Last Day to Save $400 on SANS Pen Test Austin 2015

Reading Room


Featuring 44 Papers as of March 27, 2015

  • Using Sysmon to Enrich Security Onion's Host-Level Capabilities by Josh Brower - March 27, 2015 

    In 2003, Gartner declared Intrusion Detection Systems as a market failure primarily because of the high false positives and negatives, and the significant amount of time and resources needed to monitor and validate alerts.

  • Windows Phone 8 Forensic Artifacts by Cynthia Murphy, Adrian Leong, Maggie Gaffney, Shafik G. Punja, JoAnn Gibb, Brian McGarry - February 20, 2015 

    Because of the fast pace of change of mobile device technologies and operating systems, there are times when a newer mobile device which is unsupported or only partially supported by commercial mobile forensic tools for data extraction and parsing must be examined in the course of a criminal investigation, with the end goal being the extraction of digital evidence for use in court.

  • Analyzing Man-in-the-Browser (MITB) Attacks Masters
    by Chris Cain - January 12, 2015 

    Malware today has become the method of choice to attack financial institutions. With the ease of use and ability for criminals to cover their tracks, this has been the way to rob banks without the need for a getaway car. Attackers are finding new and complex methods in which to carry out attacks. One of these vectors is a Man-in-the-Browser (MITB) attack.

  • Let's face it, you are probably compromised. What next? by Jonathan Thyer - December 15, 2014 

    Over the past several years, the information technology industry has dramatically shifted from a desktop workstation centric, corporate owned computing asset model to a model of performing business processing tasks from anywhere with any capable device. This is evident through the dramatic increase in tablet, and smartphone use by organizational employees, and demand of employees to be able to use their own devices to manage daily business tasks.

  • Intelligence-Driven Incident Response with YARA by Ricardo Dias - October 20, 2014 

    The concept of threat intelligence is gaining momentum in the cyber-security arena. As targeted attacks increase in number and sophistication, organizations are beginning to develop and integrate the concept of threat intelligence into their cyber-defensive strategies. By doing so, organizations are taking the next step forward to respond to cyber-attacks. Recent threat reports reveal promising results.

  • Reducing the Catch: Fighting Spear-Phishing in a Large Organization by Joel Anderson - October 20, 2014 

    The phishing problem isn't new. Over 150 years ago, Charles Dickens wrote a passionate and witty letter about fraudsters of his day who, like Nigerian 419 scammers today, preyed upon the generosity and gullibility of well-meaning folk. The differences in our time are that of scale and scope, as the perpetrators have taken on seven league boots and covered continents with their shameless appeals.

  • An Analysis of Meterpreter during Post-Exploitation Masters
    by Kiel Wadner - October 14, 2014 

    Much has been written about using the Metasploit Framework to gain access to systems, utilizing exploits, and the post-exploitation modules. What has received less attention is how they work, what they actually do on the system and how it can be detected. That is the focus of this research paper.

  • Forensicator FATE - From Artisan To Engineer by Barry Anderson - October 13, 2014 

    The SANS Investigative Forensic Toolkit (SIFT) is an awesome set of (free!) tools for the forensics professional. Using these tools effectively however can be overwhelming, especially in the case of a large complex case such as an APT intrusion.

  • Forensic Images: For Your Viewing Pleasure Masters
    by Sally Vandeven - September 19, 2014 

    Digital forensic investigations often involve creating and examining disk images. A disk image is a bit-for-bit copy of a full disk or a single partition from a disk. Because the contents of a disk are constantly changing on a running system, disk images are often created following an intrusion or incident to preserve the state of a disk at a particular point in time.

  • Creating a Baseline of Process Activity for Memory Forensics Masters
    by Gordon Fraser - August 27, 2014 

    SANS's Advanced Forensic Analysis and Incident Response course (Lee & Tilbury, 2013) defines a process for the examination of memory to identify indicators of compromise.

  • A Journey into Litecoin Forensic Artifacts by Daniel Piggott - June 3, 2014 

    Litecoin is a virtual peer-to-peer currency.

  • Automation of Report and Timeline-file based file and URL analysis by Florian Eichelberger - May 6, 2014 

    The proposed solution tries to lessen the burden of manually processing timeline-based logfiles and automating the classification of both files and URLs.

  • Windows ShellBag Forensics in Depth by Vincent Lo - April 14, 2014 

    Microsoft Windows records the view preferences of folders and Desktop.

  • Repurposing Network Tools to Inspect File Systems by Andre Thibault - February 27, 2014 

    Digital forensics can be a laborious and multi-step process. Some of the initial steps in digital forensics include: Data Reduction, Anti-Virus checks, and an Indicator of Compromise (IOC) search.

  • Review of Windows 7 as a Malware Analysis Environment by Adam Kramer - January 9, 2014 

    The SANS course "FOR610: Reverse Engineering of Malware" is designed using Windows XP as the malware analysis environment (SANS Institute, 2013).

  • Live Response Using PowerShell by Sajeev Nair - August 19, 2013 

    Organizations today handle more sensitive personal data than ever before. As the amount of sensitive personal data increases, the more they are susceptible to security incidents and breaches (AICPA, n.d).

  • The SANS Survey of Digital Forensics and Incident Response Analyst Paper
    by Paul Henry, Jacob Williams, and Benjamin Wright - July 18, 2013 

    2013 Digital Forensics Survey to identify the nontraditional areas where digital forensics techniques are used.

  • Dead Linux Machines Do Tell Tales by James Fung - May 15, 2013 

    A summary study of a compromised Linux network and the incident handling procedures that followed.

  • Log2Pcap by Joaquin Moreno - April 29, 2013 

    During the analysis of all the available data that are logged, organizations must be able to identify which portions of this information are actionable and pertinent.

  • Using IOC (Indicators of Compromise) in Malware Forensics by Hun-Ya Lock - April 17, 2013 

    In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.

  • Indicators of Compromise in Memory Forensics by Chad Robertson - March 21, 2013 

    There has been a recent increase in the availability of intelligence related to malware.

  • Windows Logon Forensics by Sunil Gupta - March 12, 2013 

    Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.

  • Forensic Analysis on iOS Devices Masters
    by Tim Proffitt - January 25, 2013 

    Technology in smart phones and tablets is advancing in a feverish pace.

  • A Regular Expression Search Primer for Forensic Analysts by Tim Cook - April 24, 2012 

    This paper introduces some of the powerful ASCII pattern identification and manipulation tools that are available to Forensic Analysts from the command line of the Linux Operating System of the SANS Investigative Forensic Toolkit (SIFT) Workstation.

  • What's in a Name: Uncover the Meaning behind Windows Files and Processes by Larisa Long - February 7, 2012 

    When a system has been compromised, forensic analysts have to be part researcher and part investigator. They must be able to parse out known or healthy files to eliminate them as possible clues. Like the old saying goes: know what you don‟t know, but know where to find the answers.

  • iPhone Backup Files. A Penetration Tester's Treasure by Darren Manners - February 7, 2012 

    One of the noticeable changes in recent technology history is the emergence of the smart phone. Technological advances in these fields have created devices that have almost the equivalent power and functionality of desktop computers.

  • Computer Forensic Timeline Analysis with Tapestry by Derek Edwards - November 29, 2011 

    One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.

  • Identifying Malicious Code Infections Out of Network by Ken Dunham - August 29, 2011 

    Forensics is a complex subject, where details matter greatly. Even more complicated are investigations where forensic methods are used to further understand, identify, capture, and mature and understanding of a malicious attack that may have taken place on a computer.

  • Wireless Networks and the Windows Registry - Just where has your computer been? Masters
    by Jonathan Risto - May 6, 2011 

    The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user configuring settings and installed software.

  • Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis Masters
    by T.J. OConnor - September 13, 2010 

    Forensics tools exist in abundance on the Web. Want to find a tool to dump the Windows SAM database out of volatile memory? Google and you will quickly find out that it exists. Want to mount and examine the contents of an iPhone backup? A tool exists to solve that problem as well. But what happens when a tool does not already exist? Anyone who has recently performed a forensic investigation knows that you are often left with a sense of frustration, knowing data existed only you had a tool that could access it.

  • Integrating Forensic Investigation Methodology into eDiscovery by Colin Chisholm - September 7, 2010 

    The intent of this paper is twofold; to provide a primer on the eDiscovery process for forensic analysts and to provide guidance on the application of forensic investigative methodology to said process. Even though security practitioners such as forensic analysts operate in the legal vertical, they necessarily view and approach eDiscovery from a different perspective than legal professionals. This paper proposes that both parties can benefit when they integrate their processes; forensic tools and techniques have been used in the collection, analysis and presentation of evidence in the legal system for years. The history, and precedent, of applying forensic science to the legal process can be leveraged into the eDiscovery process. This paper will also detail how the scope and work for a forensic investigator during the eDiscovery process differs from a typical forensic investigation.

  • Remotely Accessing Sensitive Resources by Jason Ragland - February 18, 2010 

    Often travelers require access to digital resources to perform work from off-site locations such as conferences, hotels, and homes. These resources can include emails, research, medical, financial data, server management applications, or any number of other things that may have a very high need for confidentiality and integrity. The acceptable methods for access vary based on a variety of factors such as size, complexity, available types of network connectivity, and bandwidth. Access to email is often easily provided via a secure website and a password, for example. If the resource consists of gigabytes of research data, it isnt as simple.

  • Reverse Engineering the Microsoft exFAT File System by Robert Shullich - February 18, 2010 

    As Technology pushes the limits of removable media - so drives the need for a new file system in order to support the larger capacities and faster access speeds being designed. Microsoft's answer to this need is the new Extended FAT File System (exFAT) which has been made available on its newer operating systems and which will be supported on the new secure digital extended capacity (SDXC) storage media. This new file system is proprietary and requires licensing from Microsoft and little has been published about exFAT's internals. Yet in order to perform a full and proper digital forensics examination of the media, the file system layout and organization must be known. This paper takes a look under the hood of exFAT and demystifies the file system structure in order to be an aid in the performance of a digital investigation.

  • Mac OS X Malware Analysis by Joel Yonts - September 2, 2009 

    As Apple's market share raises so will the Malware! Will incident responders be ready to address this rising threat? Leveraging the knowledge and experience from the mature windows based malware analysis environment, a roadmap will be built that will equip those already familiar with malware analysis to make the transition to the Mac OS X platform. Topics covered will include analysis of filesystem events, network traffic capture & analysis, live response tools, and examination of OS X constructs such as executable file structure and supporting configuration files.

  • Techniques and Tools for Recovering and Analyzing Data from Volatile Memory by Kristine Amari - March 26, 2009 

    There are many relatively new tools available that have been developed in order to recover and dissect the information that can be gleaned from volatile memory, but because this is a relatively new and fast-growing field many forensic analysts do not know or take advantage of these assets.

  • Data Carving Concepts by Antonio Merola - November 19, 2008 

    The idea behind this paper is to help people become familiar with data carving concepts and analysis techniques.

  • Mobile Device Forensics by Andrew Martin - September 5, 2008 

    This research paper will document in detail the methodology used to examine mobile electronic devices for the data critical to security investigations. The methodology encompasses the tools, techniques and procedures needed to gather data from a variety of common devices.

  • A Forensic Primer for Usenet Evidence by Mark Lachniet - June 25, 2008 

    This document is intended to provide an overview of the Usenet on the Internet, including the NNTP protocol and types of evidence of Usenet abuse that may be present on permanent storage devices such as hard disks and flash drives.

  • Ex-Tip: An Extensible Timeline Analysis Framework in Perl by Michael Cloppert - May 21, 2008 

    Digital forensic investigative needs extend well beyond the capabilities provided by classic timeline generation and analysis tools. In this paper, a simple, extensible, and portable timeline framework is discussed in detail. Dubbed Ex-Tip, it is shown that this tool can be used to provide basic timeline capabilities to any variety of input sources, with customizable output for human or programmatic consumption.

  • Taking advantage of Ext3 journaling file system in a forensic investigation by Gregorio Narvaez - December 11, 2007 

    The Ext3 file system has become the default for most Linux distributions and thus is of great importance for any practitioner of forensics to understand how Ext3 handles files differently from the previous standard (Ext2) and how the knowledge of these differences can be applied to recover evidence as deleted files, and file activity.

  • Forensic Analysis of a SQL Server 2005 Database Server by Kevvie Fowler - September 28, 2007 

    In-depth analysis of a forensic analysis of a SQL Server 2005 Database Server.

  • Forensic Analysis of a Compromised Intranet Server by Roberto Obialero - June 8, 2006 

    This document details the forensic analysis process of a compromised Intranet server, from the verification stage to the dissection of malware code, supported by an explanation of the followed methodology.

  • Becoming a Forensic Investigator by Mark Maher - August 15, 2004 

    One of the forensic analyst's primary functions is the dissemination of the forensic process to the intended audience. To do their jobs successfully, they must write forensic reports that are both technically accurate and easy to read.

  • A Case for Forensics Tools in Cross-Domain Data Transfers by Dwane Knott - July 14, 2003 

    Corporate and government organizations dependence on computers and networks for storage and movement of data raises significant security issues. This paper presents three options, the most practical is more fully discussed.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.