homepage
Open menu
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defence Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
      • European Skills Framework
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
    • Cyber Ranges
  • Manage Your Team
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Why Work with SANS
    • Group Purchasing
    • Build Your Team
      • Team Development
      • Assessments
      • Private Training
      • Hire Cyber Professionals
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
      • Summit Presentations
      • Posters & Cheat Sheets
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Artifact Timeline Creation and Analysis - part 2
Kristinn Guðjónsson

Artifact Timeline Creation and Analysis - part 2

August 14, 2009

In the last post I talked about the tool log2timeline, and mentioned a hypothetical case that we are working on. Let's explore in further detail how we can use the tool to assist us in our analysis.

How do we go about collecting all the data that we need for the case? In this case we know that the we were called to investigate the case only hours after the alleged policy violation, so timeline can be a very valuable source. Therefore we decide to construct a timeline, using artifacts found in the system to start our investigation, so that we can examine the evidence with respect to time. By doing that we both get a better picture of the events that occurred as well as to possibly lead us to other artifacts that we need to examine closer using other tools and techniques.

To begin with you start by imaging the drive. You take an image of the C drive (first partition) and start working on the image on your analysis workstation. The first step is to create a traditional filesystem timeline you can refer to the already posted blog here. 

Or for a quick reference, you can execute the following commands to get the filesystem timeline (assuming that the image name is suspect_drive.dd):

After creating the traditional filesystem timeline we need to incorporate artifacts into it. To do that we need to mount the suspect drive, for instance by issuing this command:

mkdir /mnt/analyzemount.ntfs-3g -o ro,nodev,noexec,show_sys_files,loop /analyze/suspect_drive.dd /mnt/analyze

Now the suspect drive is mounted as a read-only so we can inspect some of the artifacts found on the system.

cd /mnt/analyze/WINDOWS/Prefetchlog2timeline -f prefetch . >> /tmp/bodyfile

We start by navigating to the Prefetch directory, which stores information about recently started programs (created to speed up boot time of those processes) and run the tool against the Prefetch directory. The output is then stored in the same bodyfile as the traditional file system timeline. Then we navigate to the user that we are taking a closer look at to examine the UserAssist (stores information about recently run processes by that user) part of the user's registry.

cd /mnt/analyze/Documents and Settings/joelog2timeline -f userassist NTUSER.DAT >> /tmp/bodyfile

Now we have incorporated information found inside a particular user in the bodyfile. Next we examine the recycle bin

cd /mnt/analyze/RECYCLERlog2timeline -f recycler INFO2 >> /tmp/bodyfile

We also want to examine restore information, that is information found inside the restore points (creation time of restore points):

cd /mnt/analyze/System Volume Information/_restore{A4195436-6BCB-468A-8B2F-BEE5EB150433}/log2timeline -f restore . >> /tmp/bodyfile

Since we are suspecting that the user Joe opened few documents we also want to examine the recent document folder of the user, so we incorporate information found inside Windows shortcut files into our case:

cd /mnt/analyze/Documents and Settings/joe/Recentls -b *.lnk | while read d; do log2timeline -f win_link "$d"; done

We also find out by examining "Program Files" folder (or by examining registry) that the Firefox browser is installed on the workstation (which is not allowed according to corporate policies). So we add Firefox history into our timeline as well.

cd /mnt/analyze/Documents and Settings/joe/Application Data/Mozilla/Firefox/Profiles/dgml8g3t.default/log2timeline -f firefox3 places.sqlite >> /tmp/bodyfile

Now we are ready to examine the timeline a little bit closer. To modify the bodyfile into a useful timeline we use the tool mactime from TSK (The SleuthKit):

mactime -b /tmp/bodyfile 2009-08-01..2009-08-05 > /tmp/timeline

And now we can start examining the timeline itself. If we look at August 04 (which is the date that the HR department gave up as a possible date) we see from the information gathered in UserAssist that the user Joe ran the browser Internet Explorer at 15:13:42, which is confirmed by update of the access time of IEXPLORE.EXE file one second later.

At 15:13:53 a Prefetch file is created for Internet Explorer and as indicated inside the Prefetch file Internet Explorer was last run at 15:13:43 (and has been run 11 times on this machine). This can be seen on the timeline below:

The tool log2timeline does not support index.dat files (at the time of this writing, although it will very soon), so for timeline analysis we have to rely on traditional file system analysis. We can see that the cookie joe@mozilla[1].txt was created at 15:14:48, suggesting that the user Joe visited the size Mozilla.org.

We then see that the user joe created the file "joe@download.mozilla[1].txt" at 15:14:49, indicating that the user may have downloaded Mozilla browser (or Firefox).

This can then be confirmed by looking in the timeline from 15:16:10 where we see that Firefox is being set up on the machine. We can then say that the user Joe has most likely installed Firefox on the machine.

Out suspicion that the user Joe had installed Firefox is then further strengthen when we see that a Firefox user profile is created at 15:16:11 inside Joe's user directory.

And if we take a look at the Prefetch folder we see that Firefox was indeed set up on this machine, since we see that "FIREFOX SETUP 3.5.2[2].EXE" was run. Firefox setup was run at 15:16:08 according to information found inside the Prefetch file.

We can then see that the Firefox browser was being run at 15:16:56 (last time it was run) and that it has been run three times. This can be seen from the Prefetch part of the timeline.

Next in the timeline we can see Firefox 3 history, glanced from the places.sqlite file. We see that when the user Joe opened up Firefox the default start page was run (the default page is Google, and since the language of the suspect machine is Icelandic, we are using the Icelandic version of Google, google.is)

We then see that the user Joe ran a Google search at 15:17:43. The search terms were: "how to delete files", hmm this might be interesting.. We then see that the user navigated to the site: "www.cybertechhelp.com/tutorial/article/how-to-delete-files-and-folders". This site has the title "How to delete files and folders" and the user navigated to this site from the site www.google.is. This can all be seen in the timeline as shown below:

We then see that the user Joe continues to read up on "how-to delete files" sites:

And some more sites (how to delete files for good):

At 15:18:27 the user Joe starts reading up on wiping software

And some more from the same site:

The user then goes to a page that seems to be related to downloading of the tool (the URL includes /download and the title of the page indicates a download site)

We then see that the user Joe has started some other activity on the machine. At 15:19:20 we see that the Windows shortcut (LNK) file "C:/Documents and Settings/joe/Recent/Very secret document.lnk". This is one of the documents that we were supposed to look for, one of the documents that the user Joe was not supposed to examine. The creation of this link indicates that the document had been opened by the user, so we examine the timeline furhter. We see from the information found inside the link file that the file points to: "C:/Documents and Settings/Administrator/My Documents/Very secret document.txt", which again strengthens our case, since this seems to be really the document in question. For further confirmation we see that the access time for this particular document was also updated at the same time as the other files were created.

We can then see from the UserAssist part of the timeline that the user Joe opened up NOTEPAD.EXE at 15:19:23 (the last time it was opened), and that the user had used this program twice. At the same time, that is at 15:19:23 we also see that the document: "C:/Documents and Settings/joe/Recent/Not to be seen document.lnk" was created. This is the other document that the HR department suspected Joe to open. The information gathered from the LNK file indicates that this file points to the document "C:/Documents and Settings/Administrator/My Documents/Not to be seen document.txt", suggesting that the user Joe opened this document as well (most likely using Notepad). Then finally we see that the Prefetch file for NOTEPAD.EXE was created at 15:19:25, indicating that notepad had been run five times on the machine, last time at 15:19:23 (the same time that the documents were opened).

We see in the Prefetch file that Notepad had been opened five times, yet the UserAssist part of Joe's registry indicates that he only opened it twice. This indicates that other users must have used Notepad as well (the other three times).

At 15:19:26 we see that a new file has been created inside the recycle bin, file called Dc1.txt. To gain further information about this file we examine the recycle bin information inside the timeline. We then see that the file (according to INFO2) "C:/Documents and Settings/Administrator/My Documents/Not to be seen document.txt" had been deleted at 15:19:29 (three seconds after the file Dc1.txt was created). Since the file Dc1.txt is created inside the folder "C:/RECYCLER/S-1-5-21-...-1004" we can be fairly certain that the user with the RID 1004 (RID is the last part of the SID, a unique ID for each user in Windows) deleted this file. If we then examine the content of the SAM file (C:/WINDOWS/system32/config/SAM) with tools such as RegRipper we see that the user joe has the user id of 1004, suggesting that the user Joe deleted the file "Not to be seen document.txt". The picture below shows the timeline from this part:

After this activity with the secret documents we see that the user Joe continued to use Firefox, now clear indications that the user is in fact downloading a wiping software (instead of just visiting sites containing download section). The user visits the site: "http://.....wipe3.exe" and the visit type is DOWNLOAD, indicating that this is in fact a download that is taking place.

We can then further confirm this suspicion by examining the timeline straight after the download took place. We then see that the file ..wipe3.exe was created inside the folder: "C:/Documents and Settings/joe/My Documents/Niðurhal/bcwipe3.exe" (Niðurhal is the Icelandic word for Download). This further suggests that it was in fact the user joe that downloaded the wiping software.

We can then see indications that the wiping software was indeed installed on the machine from the filesystem timeline.

We can then see from the Prefetch file that the software BCWIPE3.EXE was run on the machine, further suggesting that the file that the user Joe seems to have downloaded was in deed run on the machine. We can then see some temporary files created by the installation program that reside inside joe's user directory, further indicating that the user Joe really installed the software in question (there were other temporary files created inside joe's folder as well that belonged to the software bcwipe3.exe)

The final line in the timeline indicating that the user Joe installed the wiping software can be found inside the UserAssist part of the registry. We can se that the user Joe did run the lnk file: "BCWipe 3.0/BCWipe Task Manager.lnk", indicating that he ran a part of the software after installation (a task manager that comes with the software).

To sum up this little example we found out, by examining the timeline (using artifacts inside the timeline), all events take place on the 4th of August this year:

  • 15:13:43: Internet Explorer is started
  • 15:14:48: Internet Explorer is used by the user joe to visit the site "mozilla.org"
  • 15:14:49: Internet Explorer is used by the user joe to visit the site "download.mozilla.org"
  • 15:16:08: The browser Firefox is installed on the machine
  • 15:16:11: A Firefox user profile is created for the user joe
  • 15:16:56: Firefox browser is started
  • 15:17:00: User joe visits the start page of Firefox (using Firefox)
  • 15:17:43: User joe searches for "how to delete files", using Google search engine
  • User joe then reads few web pages which clearly indicate direction on how to delete files and folders
  • 15:16:11: User joe starts reading about tools that wipe files
  • 15:19:20: A shortcut file is created inside recent document history of user Joe, indicating that the file "Very secret document.txt" had been opened by the user
  • 15:19:23. The last time that the user Joe opened NOTEPAD.EXE
  • 15:19:23: A shortcut is created inside recent document history of user Joe, indicating that the file "Not to be seen document.txt" had been opened by the user joe
  • 15:19:26: The file Dc1.txt was created inside the recycle bin (inside a folder that belongs to the user joe). This file used to be named "Not to be seen document.txt" before it was moved to the recycle bin
  • 15:19:37: A wiping software is downloaded from the Internet, using Firefox (and by the user Joe)
  • 15:21:16: The wiping software is installed, leaving temporary files inside Joe's user directory, indicating that the user Joe is in fact the user that is installing the software
  • 15:21:44: The user Joe runs a software that belongs to the wiping software (UserAssist)

Although this case is very simple, and we managed to image the computer few minutes after the alleged breach of policy we can clearly see that correlating different information found inside log files and other OS artifacts can prove to very helpful in our investigations and at least point us to data that we need to examine using other techniques.

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Tags:
  • Digital Forensics and Incident Response

Related Content

Blog
DFIR_-_Advise_from_the_Trenches_-_340x340_Thumb.jpg
Digital Forensics and Incident Response
March 22, 2023
What is In a Name?
In digital forensics, the highlights come from the cases where incident response teams have proven that the threat actors were caught red-handed.
370x370_Kevin-Ripa.jpg
Kevin Ripa
read more
Blog
DFIR_-_DFIR_Origin_Stories_-_340x340_Thumb.jpg
Digital Forensics and Incident Response
March 20, 2023
DFIR Origin Stories - Kat Hedley
Digital Forensics and Incident Response (DFIR) called to Kat Hedley as soon as she first entered the workforce.
DFIR_ICON_(1).PNG
SANS DFIR
read more
Blog
Untitled_design-43.png
Digital Forensics and Incident Response, Cybersecurity and IT Essentials, Industrial Control Systems Security, Purple Team, Open-Source Intelligence (OSINT), Penetration Testing and Red Teaming, Cyber Defense, Cloud Security, Security Management, Legal, and Audit
December 8, 2021
Good News: SANS Virtual Summits Will Remain FREE for the Community in 2022
They’re virtual. They’re global. They’re free.
370x370-person-placeholder.png
Emily Blades
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • © 2023 SANS™ Institute
  • Privacy Policy
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn