SANS Digital Forensics and Incident Response Blog: Tag - Incident Response

SANS Digital Forensics and Incident Response Blog:

DFIR Summit 2016 - Call for Papers Now Open


The 9th annual Digital Forensics and Incident Response Summit will once again be held in the live musical capital of the world, Austin, Texas.

The Summit brings together DFIR practitioners who share their experiences, case studies and stories from the field. Summit attendees will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response.

Call for Presentations- Now Open
More information


Using ProcDOT Plugins to Examine PCAP Files When Analyzing Malware

ProcDOT is a free tool for analyzing the actions taken by malware when infecting a laboratory system. ProcDOT supports plugins, which could extend the tool's built-in capabilities. This article looks at two plugins that help examine contents of the network capture file loaded into ProcDOT.

Threat Hunting and Incident Response Summit - CFP - Closing 12 Oct


dfir (1)

The inaugural Threat Hunting and Incident Response Summit will be held in New Orleans, LA on April 12- 13, 2016.

The Threat Hunting & Incident Response Summit 2016 focuses on specific hunting and incident response techniques and capabilities that can be used to identify, contain, and eliminate adversaries targeting your networks. Attend this summit to learn these skills directly from incident response and detection experts who are uncovering and stopping the most recent, sophisticated, and dangerous attacks against organizations.

Call for Speakers Now Open

The Call for Speakers is now open. If you are interested in delivering a presentations or participating in a panel, we'd be ...

Timeline analysis with Apache Spark and Python

This blog post introduces a technique for timeline analysis that mixes a bit of data science and domain-specific knowledge (file-systems, DFIR).

Analyzing CSV formatted timelines by loading them with Excel or any other spreadsheet application can be inefficient, even impossible at times. It all depends on the size of the timelines and how many different timelines or systems we are analyzing.

Looking at timelines that are gigabytes in size or trying to correlate data between 10 different system's timelines does not scale well with traditional tools.

One way to approach this problem is to leverage some of the open source data analysis tools that are available today. Apache Spark is a fast and general engine for big data processing. PySpark is its Python API, which in combination with Matplotlib, Pandas and NumPY, will allow you to drill down and analyze large amounts of data using SQL-syntax statements. This can come in handy for things like filtering, combining


Cloak Your Incident Investigation with Confidentiality

Summary: When an enterprise investigates a data security incident, it is often wise to involve legal counsel early. Counsel may be able to ensure the details of the investigation are kept confidential by law.

Infosec Law and Politics Are Dangerous.

The law and politics surrounding data security are highly adversarial. Legal and political adversaries have incentive to prove that an enterprise like a corporation or a government agency made a mistake (e.g., suffered a breach).

Plaintiff lawyers these days make a lot of money suing enterprises for breaches of patient or customer data.

And, politicians like state attorneys general attract a lot of media attention by hollering at local companies or healthcare entities that have lost personal data.

There is nothing inherently wrong with lawyers bringing lawsuits or politicians complaining in the media.

But an enterprise does not want