2 Days Left to Save $400 on SANS Albuquerque 2014

Reading Room

Sorry! The requested paper could not be found.

Forensics

Featuring 34 Papers as of June 17, 2014


  • A Journey into Litecoin Forensic Artifacts by Daniel Piggott - June 3, 2014 

    Litecoin is a virtual peer-to-peer currency.

  • Automation of Report and Timeline-file based file and URL analysis by Florian Eichelberger - May 6, 2014 

    The proposed solution tries to lessen the burden of manually processing timeline-based logfiles and automating the classification of both files and URLs.

  • Windows ShellBags Forensics in Depth by Vincent Lo - April 14, 2014 

    Microsoft Windows records the view preferences of folders and Desktop.

  • Repurposing Network Tools to Inspect File Systems by Andre Thibault - February 27, 2014 

    Digital forensics can be a laborious and multi-step process. Some of the initial steps in digital forensics include: Data Reduction, Anti-Virus checks, and an Indicator of Compromise (IOC) search.

  • Review of Windows 7 as a Malware Analysis Environment by Adam Kramer - January 9, 2014 

    The SANS course "FOR610: Reverse Engineering of Malware" is designed using Windows XP as the malware analysis environment (SANS Institute, 2013).

  • Live Response Using PowerShell by Sajeev Nair - August 19, 2013 

    Organizations today handle more sensitive personal data than ever before. As the amount of sensitive personal data increases, the more they are susceptible to security incidents and breaches (AICPA, n.d).

  • The SANS Survey of Digital Forensics and Incident Response Analyst Paper
    by Paul Henry, Jacob Williams, and Benjamin Wright - July 18, 2013 

    2013 Digital Forensics Survey to identify the nontraditional areas where digital forensics techniques are used.

  • Dead Linux Machines Do Tell Tales by James Fung - May 15, 2013 

    A summary study of a compromised Linux network and the incident handling procedures that followed.

  • Log2Pcap by Joaquin Moreno - April 29, 2013 

    During the analysis of all the available data that are logged, organizations must be able to identify which portions of this information are actionable and pertinent.

  • Using IOC (Indicators of Compromise) in Malware Forensics by Hun-Ya Lock - April 17, 2013 

    In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.

  • Indicators of Compromise in Memory Forensics by Chad Robertson - March 21, 2013 

    There has been a recent increase in the availability of intelligence related to malware.

  • Windows Logon Forensics by Sunil Gupta - March 12, 2013 

    Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.

  • Forensic Analysis on iOS Devices Masters
    by Tim Proffitt - January 25, 2013 

    Technology in smart phones and tablets is advancing in a feverish pace.

  • A Regular Expression Search Primer for Forensic Analysts by Tim Cook - April 24, 2012 

    This paper introduces some of the powerful ASCII pattern identification and manipulation tools that are available to Forensic Analysts from the command line of the Linux Operating System of the SANS Investigative Forensic Toolkit (SIFT) Workstation.

  • What's in a Name: Uncover the Meaning behind Windows Files and Processes by Larisa Long - February 7, 2012 

    When a system has been compromised, forensic analysts have to be part researcher and part investigator. They must be able to parse out known or healthy files to eliminate them as possible clues. Like the old saying goes: know what you don‟t know, but know where to find the answers.

  • iPhone Backup Files. A Penetration Tester's Treasure by Darren Manners - February 7, 2012 

    One of the noticeable changes in recent technology history is the emergence of the smart phone. Technological advances in these fields have created devices that have almost the equivalent power and functionality of desktop computers.

  • Computer Forensic Timeline Analysis with Tapestry by Derek Edwards - November 29, 2011 

    One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.

  • Identifying Malicious Code Infections Out of Network by Ken Dunham - August 29, 2011 

    Forensics is a complex subject, where details matter greatly. Even more complicated are investigations where forensic methods are used to further understand, identify, capture, and mature and understanding of a malicious attack that may have taken place on a computer.

  • Wireless Networks and the Windows Registry - Just where has your computer been? Masters
    by Jonathan Risto - May 6, 2011 

    The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user configuring settings and installed software.

  • Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis Masters
    by T.J. OConnor - September 13, 2010 

    Forensics tools exist in abundance on the Web. Want to find a tool to dump the Windows SAM database out of volatile memory? Google and you will quickly find out that it exists. Want to mount and examine the contents of an iPhone backup? A tool exists to solve that problem as well. But what happens when a tool does not already exist? Anyone who has recently performed a forensic investigation knows that you are often left with a sense of frustration, knowing data existed only you had a tool that could access it.

  • Integrating Forensic Investigation Methodology into eDiscovery by Colin Chisholm - September 7, 2010 

    The intent of this paper is twofold; to provide a primer on the eDiscovery process for forensic analysts and to provide guidance on the application of forensic investigative methodology to said process. Even though security practitioners such as forensic analysts operate in the legal vertical, they necessarily view and approach eDiscovery from a different perspective than legal professionals. This paper proposes that both parties can benefit when they integrate their processes; forensic tools and techniques have been used in the collection, analysis and presentation of evidence in the legal system for years. The history, and precedent, of applying forensic science to the legal process can be leveraged into the eDiscovery process. This paper will also detail how the scope and work for a forensic investigator during the eDiscovery process differs from a typical forensic investigation.

  • Remotely Accessing Sensitive Resources by Jason Ragland - February 18, 2010 

    Often travelers require access to digital resources to perform work from off-site locations such as conferences, hotels, and homes. These resources can include emails, research, medical, financial data, server management applications, or any number of other things that may have a very high need for confidentiality and integrity. The acceptable methods for access vary based on a variety of factors such as size, complexity, available types of network connectivity, and bandwidth. Access to email is often easily provided via a secure website and a password, for example. If the resource consists of gigabytes of research data, it isnt as simple.

  • Reverse Engineering the Microsoft exFAT File System by Robert Shullich - February 18, 2010 

    As Technology pushes the limits of removable media - so drives the need for a new file system in order to support the larger capacities and faster access speeds being designed. Microsoft's answer to this need is the new Extended FAT File System (exFAT) which has been made available on its newer operating systems and which will be supported on the new secure digital extended capacity (SDXC) storage media. This new file system is proprietary and requires licensing from Microsoft and little has been published about exFAT's internals. Yet in order to perform a full and proper digital forensics examination of the media, the file system layout and organization must be known. This paper takes a look under the hood of exFAT and demystifies the file system structure in order to be an aid in the performance of a digital investigation.

  • Mac OS X Malware Analysis by Joel Yonts - September 2, 2009 

    As Apple's market share raises so will the Malware! Will incident responders be ready to address this rising threat? Leveraging the knowledge and experience from the mature windows based malware analysis environment, a roadmap will be built that will equip those already familiar with malware analysis to make the transition to the Mac OS X platform. Topics covered will include analysis of filesystem events, network traffic capture & analysis, live response tools, and examination of OS X constructs such as executable file structure and supporting configuration files.

  • Techniques and Tools for Recovering and Analyzing Data from Volatile Memory by Kristine Amari - March 26, 2009 

    There are many relatively new tools available that have been developed in order to recover and dissect the information that can be gleaned from volatile memory, but because this is a relatively new and fast-growing field many forensic analysts do not know or take advantage of these assets.

  • Data Carving Concepts by Antonio Merola - November 19, 2008 

    The idea behind this paper is to help people become familiar with data carving concepts and analysis techniques.

  • Mobile Device Forensics by Andrew Martin - September 5, 2008 

    This research paper will document in detail the methodology used to examine mobile electronic devices for the data critical to security investigations. The methodology encompasses the tools, techniques and procedures needed to gather data from a variety of common devices.

  • A Forensic Primer for Usenet Evidence by Mark Lachniet - June 25, 2008 

    This document is intended to provide an overview of the Usenet on the Internet, including the NNTP protocol and types of evidence of Usenet abuse that may be present on permanent storage devices such as hard disks and flash drives.

  • Ex-Tip: An Extensible Timeline Analysis Framework in Perl by Michael Cloppert - May 21, 2008 

    Digital forensic investigative needs extend well beyond the capabilities provided by classic timeline generation and analysis tools. In this paper, a simple, extensible, and portable timeline framework is discussed in detail. Dubbed Ex-Tip, it is shown that this tool can be used to provide basic timeline capabilities to any variety of input sources, with customizable output for human or programmatic consumption.

  • Taking advantage of Ext3 journaling file system in a forensic investigation by Gregorio Narvaez - December 11, 2007 

    The Ext3 file system has become the default for most Linux distributions and thus is of great importance for any practitioner of forensics to understand how Ext3 handles files differently from the previous standard (Ext2) and how the knowledge of these differences can be applied to recover evidence as deleted files, and file activity.

  • Forensic Analysis of a SQL Server 2005 Database Server by Kevvie Fowler - September 28, 2007 

    In-depth analysis of a forensic analysis of a SQL Server 2005 Database Server.

  • Forensic Analysis of a Compromised Intranet Server by Roberto Obialero - June 8, 2006 

    This document details the forensic analysis process of a compromised Intranet server, from the verification stage to the dissection of malware code, supported by an explanation of the followed methodology.

  • Becoming a Forensic Investigator by Mark Maher - August 15, 2004 

    One of the forensic analyst's primary functions is the dissemination of the forensic process to the intended audience. To do their jobs successfully, they must write forensic reports that are both technically accurate and easy to read.

  • A Case for Forensics Tools in Cross-Domain Data Transfers by Dwane Knott - July 14, 2003 

    Corporate and government organizations dependence on computers and networks for storage and movement of data raises significant security issues. This paper presents three options, the most practical is more fully discussed.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.