SANS Digital Forensics and Incident Response Blog: Tag - forensics

A Technical Autopsy of the Apple - FBI Debate using iPhone forensics

The technical basics of the case is that FBI is trying to compel Apple Inc. to help create a new capability installed on the suspect's iPhone that would enable with the following degraded security mechanisms: Allow the FBI to submit passcode "electronically via the physical device port" Will not wipe underlying data after 10 incorrect … Continue reading A Technical Autopsy of the Apple - FBI Debate using iPhone forensics


How to Install SIFT Workstation and REMnux on the Same Forensics System

Combine SIFT Workstation and REMnux on a single system to create a supercharged Linux toolkit for digital forensics and incident response tasks. Here's how. Continue reading How to Install SIFT Workstation and REMnux on the Same Forensics System


Using Sysinternals System Monitor (Sysmon) in a Malware Analysis Lab

System Monitor (Sysmon) is a new tool from Microsoft, designed to run in the Windows system's background, logging details related to process creation, network connections, and changes to file creation time. This information can assist in troubleshooting and forensic analysis of the host where the tool was installed prior to the incident that's being investigated. This article explores the role that System Monitor might play in a malware analysis lab, possibly supplementing tools such as Process Monitor. Continue reading Using Sysinternals System Monitor (Sysmon) in a Malware Analysis Lab


Dominando las 4 etapas del Análisis de Malware

(This is a Spanish translation of the article Mastering 4 Stages of Malware Analysis. Este artculo fue traducido del ingls.) El anlisis de software malicioso o malware involucra una variedad de tareas, algunas ms simples que otras. Estas tareas pueden ser agrupadas en etapas basadas en la naturaleza de las tcnicas de anlisis de software malicioso. Agrupadas como capas, una encima de otra, estas etapas forman una pirmide que va creciendo conforme complejidad. Continue reading Dominando las 4 etapas del Anlisis de Malware


SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros

SRP streams in Microsoft Office documents can reveal older versions of VBA macro code used by the adversary in earlier attacks. After the attacker modifies the malicious document for a new attack, Microsoft Office sometimes retains a cache of the earlier macro inside these streams, allowing analysts to expand their understanding of the incident and derive valuable threat intelligence. In other words, SRP streams can help investigators travel back in time. Continue reading SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros