SANS InfoSec Reading Room - Forensics

<<Reading Room Home
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Entrust Unified Communications Cert

Featuring 26 papers as of May 22, 2013
PDF Log2Pcap
By: Joaquin Moreno (posted on May 1, 2013)
During the analysis of all the available data that are logged, organizations must be able to identify which portions of this information are actionable and pertinent.
PDF Using IOC (Indicators of Compromise) in Malware Forensics
By: Hun-Ya Lock (posted on April 22, 2013)
In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.
PDF Indicators of Compromise in Memory Forensics
By: Chad Robertson (posted on March 25, 2013)
There has been a recent increase in the availability of intelligence related to malware.
PDF Windows Logon Forensics
By: Sunil Gupta (posted on March 15, 2013)
Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
PDF Forensic Analysis on iOS Devices
By: Tim Proffitt (posted on January 25, 2013)
Technology in smart phones and tablets is advancing in a feverish pace.
PDF A Regular Expression Search Primer for Forensic Analysts
By: Tim Cook (posted on April 24, 2012)
This paper introduces some of the powerful ASCII pattern identification and manipulation tools that are available to Forensic Analysts from the command line of the Linux Operating System of the SANS Investigative Forensic Toolkit (SIFT) Workstation.
PDF iPhone Backup Files. A Penetration Tester's Treasure
By: Darren Manners (posted on February 7, 2012)
One of the noticeable changes in recent technology history is the emergence of the smart phone. Technological advances in these fields have created devices that have almost the equivalent power and functionality of desktop computers.
PDF What's in a Name: Uncover the Meaning behind Windows Files and Processes
By: Larisa Long (posted on February 7, 2012)
When a system has been compromised, forensic analysts have to be part researcher and part investigator. They must be able to parse out known or healthy files to eliminate them as possible clues. Like the old saying goes: know what you don&#8223;t know, but know where to find the answers.
PDF Computer Forensic Timeline Analysis with Tapestry
By: Derek Edwards (posted on November 29, 2011)
One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.
PDF Identifying Malicious Code Infections Out of Network
By: Ken Dunham (posted on August 29, 2011)
Forensics is a complex subject, where details matter greatly. Even more complicated are investigations where forensic methods are used to further understand, identify, capture, and mature and understanding of a malicious attack that may have taken place on a computer.
PDF Wireless Networks and the Windows Registry - Just where has your computer been?
By: Jonathan Risto (posted on May 6, 2011)
The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user configuring settings and installed software.
PDF Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis
By: T.J. OConnor (posted on September 13, 2010)
Forensics tools exist in abundance on the Web. Want to find a tool to dump the Windows SAM database out of volatile memory? Google and you will quickly find out that it exists. Want to mount and examine the contents of an iPhone backup? A tool exists to solve that problem as well. But what happens when a tool does not already exist? Anyone who has recently performed a forensic investigation knows that you are often left with a sense of frustration, knowing data existed only you had a tool that could access it.
PDF Integrating Forensic Investigation Methodology into eDiscovery
By: Colin Chisholm (posted on September 8, 2010)
The intent of this paper is twofold; to provide a primer on the eDiscovery process for forensic analysts and to provide guidance on the application of forensic investigative methodology to said process. Even though security practitioners such as forensic analysts operate in the legal vertical, they necessarily view and approach eDiscovery from a different perspective than legal professionals. This paper proposes that both parties can benefit when they integrate their processes; forensic tools and techniques have been used in the collection, analysis and presentation of evidence in the legal system for years. The history, and precedent, of applying forensic science to the legal process can be leveraged into the eDiscovery process. This paper will also detail how the scope and work for a forensic investigator during the eDiscovery process differs from a typical forensic investigation.
PDF Reverse Engineering the Microsoft exFAT File System
By: Robert Shullich (posted on February 18, 2010)
As Technology pushes the limits of removable media - so drives the need for a new file system in order to support the larger capacities and faster access speeds being designed. Microsoft's answer to this need is the new Extended FAT File System (exFAT) which has been made available on its newer operating systems and which will be supported on the new secure digital extended capacity (SDXC) storage media. This new file system is proprietary and requires licensing from Microsoft and little has been published about exFAT's internals. Yet in order to perform a full and proper digital forensics examination of the media, the file system layout and organization must be known. This paper takes a look under the hood of exFAT and demystifies the file system structure in order to be an aid in the performance of a digital investigation.
PDF Remotely Accessing Sensitive Resources
By: Jason Ragland (posted on February 18, 2010)
Often travelers require access to digital resources to perform work from off-site locations such as conferences, hotels, and homes. These resources can include emails, research, medical, financial data, server management applications, or any number of other things that may have a very high need for confidentiality and integrity. The acceptable methods for access vary based on a variety of factors such as size, complexity, available types of network connectivity, and bandwidth. Access to email is often easily provided via a secure website and a password, for example. If the resource consists of gigabytes of research data, it isn’t as simple.
PDF Mac OS X Malware Analysis
By: Joel Yonts (posted on September 8, 2009)
As Apple's market share raises so will the Malware! Will incident responders be ready to address this rising threat? Leveraging the knowledge and experience from the mature windows based malware analysis environment, a roadmap will be built that will equip those already familiar with malware analysis to make the transition to the Mac OS X platform. Topics covered will include analysis of filesystem events, network traffic capture & analysis, live response tools, and examination of OS X constructs such as executable file structure and supporting configuration files.
PDF Techniques and Tools for Recovering and Analyzing Data from Volatile Memory
By: Kristine Amari (posted on March 26, 2009)
There are many relatively new tools available that have been developed in order to recover and dissect the information that can be gleaned from volatile memory, but because this is a relatively new and fast-growing field many forensic analysts do not know or take advantage of these assets.
PDF Data Carving Concepts
By: Antonio Merola (posted on November 19, 2008)
PDF Mobile Device Forensics
By: Andrew Martin (posted on September 5, 2008)
PDF A Forensic Primer for Usenet Evidence
By: Mark Lachniet (posted on June 25, 2008)
PDF Ex-Tip: An Extensible Timeline Analysis Framework in Perl
By: Michael Cloppert (posted on May 21, 2008)
PDF Taking advantage of Ext3 journaling file system in a forensic investigation
By: Gregorio Narvaez (posted on December 11, 2007)
PDF Forensic Analysis of a SQL Server 2005 Database Server
By: Kevvie Fowler (posted on September 28, 2007)
PDF Forensic Analysis of a Compromised Intranet Server
By: Roberto Obialero (posted on June 8, 2006)
This document details the forensic analysis process of a compromised Intranet server, from the verification stage to the dissection of malware code, supported by an explanation of the followed methodology.
PDF Becoming a Forensic Investigator
By: Mark Maher (posted on August 15, 2004)
One of the forensic analyst's primary functions is the dissemination of the forensic process to the intended audience. To do their jobs successfully, they must write forensic reports that are both technically accurate and easy to read.
PDF A Case for Forensics Tools in Cross-Domain Data Transfers
By: Dwane Knott (posted on October 31, 2003)
Corporate and government organizations dependence on computers and networks for storage and movement of data raises significant security issues. This paper presents three options, the most practical is more fully discussed.
SANS Reading Room
Fight Crime.
Unravel Incidents.... One Byte at a Time.

Visit the NEW Forensics & E-Discovery Site >>

The instructor changed the way I, a network engineer, thought about questions.
-Mike Dye, PTG

Forensics 526

Latest Whitepapers

Event Monitoring and Incident Response
By Ryan Boyle

Dead Linux Machines Do Tell Tales
By James Fung

Setting Up a Database Security Logging and Monitoring Program
By Jim Horwath

Latest Tweets

DFIR Webcast starts in 75 minutes - 50 Shades of Hidden - Di [...]
May 17, 2013 - 3:46 PM

New blog post by @yorikv on pen test tips for file analysis. [...]
May 16, 2013 - 5:07 PM

New Blog Post: SANS EU #DFIR Summit in Prague - Call for Spe [...]
May 16, 2013 - 12:33 AM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"As a security professional, this info is foundational to do a competent job, let alone be successful."
- Michael Foster, Providence Health & Security

"Just amazing content and instruction, it's really a 'must do' for any info sec professional."
- Mark Austin, PHH Mortgage

"Expertise of the trainer is impressive, real life situations explained, very good manuals. Best training ever!"
- Jerry Robles de Medina, Godo CU