NEW! - Eric Zimmerman's tools Cheat Sheet - SANS FOR508 Digital Forensics, Incident Response & Threat Hunting course Instructor and Former FBI Agent Eric Zimmerman has provided several open source command line tools free to the DFIR Community. These open source tools can be used in a wide variety of investigations including cross validation of tools, providing insight into technical details not exposed by other tools, and more. Eric's first Cheat Sheet contains usage for tools for lnk files, jump lists, prefetch, and other artifacts related to evidence of execution. This suite of tools allows for displaying relevant forensic data including exporting data to many commonly used formats.
To download Eric's free tools visit: https://ericzimmerman.github.io/Download Here
NEW! - Threat Intelligence Consumption Poster - Cyber Threat Intelligence is a wide and specialized field that goes far beyond indicators and threat feeds. This SANS poster covers the essentials you need to know while highlighting models such as the Kill Chain, Diamond Model, Active Cyber Defense Cycle, and the process used in the new FOR578 - Cyber Threat Intelligence course. Empower your organization to generate and consume threat intelligence to counter the adversary.
SIFT Workstation & REMnux Poster - SANS faculty members maintain two popular Linux distributions for digital forensics and incident response (DFIR) work. SIFT Workstation™ is a powerful toolkit for examining forensic artifacts related to file system, registry, memory, and network investigations. REMnux® focuses on malware analysis and reverse-engineering tasks. This poster provides a reference to getting started with these freely available toolkits, so you can create your own ultimate forensication machine.
Rekall Cheat Sheet - The Rekall Memory Forensic Framework has unique syntax and plugin options specific to its features and capabilities. This cheatsheet provides a quick reference for memory analysis operations in Rekall, covering acquisition, live memory analysis and parsing plugins used in the 6-Step Investigative Process. For more information on this tool, visit rekall-forensic.com. Download Here
DFIR "Memory Forensics" Poster - Analysts armed with memory analysis skills have a better chance to detect and stop a breach before you become the next news headline. This poster shows some of the structures analyzed during memory forensic investigations. Just as those practicing disk forensics benefit from an understanding of file systems, memory forensic practitioners also benefit from an understanding of OS internal structures. Download Here
DFIR "Advanced Smartphone Forensics" Poster- Forensic investigations often rely on data extracted from smartphones and tablets. Smartphones are the most personal computing device associated to any user, and can therefore provide the most relevant data per gigabyte examined. Commercial tools often miss digital evidence on smartphones and associated applications, and improper handling can render the data useless. Use this poster as a cheat-sheet to help you remember how to handle smartphones, where to obtain actionable intelligence, and how to recover and analyze data on the latest smartphones and tablets. Download Here
DFIR "Evidence of..." Poster- The "Evidence of..." categories were originally created by SANS Digital Forensics ad Incidence Response faculty for the SANS course FOR408 - Windows Forensics. The categories map a specific artifact to the analysis questions that it will help to answer. Use this poster as a cheat-sheet to help you remember where you can discover key items to an activity for Microsoft Windows systems for intrusions, intellectual property theft, or common cyber crimes.Download Here
DFIR "Find Evil" Poster - In an intrusion case, spotting the difference between abnormal and normal is often the difference between success and failure. Your mission is to quickly identify suspicious artifacts in order to verify potential intrusions. Use the information below as a reference for locating anomalies that could reveal the actions of an attacker. Download Here
DFIR SIFT 3.0 Cheat Sheets and Brochure - Inside our DFIR course catalog you will find two critical cheat sheets. SIFT 3.0 guide and the Memory Forensics cheat sheets. Download Here
SIFT Cheat Sheet - Looking to use the SIFT workstation and need to know your way around the interface? No problem, this cheat sheet will give you the basic commands to get cracking open your case using the latest cutting edge forensic tools. Download Here
Evidence Collection Cheat Sheet - This sheet covers the various locations where evidence to assist in an investigation may be located. Download Here
Linux Shell Survival Guide - This guide is a supplement to SANS FOR572: Advanced Network Forensics and Analysis. It covers some of what we consider the more useful Linux shell primitives and core utilities. These can be exceedingly helpful when automating analysis processes, generating output that can be copied and pasted into a report or spreadsheet document, or supporting quick-turn responses when a full tool kit is not available. Download Here
Windows to Unix Cheat Sheet - It helps to know how to translate between windows and unix. This handy reference guide ties together many well known Unix commands with their Windows command line siblings. A great way to get Windows users familiar with the command line quickly. Download Here
Volatility Memory Forensics Cheat - Covering the popular memory suite Volatility, this cheat sheet will empower each investigator the key knowledge to quickly step through the 6 step memory analysis process using key commands from the plugins. This reference guide is very useful to have near you for those just starting out in memory forensics or those who are experts who need to quickly remember plugin syntax. Download Here
Hex and Regex Forensics Cheat Sheet - Quickly become a master of sorting through massive amounts of data quickly using this useful guide to knowing how to use simple Regex capabilities built into the SIFT workstation. Download Here
Developing Process for Mobile Device Forensics (Det. Cynthia A. Murphy)- With the growing demand for examination of cellular phones and other mobile devices, a need has also developed for the development of process guidelines for the examination of these devices. While the specific details of the examination of each device may differ, the adoption of consistent examination processes will assist the examiner in ensuring that the evidence extracted from each phone is well documented and that the results are repeatable and defensible. Download Here
SANS FOR518 Reference Sheet - This cheat sheet is used to describe the core functions and details of the HFS+ Filesystem. Download Here