SANS Digital Forensics and Incident Response Blog: Tag - Incident Response

SANS Digital Forensics and Incident Response Blog:

A Threat Intelligence Script for Qualitative Analysis of Passwords Artifacts

The Verizon Data Breach Report has consistently said, over the years, passwords are a big part of breach compromises. Dr. Lori Cranor, and her team, at CMU has done extensive research on how to choose the best password policies verses usability. In addition, Alison Nixon's research describes techniques to determine valid password of an organization you are not a part of ("Vetting Leaks Finding the Truth when the Adversary Lies"). What about passwords leaked in the organization you are defending? This post will be about such a scenario.

According to former Deputy Director, of The Center for The Studies of Intelligence, Ms. Carmen Medina says "analysis in essence is putting things correctly into categories" "insight is when you come


Detecting Shellcode Hidden in Malicious Files

A challenge both reverse engineers and automated sandboxes have in common is identifying whether a particular file is malicious or not. This is especially true if the malicious aspects are obfuscated and only triggered under very specific circumstances.

There are a number of techniques available to try and identify embedded shellcode, for example searching for patterns (NOP sleds, GetEIP etc), however as attackers update their methods to overcome our protections it becomes more difficult to find the code without having the exact version of the vulnerable software targeted, and allowing the exploit to successfully execute.

In this post, I will discuss a new technique I have been experimenting with, which approaches this issue from a different perspective, forcing the execution of the exploit code, no matter what software you have installed. It is based on two core principles:

  1. If you try and execute something that isn't code (e.g. a text string), the ...

How to Install SIFT Workstation and REMnux on the Same Forensics System

Combine SIFT Workstation and REMnux on a single system to create a supercharged Linux toolkit for digital forensics and incident response tasks. Here's how.

Call For Presenters -- DFIR Prague 2015 #DFIRPrague


Submit your submissions to by 5 pm BST on 1 June, 2015 with the subject "SANS DFIR Europe Summit."


  • Summit Date: - 11 October, 2015

  • Pre-Summit Training Course Dates: 5-10 October, 2015

  • Post-Summit Training Course Dates: 12-17 October, 2015

Summit Venue:

SANS' annual dedicated Digital Forensics and Incident Response (DFIR) Summit & Training event returns for 13 days of intensive ...

Monitoring for Delegation Token Theft

Delegation is a powerful feature of Windows authentication which allows one remote system to effectively forward a user's credentials to another remote system. This is sometimes referred to as the "double-hop". This great power does not come without great risk however, as the delegation access tokens used for this purpose can be stolen by attackers and used for lateral movement. As such, it's important to be aware of this ability and to increase monitoring for malicious use of delegation.

In order to monitor delegation activity, you need to identify where delegation is occurring. Then from those in-scope systems where delegation occurs, look for suspicious activity, and potentially identify which users' accounts were actually delegated. I'll take you through these identification steps, but first let's start with a quick refresher on delegation. This should give you most of the background you need, although you can get even more details about the delegation process in