SANS Digital Forensics and Incident Response Blog

FOR408: Windows Forensic Analysis has been renumbered to FOR500: Windows Forensics Analysis

The FOR408: Windows Forensic Analysis course was renumbered to FOR500: Windows Forensic Analysis. SANS renumbered the course to better reflect the course's intermediate-level material. The content of the course will remain basically the same, although it will be constantly updated to reflect changes in the field. FREQUENTLY ASKED QUESTIONS Why change the course …


Turning a Snapshot into a Story: Simple Method to Enhance Live Analysis

System snapshots are a core component when conducting forensic analysis on a live machine. They provide critical insight into what was going on at the time they were taken, but this is also their limitation: your view is limited to a precise moment in time, without context and the opportunity to observe changes as they …


Mass Triage Part 3: Processing Returned Files - At Jobs

Our story so far... Frank, working with Hermes, another security analyst, goes to work to review the tens of thousands of files retrieved by FRAC. They start off by reviewing the returned AT jobs. AT Job Used by Actors AT jobs are scheduled tasks created using the at.exe command. At jobs take the filename format …


Rapid Provisioning of a Malware Analysis Environment

The preparation of a malware analysis environment can often be a lengthy and repetitive process. I am not referring to setting up a virtual machine which contains all of your tools, but rather recognising that each sample you analyse may have very specific environmental requirements before it is willing to execute fully. For example, it …


Digital Forensics - Automotive Infotainment and Telematics Systems

Paul A. Henry - Senior SANS Instructor - phenry@sans.org MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, ACE, GCFE, GCFA, GSEC, GICSP, GCED, GPPA, VCP4/5, VCP-DCV (5.5), vExpert Powerful Features There is a huge range of features now controlled / enabled by current generation automotive infotainment and telematics systems (Figure 1 - Source), including …