Community: Posters

DFIR "Hunt Evil" Poster - The DFIR "Hunt Evil" poster has two sides.

The first side, "Find Evil - Know Normal", describes what is normal on a Windows host, which helps cut through the noise to quickly locate potential malware. Use the information on the first side as a reference for what is normal in Windows so you can focus your attention on the outliers.

The second side is "Hunt Evil: Lateral Movement". During incident response and threat hunting, it is critical to understand how attackers move around your network. Lateral movement is an inescapable requirement for attackers to stealthily move from system to system and accomplish their objectives. Every adversary, including the most skilled, will use some form of the lateral movement techniques described here during a breach. Understanding lateral movement tools and techniques allows responders to hunt more efficiently, quickly perform incident response scoping, and better anticipate future attacker activity.

This poster was created by FOR500 Windows Forensics Analysis | FOR508 Advanced Digital Forensics, Incident Response & Threat Hunting course author and SANS DFIR Curriculum Lead, Rob Lee and Certified Instructor Mike Pilkington with support from the SANS DFIR Faculty.

Please note, the DFIR "Hunt Evil" Poster has replaced the DFIR "Find the Evil" Poster.

Download Here

Network Forensic Poster - Network communications are a critical component to most forensic casework and threat hunting operations. This poster helps bring clarity to the types and sources of network-based evidence, how to convert full-packet data to other, more rapidly examined formats, the tools used to query that evidence, and general use cases for network data in typical DFIR operations.

The Network Forensics & Analysis Poster was created by FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response course author and SANS Certified Instructor Phil Hagen with support from the SANS DFIR Faculty.

Download Here

Threat Intelligence Consumption Poster - Cyber Threat Intelligence is a wide and specialized field that goes far beyond indicators and threat feeds. This SANS poster covers the essentials you need to know while highlighting models such as the Kill Chain, Diamond Model, Active Cyber Defense Cycle, and the process used in the FOR578 - Cyber Threat Intelligence course. Empower your organization to generate and consume threat intelligence to counter the adversary.

The Threat Intelligence Consumption Poster was created by FOR578 Cyber Threat Intelligence course author and SANS Certified Instructor Robert M. Lee with support from the SANS DFIR Faculty.

Download Here

SIFT Workstation & REMnux Poster - SANS faculty members maintain two popular Linux distributions for digital forensics and incident response (DFIR) work. SIFT Workstation™ is a powerful toolkit for examining forensic artifacts related to file system, registry, memory, and network investigations. REMnux® focuses on malware analysis and reverse-engineering tasks. This poster provides a reference to getting started with these freely available toolkits, so you can create your own ultimate forensication machine.

The SIFT & REMnux Poster was created by FOR610 Reverse-Engineering Malware: Analysis Tools and Techniques course author and SANS Certified Instructor Lenny Zeltser and FOR500 Windows Forensics Analysis | FOR508 Advanced Digital Forensics, Incident Response & Threat Hunting course co-author and SANS DFIR Curriculum Lead, Rob Lee with support from the SANS DFIR Faculty.

Download Here

DFIR "Memory Forensics" Poster - Memory is the new battleground between attackers and defenders. Advanced attackers are increasingly operating completely in memory and NOT writing files to disk. Running tools against your memory dumps gives you data, but what does that data mean? The SANS memory forensics poster offers analysts a jumping-off point for analyzing incidents using our intuitive six-step analysis process. It provides a layout of the most important structures in Windows kernel memory, which are critical for piecing together advanced analysis tasks. Finally, the poster highlights a variety of advancements in Windows kernel protections that have fundamentally changed the way analysts must perform memory forensics.

The Memory Forensics Analysis Poster was created by FOR526 Memory Forensics In-Depth course authors, SANS Certified Instructor Alissa Torres and SANS Senior Instructor Jake Williams with support from the SANS DFIR Faculty.

Download Here

DFIR "Advanced Smartphone Forensics" Poster - Forensic investigations often rely on data extracted from smartphones and tablets. Smartphones are the most personal computing devices associated with any user, and can therefore provide the most relevant data per gigabyte examined. Commercial tools often miss digital evidence on smartphones and associated applications, and improper handling can render the data useless. Use this poster as a cheat sheet to help you remember how to handle smartphones, where to obtain actionable intelligence, and how to recover and analyze data on the latest smartphones and tablets.

The Advanced Smartphone Forensics Poster was created by FOR585 Advanced Smartphone Forensics course authors, SANS Certified Instructors Heather Mahalik and Cindy Murphy, and SANS Instructor Domenica "Lee" Crognale with support from the SANS DFIR Faculty.

Download Here

DFIR "Evidence of..." Poster - Finding unknown malware is an intimidating process to many, but it can be simplified by following some simple steps to help narrow your search. By using the techniques in this poster's chart, you will learn how to narrow the thousands of files on a typical machine down to the 1-4 files that are possible malware. This process of "malware funneling" is key to quick and efficient analysis of compromised hosts.

The Windows Analysis Poster was created by FOR500 Windows Forensics Analysis and FOR508 Advanced Digital Forensics, Incident Response & Threat Hunting course author and SANS DFIR Curriculum Lead, Rob Lee with support from the SANS DFIR Faculty.

Download Here