SANS Digital Forensics and Incident Response Blog: Tag - security

Overview of Microsoft's "Best Practices for Securing Active Directory"

As incident responders, we are often called upon not only to supply answers regarding "Who, What, When, Where, and How" an incident occurred, but also to explain how the organization can protect itself against future attacks of a similar nature. In other words, what are the lessons learned and recommendations based on the findings? A new paper …

Professional Development in Digital Forensics and Incident Response

Professionals looking to enter and grow in the field of digital forensics and incident response (DFIR) face many challenges. Organizations often focus their recruitment efforts on experienced forensicators rather than investing in personnel who could mature as part of the group. Individuals who have found a way to enter this field often struggle to identify mentors …

SANS Institute Fall Events 2010

Can't make SANS Network Security 2010 in Vegas but still want to take advantage of a SANS event this fall? Here's what is on the horizon for regional trainings during October and November. These are some great locations with excellent courses and top instructors.

Fall 2010 SANS Information Security Training Line-up

October 25 - 30 - Chicago 2010

Chicago. Chi-Town. The Windy City. And SANS... You'll experience fun in one of America's favorite cities while having the opportunity to build skill in your choice of curricula: Security, Management, Forensics, or Developer. That's just the beginning, since we are bringing a star line-up, including Dr. Eric Cole, Rob Lee, Jason Lam, and Jim Shewmaker. Now's not the time to be shy... Stick around for a day or two after the event
Arbitrary Code Execution on Examiner Systems via File Format Vulnerabilities

I attended ThotCon 0x1 on Friday, April 23rd, and watched a talk where the presenters disclosed and demonstrated an exploit embedded in a disk image that triggered arbitrary code execution when the same malicious file was examined using either EnCase or FTK. I'd like to talk a bit about this and its implications, as well as a few things that we, as a community, might want to do in response.

The specific vulnerability in question appeared to exist in the Outside-In component, and was not triggered until the malicious file was actually viewed inside EnCase or FTK. The presenters stated that the vulnerability had initially been reported to Guidance and Access Data more than 3 versions of EnCase ago. Thinking back now, I was assuming they meant they had notified before 6.14, but it's possible that they were counting point releases.

When triggered, the exploit seemed