SANS Digital Forensics and Incident Response Blog: Category - Windows IR

Protecting Privileged Domain Accounts: Safeguarding Access Tokens

[Author's Note: This is the 4th in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with compromised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.] I've previously written … Continue reading Protecting Privileged Domain Accounts: Safeguarding Access Tokens


Protecting Privileged Domain Accounts: Disabling Encrypted Passwords

[Author's Note: This is the 3rd in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with compromised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.] Update: I have … Continue reading Protecting Privileged Domain Accounts: Disabling Encrypted Passwords


Protecting Privileged Domain Accounts: LM Hashes — The Good, the Bad, and the Ugly

[Author's Note: This is the 2nd in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with compromised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.] I realize the … Continue reading Protecting Privileged Domain Accounts: LM Hashes — The Good, the Bad, and the Ugly


Protecting Privileged Domain Accounts: Safeguarding Password Hashes

Have you ever made a connection to a potentially compromised remote machine using a privileged domain account and wondered if there was any chance that your privileged credentials could be revealed in some way to the attacker? I have. After wondering and worrying about it, the curiosity (and paranoia) finally got to me and so … Continue reading Protecting Privileged Domain Accounts: Safeguarding Password Hashes


Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline

This is a series of blog articles that utilize the SIFT Workstation. The free SIFT Workstation can match any modern forensic tool suite, and is also directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge … Continue reading Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline