can run remote commands across a Windows enterprise network. It consists of a Perl script, basic configuration files, and an SMB share. It uses PAExec or Winexe to connect to the remote machines, and then runs the commands required. It doesn't require a powerful system to run from, but does require lots of disk space if it has been configured to collect files. FRAC can run on the Linux, *NIX, and OSX using Winexe to connect to the remote Windows machines. Continue reading Mass Triage: Retrieve Interesting Files Tool (FRAC and RIFT) Part 2


Mass Triage: Retrieve Interesting Files Tool (RIFT) Part 1

In the course of an incident incident responders will have to retrieve files from a machine in a forensically sound manner. RIFT copies files from a subject machine in a forensically sound manner using the Sleuthkit toolset. By simply running RIFT with a regex list of file names or directories, specific files and folders are targeted for extraction. For each match, icat is then used to copy the file or folder to a drive/share other than the C drive. Continue reading Mass Triage: Retrieve Interesting Files Tool (RIFT) Part 1


DFIR Summit 2016 - Call for Papers Now Open

The 9th annual Digital Forensics and Incident Response Summit will once again be held in the live musical capital of the world, Austin, Texas. The Summit brings together DFIR practitioners who share their experiences, case studies and stories from the field. Summit attendees will explore real-world applications of technologies and solutions from all aspects of … Continue reading DFIR Summit 2016 - Call for Papers Now Open


Detecting Shellcode Hidden in Malicious Files

A challenge both reverse engineers and automated sandboxes have in common is identifying whether a particular file is malicious or not. This is especially true if the malicious aspects are obfuscated and only triggered under very specific circumstances. There are a number of techniques available to try and identify embedded shellcode, for example searching for … Continue reading Detecting Shellcode Hidden in Malicious Files