


SANS InfoSec Reading Room - Forensics

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.


Featuring 11 papers as of Nov 22, 2009
PDF Mac OS X Malware Analysis
By: Joel Yonts (posted on September 8, 2009)
As Apple's market share rises, so will the malware! Will incident responders be ready to address this rising threat? Leveraging the knowledge and experience from the mature Windows-based malware analysis environment, a roadmap will be built that will equip those already familiar with malware analysis to make the transition to the Mac OS X platform. Topics covered will include analysis of filesystem events, network traffic capture & analysis, live response tools, and examination of OS X constructs such as executable file structure and supporting configuration files.
PDF Techniques and Tools for Recovering and Analyzing Data from Volatile Memory
By: Kristine Amari (posted on March 26, 2009)
There are many relatively new tools available that have been developed in order to recover and dissect the information that can be gleaned from volatile memory, but because this is a relatively new and fast-growing field many forensic analysts do not know or take advantage of these assets.
PDF Data Carving Concepts
By: Antonio Merola (posted on November 19, 2008)
PDF Mobile Device Forensics
By: Andrew Martin (posted on September 5, 2008)
PDF A Forensic Primer for Usenet Evidence
By: Mark Lachniet (posted on June 25, 2008)
PDF Ex-Tip: An Extensible Timeline Analysis Framework in Perl
By: Michael Cloppert (posted on May 21, 2008)
PDF Taking advantage of Ext3 journaling file system in a forensic investigation
By: Gregorio Narvaez (posted on December 11, 2007)
PDF Forensic Analysis of a SQL Server 2005 Database Server
By: Kevvie Fowler (posted on September 28, 2007)
PDF Becoming a Forensic Investigator
By: Mark Maher (posted on August 15, 2004)
One of the forensic analyst's primary functions is the dissemination of the forensic process to the intended audience. To do their jobs successfully, they must write forensic reports that are both technically accurate and easy to read.
PDF A Case for Forensics Tools in Cross-Domain Data Transfers
By: Dwane Knott (posted on October 31, 2003)
Corporate and government organizations' dependence on computers and networks for storage and movement of data raises significant security issues. This paper presents three options; the most practical is discussed more fully.
PDF Forensic Analysis of a Compromised Intranet Server
By: Roberto Obialero (posted on )
This document details the forensic analysis process of a compromised Intranet server, from the verification stage to the dissection of malware code, supported by an explanation of the followed methodology.
