SANS Digital Forensics and Incident Response Blog: Tag - artifact analysis

Digital Forensics - Automotive Infotainment and Telematics Systems

Paul A. Henry - SeniorSans Instructor - phenry@sans.org MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, ACE, GCFE, GCFA, GSEC, GICSP, GCED, GPPA, VCP4/5, VCP-DCV (5.5), vExpert Powerful Features There is a huge range of features now controlled / enabled by current generation automotive infotainment and telematics systems (Figure 1 - Source), including … Continue reading Digital Forensics - Automotive Infotainment and Telematics Systems


Using ProcDOT Plugins to Examine PCAP Files When Analyzing Malware

ProcDOT is a free tool for analyzing the actions taken by malware when infecting a laboratory system. ProcDOT supports plugins, which could extend the tool's built-in capabilities. This article looks at two plugins that help examine contents of the network capture file loaded into ProcDOT. Continue reading Using ProcDOT Plugins to Examine PCAP Files When Analyzing Malware


Forensically mining new nuggets of Google Chrome

I was recently creating some slides on Chrome forensics for a class I'm teaching, when I really discovered for the first time just how popular it's actually become. As of last month, according to http://www.w3schools.com/browsers/browsers_stats.asp, Chrome is not only 50% more popular than internet Explorer, but is actually neck and neck with Firefox (36.6% vs. … Continue reading Forensically mining new nuggets of Google Chrome


Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline

This is a series of blog articles that utilize the SIFT Workstation. The free SIFT workstation, can match any modern forensic tool suite, is also directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge … Continue reading Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline


3 Phases of Malware Analysis: Behavioral, Code, and Memory Forensics

When discussing malware analysis, I've always referred to 2 main phases of the process: behavioral analysis and code analysis. It's time to add a third major component: memory analysis.

Here's a brief outline of each phase:

  • Behavioral analysis examines the malware specimen's interactions with its environment: the file system, the registry (if on Windows), the network, as well as other processes and OS components. As the malware investigator notices interesting behavioral characteristics, he modifies the laboratory environment to evoke newcharacteristics. To perform this work, theinvestigatortypically infects the isolated system while having the necessary monitoring tools observe the specimen's execution. Some of the free tools that can help in this analysis phase are Process Monitor,