SANS Digital Forensics and Incident Response Blog

Leaving the Backdoor Open: Risk of Remotely Hosted Web Scripts

Many websites leverage externally hosted scripts to add a broad range of functionality, from user interaction tracking to reactive design. However, what you may not know is that by using them you are effectively handing over full control of your content to the other party, and could be putting your users at risk of having …


Your Cyber Threat Intelligence Questions Answered

As we prepare for the sixth year of the SANS Cyber Threat Intelligence (CTI) Summit, advisory board members Rebekah Brown, Rick Holland, and Scott Roberts discuss some of the most frequently asked questions about threat intelligence. This blog will give you a bit of a preview of what you can expect during the CTI Summit on January 29th …


Automated Hunting of Software Update Supply Chain Attacks

Software that automatically updates itself presents an attack surface, which can be leveraged en masse through the compromise of the vendor's infrastructure. This has been seen multiple times during 2017, with high profile examples including NotPetya and CCleaner. Most large organisations have built robust perimeter defences for incoming and outgoing traffic, but this threat vector …


Updated Memory Forensics Cheat Sheet

Just in time for the holidays, we have a new update to the Memory Forensics Cheat Sheet! Plugins for the Volatility memory analysis project are organized into relevant analysis steps, helping the analyst walk through a typical memory investigation. We added new plugins like hollowfind and dumpregistry, updated plugin syntax, and now include help for those …


Acquiring a Memory Dump from Fleeting Malware

The acquisition of process memory during behavioural analysis of malware can provide quick and detailed insight. Examples of where it can be really useful include packed malware, which may be in a more accessible state while running, and malware which receives live configuration updates from the internet and stores them in memory. Unfortunately the …