Community: Whitepapers

Community:

SANS Forensics Whitepapers

White Papers are an excellent source for information gathering, problem-solving and learning. Below is a list of White Papers written by forensic practitioners seeking GCFA, GCFE, and GREM Gold. SANS attempts to ensure the accuracy of information, but papers are published "as is".

Errors or inconsistencies may exist or may be introduced over time. If you suspect a serious error, please contact webmaster@sans.org.

Note: if you are using Google Chrome, you may experience difficulty downloading the white papers. Until we are able to resolve the issue, please use a different browser than Chrome to view these papers.

SANS Forensics Whitepapers
Paper Author Cert
Forensic analysis of a Windows 2000 computer literacy training and software development device Golden Richard GCFA
Sys Admins and Hackers/Analysis of a hacked system Lars Fresen GCFA
Forensic Analysis of a Windows 2000 server with IIS and Oracle Beth Binde GCFA
Forensic Analysis of a compromised Sun Ultra 5 workstation Carl Madzelan GCFA
Forensic analysis of a compromised Linux RedHat 7.3 system Kevin Miller GCFA
Analysis of a Linux Honeypot Tyler Hudak GCFA
Forensic Analysis Procedures of a Compromised system using Encase Jeffrey McGurk GCFA
Forensic analysis of a Compromised Windows 2000 workstation Charles Fraser GCFA
Evaluation of Crocwareis Mount Image Pro as a Forensic Tool Hugh Tower-Pierce GCFA
Forensic Tool Evaluation-MiTeC Registry File Viewer Kevin Fiscus GCFA
Safe at Home? David Perez GCFA
Binary Analysis, Forensics and Legal Issues Michael Wyman GCFA
Forensic Analysis of Shared Workstation Michael Kerr GCFA
Analyzing a Binary File and File Partitions for Forensic Evidence James Butler GCFA
Open Source Forensic Analysis - Windows 2000 Server - Andre Arnes GCFA
Forensic Analysis Think pad 600 laptop running Windows 2000 server Brad Bowers GCFA
Forensic Analysis of dual bootable Operating System (OS) running a default Red Hat 6.2 Linux server installation and Windows 98 Mohd Shukri Othman GCFA
An Examination of a Compromised Solaris Honeypot, an Unknown Binary, and the Legal Issues Surrounding Incident Investigations Robert Mccauley GCFA
Forensic analysis of a compromised RedHat Linux 7.0 system Jake Cunningham GCFA
Validation of Norton Ghost 2003 John Brozycki GCFA
Analysis of a Suspect Red Hat Linux 6.2 System Ray Strubinger GCFA
Validation of Process Accounting Records Jim Clausing GCFA
Analysis of a Honeypot running Red Hat Linux 6.2 Keven Murphy GCFA
Analysis and Comparison of Red Hat Linux 6.2 Honeypots With & Without LIDS-enabled Kernels Greg Owen GCFA
Validation of ISObuster v1.0 Steven Dietz GCFA
Analysis of a Potentially Misused Windows 95 System Gregory Leibolt GCFA
Validation of Restorer 2000 Pro v1.1 (Build 110621) Denis Brooker GCFA
Analysis of a Suspect Red Hat Linux 6.1 System James Fung GCFA
Analysis of a Commercial Keylogger installed on multiple systems Merlin Namuth GCFA
HONORS-Analysis of a USB Flashdrive Image Raul Siles GCFA
Analyze an Unknown Image and Forensic Tool Validation: Sterilize Steven Becker GCFA
Camouflaged and Attacked? Bertha Marasky GCFA
CC Terminals Harassment Case Dean Farrington GCFA
Forensic with Open-Source Tools and Platform: USB Flash Drive Image Forensic Analysis Leonard Ong GCFA
CC Terminals, Inc.Forensic Examination Report: Examination of a USB Hard Drive Brent Duckworth GCFA
Forensic Analysis of a Compromised NT Server(Phishing) Andres Velazquez GCFA
Forensic Analysis of a USB Flash Drive Norrie Bennie GCFA
Analysis of an unknown USB JumpDrive image Roger Hiew GCFA
Lessons from a Linux Compromise John Ritchie GCFA
Forensic Analysis of a Compromised Intranet Server Roberto Obialero GCFA
Discovery Of A Rootkit: A simple scan leads to a complex solution John Melvin GCFA
Forensic Analysis of a SQL Server 2005 Database Server Kevvie Fowler GCFA
Reverse Engineering the Microsoft exFAT File System Robert Shullich GCFA
Mac OS X Malware Analysis Joel Yonts GCFA
Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis Terrence OConnor GCFA
Computer Forensic Timeline Analysis with Tapestry Derek Edwards GCFA
A Regular Expression Search Primer for Forensic Analysts Timothy Cook GCFA
Windows Logon Forensics Sunil Gupta GCFA
Windows Logon Forensics Sunil Gupta GCFA
Indicators of Compromise in Memory Forensics Chad Robertson GCFA
Dead Linux Machines Do Tell Tales James Fung GCFA
Live Response Using PowerShell Sajeev Nair GCFA
Repurposing Network Tools to Inspect File Systems Andre Thibault GCFA
Enhancing incident response through forensic, memory analysis and malware sandboxing techniques Wylie Shanks GCFA
Windows ShellBag Forensics in Depth Vincent Lo GCFA
Automation of Report and Timeline-file based file and URL analysis Florian Eichelberger GCFA
A Journey into Litecoin Forensic Artifacts Daniel Piggott GCFA
Creating a Baseline of Process Activity for Memory Forensics Gordon Fraser GCFA
Straddling the Next Frontier Part 2: How Quantum Computing has already begun impacting the Cyber Security landscape Eric Jodoin GCFA
Forensic Images: For Your Viewing Pleasure Sally Vandeven GCFA
Forensicator FATE - From Artisan To Engineer Barry Anderson GCFA
Intelligence-Driven Incident Response with YARA Ricardo Dias GCFA
Using Sysmon to Enrich Security Onion's Host-Level Capabilities Joshua Brower GCFA
IDS File Forensics George Khalil GCFA
Forensic Timeline Analysis using Wireshark GIAC (GCFA) Gold Certification David Fletcher GCFA
Forensic Analysis of Industrial Control Systems Lewis Folkerth GCFA
A Forensic Look at Bitcoin Cryptocurrency Michael Doran GCFA
Using Virtualization in Internal Forensic Training and Assessment Courtney Imbert GCFA
Tech Refresh for the Forensic Analysis Toolkit Derek Edwards GCFA
Filesystem Timestamps: What Makes Them Tick? Tony Knutson GCFA
Portable System for Network Forensics Data Collection and Analysis Don Murdoch GCFA
Tor Browser Artifacts in Windows 10 Aron Warren GCFA
Artificial Intelligence and Law Enforcement John Wulff GCFA
Digital Forensic Analysis of Amazon Linux EC2 Instances Kenneth Hartman GCFA
Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity Michael Long II GCFA
Pick a Tool, the Right Tool: Developing a Practical Typology for Selecting Digital Forensics Tools Rick Kiper GCFA
Windows 10 as a Forensic Platform Ferenc Kovacs GCFA
Using Image Excerpts to Jumpstart Windows Forensic Analysis John Brown GCFA
Forensic analysis of a Windows 98 system Jerry Shenk GCFA
Forensic Analysis on a compromised Windows 2000 Honeypot Peter Hewitt GCFA
How not to use a rootkit Mike Wilson GCFA
Analysis of a Red Hat Honeypot James Shewmaker GCFA
Forensic Validity of Netcat Michael Worman GCFA
Forensic Analysis on a Windows 2000 Pro Workstation David Cragg GCFA
Forensic Analysis of an EBay acquired Drive Daniel Wesemann GCFA
Becoming a Forensic Investigator/Use of Forensic Toolkit Mark Maher GCFA
Investigative Forensic Workflow-based Case Study for Vectra and Cyphort Jennifer Mellone GCFE
Incident Response in Amazon EC2: First Responders Guide to Security Incidents in the Cloud Tom Arnold GCFE
Forensication Education: Towards a Digital Forensics Instructional Framework Rick Kiper GCFE
Detection of Backdating the System Clock in Windows Xiaoxi Fan GCFE
Exploring the Effectiveness of Approaches to Discovering and Acquiring Virtualized Servers on ESXi Scott Perry GCFE
Building an Automated Behavioral Malware Analysis Environment using Open Source Software Jim Clausing GREM
Building a Malware Zoo Joel Yonts GREM
Comprehensive Blended Malware Threat Dissection Analyze Fake Anti-Virus Software and PDF Payloads Anthony Cheuk Tung Lai GREM
Clash of the Titans: ZeuS v SpyEye Harshit Nayyar GREM
GIAC GREM Assignment - Pass James Balcik GREM
GIAC GREM Assignment - Pass Gregory Leibolt GREM
GIAC GREM Assignment - Pass Lorna Hutcheson GREM
GIAC GREM Assignment - Pass James Shewmaker GREM
GIAC GREM Assignment - Pass David Chance GREM
GIAC GREM Assignment - Pass Joe Fresch GREM
A Detailed Analysis of an Advanced Persistent Threat Malware Frankie Fu Kay Li GREM
Using IOC (Indicators of Compromise) in Malware Forensics Hun Ya Lock GREM
Analysis of the building blocks and attack vectors associated with the Unified Extensible Firmware Interface (UEFI) Jean Agneessens GREM
Case Study: 2012 DC3 Digital Forensic Challenge Basic Malware Analysis Exercise Kenneth Zahn GREM
An Opportunity In Crisis Harshit Nayyar GREM
MalwareD: A study on network and host based defenses that prevent malware from accomplishing its goals Dave Walters GREM
XtremeRAT - When Unicode Breaks Harri Sylvander GREM
Analyzing a Backdoor/Bot for the MIPS Platform Muhammad Junaid Bohio GREM
On the x86 Representation of Object Oriented Programming Concepts for Reverse Engineers Jason Batchelor GREM
Automated Analysis of “abuse” mailbox for employees with the help of Malzoo Niels Heijmans GREM
The Importance of Business Information in Cyber Threat Intelligence (CTI), the information required and how to collect it Deepak Bellani GREM
Loki-Bot: Information Stealer, Keylogger, & More! Rob Pantazopoulos GREM
Automating Static File Analysis and Metadata Collection Using Laika BOSS Charles DiRaimondi IV GREM
Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules Hirokazu Murakami GREM
Malware Adventure Russell Elliott GREM
Reverse Engineering msrll.exe Rick Wanner GREM
Top
Get an iPad Pro with Online Training Courses
Latest Blog Posts

Inhibiting Malicious Macros by Blocking Risky API Calls
April 15, 2018 - 4:21 PM

Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training th [...]
April 13, 2018 - 4:51 PM

SANS Threat Hunting and Incident Response Summit 2018 Call for Speakers - D [...]
January 29, 2018 - 4:02 PM

Latest Tweets @sansforensics

TWO days left to SAVE up to $400! #ThreatHuntingSummit 2018 [...]
July 21, 2018 - 8:10 PM

Can't make it to the #ThreatHuntingSummit ? Get the LIVE exp [...]
July 21, 2018 - 5:30 PM

Advance your career & SAVE $200! Register by 7/25 #Malwa [...]
July 21, 2018 - 5:30 PM

Latest Papers

Using Image Excerpts to Jumpstart Windows Forensic Analysis
By John Brown

Windows 10 as a Forensic Platform
By Ferenc Kovacs

Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules
By Hirokazu Murakami

"This is awesome! We're seeing details that most people don't even know exist."
- John Wright, Info Tech, Inc.

"Rob Lee's enthusiasm method of delivery made the class excellent and a great environment to learn. He knows his stuff, without a doubt."
- Tim Moniot, Las Vegas Metro P.D.

"I had taken several other forensic courses prior to this one, but none of them or their instructors made understanding forensic methodologies and techniques as clear and understandable as Rob Lee and this course has."
- Nathon Heck, Purdue