Reading Room

Free and Open Source Software

Featuring 12 Papers as of May 6, 2021

  • ExcavationPack: A Framework for Processing Data Dumps Graduate Student Research
    by TJ Nicholls - May 6, 2021 

    Data dumped online from breaches is rich with information but can be challenging to process. The data is often unstructured and littered with different data types. This research presents a framework using Docker containers to process unstructured data. The container-focused approach enables flexible and effective data processing strategies, horizontal scaling of resources, and future growth. Security professionals using this framework will be able to identify points of interest in data dumps.

  • Improving Analyst Efficiency in Office365 Business Email Compromise Investigation Scenarios Through the Implementation of Open Source Tools Graduate Student Research
    by Aaron Elyard - June 25, 2020 

    Working within Microsoft’s browser-based O365 Graphical User Interface (GUI) can be challenging for DFIR practitioners when time is of the essence. PowerShell-based cmdlets are often preferred due to their flexibility, speed, and efficiency compared to a browser-based approach. However, in his professional career, the author has observed that more junior analysts may not feel comfortable using command line tools. Additionally, they may not have devoted the appropriate time to learning the various options needed to obtain the data they need for their investigations. This paper explores a tool the author created to bridge the gap between the browser-based GUI and raw PowerShell. It examines the impact of the use of such a tool on the analyst’s efficiency, measured in the number of interactive actions an analyst must take.

  • PyFunnels: Data Normalization for InfoSec Workflows Graduate Student Research
    by TJ Nicholls - February 1, 2019 

    Information security professionals cannot afford delays in their workflow due to the challenge of integrating data. For example, when data is gathered using multiple tools, the varying output formats must be normalized before automation can occur. This research details a Python library to normalize output from industry standard tools and act as a consolidation point for that functionality. Information security professionals should collaborate using a centralized resource that facilitates easy access to output data. Doing so will bypass extraneous tasks and jump straight to the application of practical data.

  • Shell Scripting for Reconnaissance and Incident Response by Mark Gray - January 25, 2019 

    It has been said that scripting is a process with three distinct phases: identification of a problem and its solution, implementation, and maintenance. By applying an analytical mindset, anyone can create reusable, easily maintainable scripts that automate the redundant and tedious tasks of a daily workflow. This paper serves as an introduction to the common structure and various uses of shell scripts, methods for observing script execution, how shells operate, and how commands are found and executed. It also covers how to apply functions, control structures, and variables to increase the readability and maintainability of scripts. Best practices for system and network reconnaissance, as well as incident response, are provided; the examples demonstrate the use of shell scripting as an alternative to implementing similar functionality in more intricate programming languages.

  • Auto-Nuke It from Orbit: A Framework for Critical Security Control Automation Graduate Student Research
    by Jeremiah Hainly - March 15, 2017 

    Over 83% of security teams report that the use of automation in security needs to increase within the next three years (Algosec, 2016). With automation becoming a reality for a growing number of companies, there will also be an increased demand for open-sourced scripts to get started. This paper will provide a framework for prioritizing and developing security automation and will demonstrate this process by creating a script to automate a common information security response procedure - the reimaging of an infected endpoint. The primary function of the script will be to access the application program interface (API) of various enterprise software solutions to speed up the manual tasks involved in performing a reimage.

  • Full Packet Capture Infrastructure Based on Docker Containers Graduate Student Research
    by Mauricio Espinosa Gomez - May 6, 2016 

    In today’s world, it is common to hear news about organizations being breached by malicious actors, even in highly protected environments; the risk of being exploited is always present. Once an incident has occurred, a full packet capture provides invaluable information to effectively backtrack the event in question.

  • ISE6100 GIAC Enterprises Final Lessons Learned Graduate Student Research
    by - April 29, 2016 

    The following is Lessons Learned from the ISE 6100 project which commenced on March 22nd 2016. The objective of this project was to evaluate, select, and implement an open source Security Information and Event Management (SIEM) solution for the fictional corporation known as GIAC Enterprises. GIAC Enterprises is in the business of collecting fortunes from direct employees and contractors. These fortunes are GIAC Enterprises intellectual property. The ideal SIEM will enhance the detective capacity of GIAC Enterprises.

  • ISE6100 GIAC Enterprises Final Presentation Graduate Student Research
    by - April 29, 2016 

  • ISE6100 GIAC Enterprises Final Step By Step Description Graduate Student Research
    by Alyssa Robinson, David Fletcher, and Wes Whitteker - April 29, 2016 

    GIAC Enterprises, a small to medium size business, has grown to a point where their current manual log analysis process is no longer efficient or effective. As such, GIAC Enterprises was forced to look for a SIEM solution that automates the correlation and analysis of system logs. GIAC Enterprises had a significant financial constraint, which required them to focus their investigation on several open source solution options. After investigation, GIAC Enterprises settled on AlienVault’s OSSIM product for their solution. The result of this research is the following OSSIM implementation guide.

  • ISE6100 GIAC Enterprises - Open Source SIEM - Read Me First Graduate Student Research
    by - April 29, 2016 

    Foreword by Stephen Northcutt. Three students from the SANS Technology Institute (Alyssa Robinson, David Fletcher, and Wes Whitteker) were assigned the following project for their ISE-M 6100 coursework. There are three files: a Step by Step, a presentation, and a Lessons Learned document.

  • Security through Configuration Control at Scale – An Introduction to Ansible Graduate Student Research
    by Patrick Neise - February 4, 2016 

    As new technologies and concepts are developed there is usually a noticeable change in the use and employment of existing technologies. For example, there is a current growth trend of concepts such as cloud computing, the merging of development and operations (DevOps), microservice based architectures, agile development, and continuous integration.

  • Security Systems Engineering Approach in Evaluating Commercial and Open Source Software Products Graduate Student Research
    by Jesus Abelarde - January 29, 2016 

    Almost all systems currently in development leverage some type of commercial and/or free open source software (FOSS), either in the development environment or integrated into the system.
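The abstract for "Shell Scripting for Reconnaissance and Incident Response" (Gray, 2019) lists the building blocks the paper covers: variables, functions, control structures, how the shell finds commands, and how to observe a script as it runs. The script below is an added example written for this page, not code from Gray's paper or from SANS; it pulls those pieces together into a small incident-response triage routine. Its inputs (a stand-in for /etc/passwd and for `ss -tlnpH` output) and the baseline list of allowed listening ports are constructed assumptions, so the script runs offline; on a suspect host you would feed the functions the real files and command output instead.

```shell
#!/bin/sh
# Added example, not code from the paper: a small incident-response triage
# script built from the pieces the abstract lists (variables, functions,
# control structures) plus a look at how the shell locates commands.
# All input is constructed sample data embedded here so it runs offline;
# on a suspect host you would feed the functions /etc/passwd and the output
# of `ss -tlnpH` instead.  Run with `sh -x triage.sh` to trace execution.

# Constructed stand-in for /etc/passwd on a suspect host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second uid 0:/root:/bin/bash
svc_deploy:x:1001:1001::/home/svc_deploy:/bin/bash'

# Constructed stand-in for `ss -tlnpH` (state, recv-q, send-q, local, peer, process).
SAMPLE_LISTEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1033,fd=21))
LISTEN 0 5 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=4711,fd=3))'

# Hypothetical baseline: ports the build standard allows to listen on all interfaces.
EXPECTED_PORTS="22 80 443"

# How commands are found: `command -v` resolves a name through builtins, functions
# and $PATH exactly as the shell does before executing it, so it doubles as a
# dependency check. Reports each missing tool on stderr; returns 0 only if all exist.
require_tools() {
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf 'missing tool: %s\n' "$tool" >&2
            missing=1
        fi
    done
    return "$missing"
}

# UID 0 accounts other than root, a classic persistence indicator.
# Reads passwd-format text on stdin, prints one username per line.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts that can log in interactively (shell is not nologin/false), for review.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Sockets listening on all interfaces on a port outside the baseline.
# Reads ss-style lines on stdin; prints "<port> <process>" per finding.
unexpected_listeners() {
    while read -r state recvq sendq laddr raddr proc; do
        [ "$state" = "LISTEN" ] || continue
        case "$laddr" in
            0.0.0.0:*|\*:*|'[::]:'*) port=${laddr##*:} ;;
            *) continue ;;   # loopback or a specific address: out of scope here
        esac
        allowed=0
        for p in $EXPECTED_PORTS; do
            if [ "$p" = "$port" ]; then allowed=1; break; fi
        done
        if [ "$allowed" -eq 0 ]; then
            # Pull the process name out of users:(("name",pid=...,fd=...)).
            name=$(printf '%s\n' "$proc" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
            printf '%s %s\n' "$port" "${name:-unknown}"
        fi
    done
}

# Driver: check dependencies, then run each check over the sample data.
triage() {
    require_tools awk sed || return 2
    printf '== extra UID 0 accounts ==\n'
    printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
    printf '== interactive accounts ==\n'
    printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
    printf '== unexpected listeners ==\n'
    printf '%s\n' "$SAMPLE_LISTEN" | unexpected_listeners
}

triage
```

Each check is a function that reads stdin and writes one finding per line, so the same functions work on the embedded samples, on a live host (`unexpected_listeners < <(ss -tlnpH)` in bash, or `ss -tlnpH | unexpected_listeners`), or on evidence files collected from another machine. The sample data is deliberately seeded with a second UID 0 account (`toor`) and a netcat listener on 4444 so that the output shows what a hit looks like.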

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.