SANS Digital Forensics and Incident Response Blog: Tag - stuxnet

Why Stuxnet Isn't APT

Stuxnet has become so buzz-worthy that I almost feel like an article relating it to "APT" is the epitome of anecdotal industry naval-gazing. Making a qualitative assessment of each can be a useful exercise in classifying and understanding the threat landscape, however. This in turn helps clarify risk, driving resource allocation, investment, and R&D. Even more important than the conclusions presented herein, I want to elucidate some of the analysis that goes into threat assessments so that others might be empowered to do the same. Continue reading Why Stuxnet Isn't APT

Digital Forensics Case Leads: Stuxnet, Cyber Weapons and Incident Response

Our focus this week, albeit loosely, is on Incident Response. There has been much news of late regarding the Stuxnet malware, and a couple of the more interesting perspectives are linked in the "Good Reads" section below. As forensicators and incident responders, the advent of such "weapons-grade" malware raises the stakes significantly, and we have to step up our game to match. Memory forensics becomes far more crucial when dealing with advanced threats, and Mandiant offers some help in this area with an update to their Memoryze tool. But our ability to learn from the incidents we investigate and share that information also becomes vastly more important. To help us in this area, Verizon has provided their VERIS Framework, which is a tool for gathering metrics from incident investigations so that we can begin to share and learn from the breaches that inevitably occur. The VERIS Framework isn't all that new, but deserves more attention. So read on for these and other interesting

... Continue reading Digital Forensics Case Leads: Stuxnet, Cyber Weapons and Incident Response

Digital Forensics Case Leads: SQLite changes may impact your processes

I don't know if it's the time of year, the heat or what, but there's been so much going on over the last couple weeks that this post almost didn't make it out. Gasp! Thanks to the efforts of Ira Victor and Mark McKinnon (yay crowd-sourcing), we pulled it off. Speaking of crowd-sourcing, this post is meant to be a weekly round-up of things we've found that may be of interest to digital forensics and incident response practitioners, as such, please drop us a line at if you have an item that you feel should be included in the weekly post. We appreciate it.


  • Paraben's P2 Explorer is a great little free tool that mounts a variety of popular disk image formats, allowing the investigator to easily run a variety of tools against the mounted file system (e.g. anti-virus/malware scans).
  • Digital