SANS Digital Forensics and Incident Response Blog

Design it. DFIR it. Win it. Wear it!

Design it. DFIR it. Win it. Wear it! Are you excited about going to the DFIR Summit this July? Of course you are! We have worked hard to bring you an amazing agenda, networking opportunities and a bunch of other fun activities at the event. If you have attended before, you know how much fun …


Finding Registry Malware Persistence with RECmd

If you have been keeping your forensic toolkit up to date, you have undoubtedly used Registry Explorer, a game-changing tool for performing Windows registry analysis. RECmd is the command line component of Registry Explorer and opens up a remarkable capability to script and automate registry data collection. My interest in this tool was recently …


A few Ghidra tips for IDA users, part 3 - conversion, labels, and comments

In this entry in my series, I'll look at a few more of the features I regularly use in IDA and how to accomplish the same in Ghidra. The first one is simple conversion. In this case, hex to ASCII characters (classic stack strings stuff that we cover in Day 5 of FOR610). I miss …


Offline Autoruns Revisited - Auditing Malware Persistence

I was digging through the archives recently and stumbled upon my old post, Autoruns and Dead Computer Forensics. Autoruns is an indispensable tool from Sysinternals that extracts data from hundreds of potential auto-start extensibility points (ASEPs), a fancy Microsoft term for locations that can grant persistence to malicious code. We leverage live Autoruns collection in …


A few Ghidra tips for IDA users, part 2 - strings and parameters

Continuing with my preliminary exploration of Ghidra. If we continue with the call to RegOpenKeyExA from last time (yes, I know this code is unreachable as we discussed last time, but let's keep going anyway).