SANS Digital Forensics and Incident Response Blog: Tag - Network

Protecting Privileged Domain Accounts: Network Authentication In-Depth

[Author's Note: This is the 5th in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with comprised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.] To coincide … Continue reading Protecting Privileged Domain Accounts: Network Authentication In-Depth

3 Phases of Malware Analysis: Behavioral, Code, and Memory Forensics

When discussing malware analysis, I've always referred to 2 main phases of the process: behavioral analysis and code analysis. It's time to add a third major component: memory analysis.

Here's a brief outline of each phase:

  • Behavioral analysis examines the malware specimen's interactions with its environment: the file system, the registry (if on Windows), the network, as well as other processes and OS components. As the malware investigator notices interesting behavioral characteristics, he modifies the laboratory environment to evoke newcharacteristics. To perform this work, theinvestigatortypically infects the isolated system while having the necessary monitoring tools observe the specimen's execution. Some of the free tools that can help in this analysis phase are Process Monitor,

NDIFF for incident detection

A good way to see changes to the network is with a tool called ndiff.

Ndiff is a tool that utilizes nmap output to identify the differences, or changes that have occurred in your environment. Ndiff can be downloaded from The application requires that perl is installed in addition to nmap. The fundamental use of ndiff entails combining ndiff with a baseline file. This is achieved by using the "-b" option to select the file that is the baseline with the file to be tested using the "-o" option. The "-fmt" option selects the reporting format.

Ndiff can query the system's port states or even test for types of hosts and Operating Systems using the "-output-ports" or "-output-hosts" options.

The options offered in ndiff include:

ndiff [-b|-baseline ] [-o|-observed ]

[-op|-output-ports ] [-of|-output-hosts ]

... Continue reading NDIFF for incident detection