Digital Forensics Training | Incident Response Training

SANS Forensics Whitepapers

White Papers are an excellent source for information gathering, problem-solving and learning. Below is a list of White Papers written by forensic practitioners seeking GCFA, GCFE, and GREM Gold. SANS attempts to ensure the accuracy of information, but papers are published "as is".

Errors or inconsistencies may exist or may be introduced over time. If you suspect a serious error, please contact webmaster@sans.org.

Note: if you are using Google Chrome, you may experience difficulty downloading the white papers. Until we are able to resolve the issue, please use a different browser than Chrome to view these papers.

SANS Forensics Whitepapers

Paper	Author	Cert
A Forensic Look at Bitcoin Cryptocurrency	Michael Doran	GCFA
Using Virtualization in Internal Forensic Training and Assessment	Courtney Imbert	GCFA
Filesystem Timestamps: What Makes Them Tick?	Tony Knutson	GCFA
Portable System for Network Forensics Data Collection and Analysis	Don Murdoch	GCFA
Tor Browser Artifacts in Windows 10	Aron Warren	GCFA
Artificial Intelligence and Law Enforcement	John Wulff	GCFA
Digital Forensic Analysis of Amazon Linux EC2 Instances	Kenneth Hartman	GCFA
Bug Bounty Programs: Enterprise Implementation	Jason Pubal	GCFA
Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity	Michael Long II	GCFA
Pick a Tool, the Right Tool: Developing a Practical Typology for Selecting Digital Forensics Tools	Rick Kiper	GCFA
Windows 10 as a Forensic Platform	Ferenc Kovacs	GCFA
Using Image Excerpts to Jumpstart Windows Forensic Analysis	John Brown	GCFA
Hunting for Ghosts in Fileless Attacks	Buddy Tancio	GCFA
ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis	Andy Piazza	GCFA
Threat Hunting and Incident Response in a post-compromised environment	Rukhsar Khan	GCFA
Analysis on a compromised Linux RedHat 8.0 Honeypot	Jeff Bryner	GCFA
Forensic analysis of a Windows 98 system	Jerry Shenk	GCFA
Forensic Analysis on a compromised Windows 2000 Honeypot	Peter Hewitt	GCFA
How not to use a rootkit	Mike Wilson	GCFA
Analysis of a Red Hat Honeypot	James Shewmaker	GCFA
Forensic Validity of Netcat	Michael Worman	GCFA
Forensic Analysis on a Windows 2000 Pro Workstation	David Cragg	GCFA
Forensic Analysis of an EBay acquired Drive	Daniel Wesemann	GCFA
Forensic analysis of a Windows 2000 computer literacy training and software development device	Golden Richard	GCFA
Sys Admins and Hackers/Analysis of a hacked system	Lars Fresen	GCFA
Forensic Analysis of a Windows 2000 server with IIS and Oracle	Beth Binde	GCFA
Forensic Analysis of a compromised Sun Ultra 5 workstation	Carl Madzelan	GCFA
Forensic analysis of a compromised Linux RedHat 7.3 system	Kevin Miller	GCFA
Analysis of a Linux Honeypot	Tyler Hudak	GCFA
Forensic Analysis Procedures of a Compromised system using Encase	Jeffrey McGurk	GCFA
Forensic analysis of a Compromised Windows 2000 workstation	Charles Fraser	GCFA
Evaluation of Crocwareis Mount Image Pro as a Forensic Tool	Hugh Tower-Pierce	GCFA
Safe at Home?	David Perez	GCFA
Binary Analysis, Forensics and Legal Issues	Michael Wyman	GCFA
Analyzing a Binary File and File Partitions for Forensic Evidence	James Butler	GCFA
Open Source Forensic Analysis - Windows 2000 Server -	Andre Arnes	GCFA
Forensic Analysis Think pad 600 laptop running Windows 2000 server	Brad Bowers	GCFA
Forensic Analysis of dual bootable Operating System (OS) running a default Red Hat 6.2 Linux server installation and Windows 98	Mohd Shukri Othman	GCFA
Validation of Norton Ghost 2003	John Brozycki	GCFA
Analysis of a Suspect Red Hat Linux 6.2 System	Ray Strubinger	GCFA
Validation of Process Accounting Records	Jim Clausing	GCFA
Analysis of a Honeypot running Red Hat Linux 6.2	Keven Murphy	GCFA
Analysis and Comparison of Red Hat Linux 6.2 Honeypots With & Without LIDS-enabled Kernels	Greg Owen	GCFA
Analysis of a Potentially Misused Windows 95 System	Gregory Leibolt	GCFA
Validation of Restorer 2000 Pro v1.1 (Build 110621)	Denis Brooker	GCFA
Analysis of a Suspect Red Hat Linux 6.1 System	James Fung	GCFA
Analysis of a Windows XP Professional compromised system	Manuel Humberto Santander Pelaez	GCFA
Analysis of a Commercial Keylogger installed on multiple systems	Merlin Namuth	GCFA
HONORS-Analysis of a USB Flashdrive Image	Raul Siles	GCFA
Analyze an Unknown Image and Forensic Tool Validation: Sterilize	Steven Becker	GCFA
Report on the Forensic Analysis of a recovered Floppy Disk	Steve Armstrong	GCFA
Camouflaged and Attacked?	Bertha Marasky	GCFA
CC Terminals Harassment Case	Dean Farrington	GCFA
Forensic with Open-Source Tools and Platform: USB Flash Drive Image Forensic Analysis	Leonard Ong	GCFA
CC Terminals, Inc.Forensic Examination Report: Examination of a USB Hard Drive	Brent Duckworth	GCFA
Forensic Analysis of a Compromised NT Server(Phishing)	Andres Velazquez	GCFA
Forensic Analysis of a USB Flash Drive	Norrie Bennie	GCFA
Analysis of an unknown USB JumpDrive image	Roger Hiew	GCFA
Lessons from a Linux Compromise	John Ritchie	GCFA
Forensic Analysis of a Compromised Intranet Server	Roberto Obialero	GCFA
Discovery Of A Rootkit: A simple scan leads to a complex solution	John Melvin	GCFA
Forensic Analysis of a SQL Server 2005 Database Server	Kevvie Fowler	GCFA
Taking advantage of Ext3 journaling file system in a forensic investigation	Gregorio Narvaez	GCFA
Reverse Engineering the Microsoft exFAT File System	Robert Shullich	GCFA
Mac OS X Malware Analysis	Joel Yonts	GCFA
Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis	Terrence OConnor	GCFA
A Regular Expression Search Primer for Forensic Analysts	Timothy Cook	GCFA
Windows Logon Forensics	Sunil Gupta	GCFA
Windows Logon Forensics	Sunil Gupta	GCFA
Indicators of Compromise in Memory Forensics	Chad Robertson	GCFA
Dead Linux Machines Do Tell Tales	James Fung	GCFA
Live Response Using PowerShell	Sajeev Nair	GCFA
Repurposing Network Tools to Inspect File Systems	Andre Thibault	GCFA
Enhancing incident response through forensic, memory analysis and malware sandboxing techniques	Wylie Shanks	GCFA
Windows ShellBag Forensics in Depth	Vincent Lo	GCFA
Automation of Report and Timeline-file based file and URL analysis	Florian Eichelberger	GCFA
A Journey into Litecoin Forensic Artifacts	Daniel Piggott	GCFA
Creating a Baseline of Process Activity for Memory Forensics	Gordon Fraser	GCFA
Straddling the Next Frontier Part 2: How Quantum Computing has already begun impacting the Cyber Security landscape	Eric Jodoin	GCFA
Forensic Images: For Your Viewing Pleasure	Sally Vandeven	GCFA
Forensicator FATE - From Artisan To Engineer	Barry Anderson	GCFA
Intelligence-Driven Incident Response with YARA	Ricardo Dias	GCFA
Using Sysmon to Enrich Security Onion's Host-Level Capabilities	Joshua Brower	GCFA
IDS File Forensics	George Khalil	GCFA
Forensic Timeline Analysis using Wireshark GIAC (GCFA) Gold Certification	David Fletcher	GCFA
Forensic Analysis of Industrial Control Systems	Lewis Folkerth	GCFA
Investigative Forensic Workflow-based Case Study for Vectra and Cyphort	Jennifer Mellone	GCFE
Incident Response in Amazon EC2: First Responders Guide to Security Incidents in the Cloud	Tom Arnold	GCFE
Forensication Education: Towards a Digital Forensics Instructional Framework	Rick Kiper	GCFE
Detection of Backdating the System Clock in Windows	Xiaoxi Fan	GCFE
Exploring the Effectiveness of Approaches to Discovering and Acquiring Virtualized Servers on ESXi	Scott Perry	GCFE
Evidence of Data Exfiltration via Containerised Applications on Virtual Private Servers	Seth Enoka	GCFE
Putting it all together through Automation	Kenneth Ray	GCFE
Reverse Engineering msrll.exe	Rick Wanner	GREM
Building an Automated Behavioral Malware Analysis Environment using Open Source Software	Jim Clausing	GREM
Building a Malware Zoo	Joel Yonts	GREM
Comprehensive Blended Malware Threat Dissection Analyze Fake Anti-Virus Software and PDF Payloads	Anthony Cheuk Tung Lai	GREM
Clash of the Titans: ZeuS v SpyEye	Harshit Nayyar	GREM
GIAC GREM Assignment - Pass	James Balcik	GREM
GIAC GREM Assignment - Pass	Gregory Leibolt	GREM
GIAC GREM Assignment - Pass	Lorna Hutcheson	GREM
GIAC GREM Assignment - Pass	James Shewmaker	GREM
GIAC GREM Assignment - Pass	David Chance	GREM
GIAC GREM Assignment - Pass	Joe Fresch	GREM
A Detailed Analysis of an Advanced Persistent Threat Malware	Frankie Fu Kay Li	GREM
Using IOC (Indicators of Compromise) in Malware Forensics	Hun Ya Lock	GREM
Analysis of the building blocks and attack vectors associated with the Unified Extensible Firmware Interface (UEFI)	Jean Agneessens	GREM
Case Study: 2012 DC3 Digital Forensic Challenge Basic Malware Analysis Exercise	Kenneth Zahn	GREM
An Opportunity In Crisis	Harshit Nayyar	GREM
MalwareD: A study on network and host based defenses that prevent malware from accomplishing its goals	Dave Walters	GREM
On the x86 Representation of Object Oriented Programming Concepts for Reverse Engineers	Jason Batchelor	GREM
Automated Analysis of �abuse� mailbox for employees with the help of Malzoo	Niels Heijmans	GREM
The Importance of Business Information in Cyber Threat Intelligence (CTI), the information required and how to collect it	Deepak Bellani	GREM
Loki-Bot: Information Stealer, Keylogger, & More!	Rob Pantazopoulos	GREM
Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules	Hirokazu Murakami	GREM
Unpacking & Decrypting FlawedAmmyy	Michael Downey	GREM
Analysis of a Multi-Architecture SSH Linux Backdoor	Angel Alonso-Parrizas	GREM
Leveraging the PE Rich Header for Static M alware D etection and Linking	Maksim Dubyk	GREM

Top

Community: Whitepapers

SANS Forensics Whitepapers

Latest Blog Posts

Latest Tweets @sansforensics

Latest Papers