Featuring 50 Papers as of September 25, 2015
Forensic Analysis of Industrial Control Systems
by Lewis Folkerth - September 25, 2015
Industrial Control Systems (ICS) contribute to our safety and convenience every day, yet remain unseen and unnoticed. From oil refineries to traffic lights, from the elevators we ride to the electric power plants that keep our lights on, they provide the control and monitoring for our essential services. ICS have served reliably for decades, but a changing technological environment is exposing them to risks they were not designed to handle. Internet connectivity, vulnerability assessment tools, and attacks by criminal and nation-state organizations are part of this changing picture. Along with this higher-risk environment comes the certainty that some of our ICS will be compromised. In order to prevent recurring attacks, security professionals must be able to discover where the compromise originated, how it was carried out, and, if possible, who was responsible. Many types of ICS run on proprietary hardware, so commonly accepted forensic techniques must be adapted for use in an ICS environment. In order to detect a compromise, baseline configurations should be documented. Networks should be monitored for unauthorized access and activity. In addition, a response plan should be in place to maintain service and streamline recovery. Techniques for forensic analysis were adapted and tested on live ICS, resulting in recommendations for successful detection and recovery after an incident. With adequate preparation and the appropriate response planning and execution, it is possible to successfully perform a forensic analysis for an ICS compromise.
A Network Analysis of a Web Server Compromise
by Kiel Wadner - September 8, 2015
Through the analysis of a known scenario, the reader will be given the opportunity to explore a website being compromised. From the initial reconnaissance to gaining root access, each step is viewed at the network level. The benefit of a known scenario is assumptions about the attackers reasons are avoided, allowing focus to remain on the technical details of the attack. Steps such as file extraction, timing analysis and reverse engineering an encrypted C2 channel are covered.
Forensic Timeline Analysis using Wireshark GIAC (GCFA) Gold Certification
by David Fletcher - August 10, 2015
The objective of this paper is to demonstrate analysis of timeline evidence using the Wireshark protocol analyzer. To accomplish this, sample timelines will be generated using tools from The Sleuth Kit (TSK) as well as Log2Timeline. The sample timelines will then be converted into Packet Capture (PCAP) format. Once in this format, Wireshark's native analysis capabilities will be demonstrated in the context of forensic timeline analysis. The underlying hypothesis is that Wireshark can provide a suitable interface for enhancing analyst's ability. This is accomplished through use of built-in features such as analysis profiles, filtering, colorization, marking, and annotation.
Coding For Incident Response: Solving the Language Dilemma
by Shelly Giesbrecht - July 28, 2015
Incident responders frequently are faced with the reality of "doing more with less" due to budget or manpower deficits. The ability to write scripts from scratch or modify the code of others to solve a problem or find data in a data "haystack" are necessary skills in a responder's personal toolkit. The question for IR practitioners is what language should they learn that will be the most useful in their work? In this paper, we will examine several coding languages used in writing tools and scripts used for incident response including Perl, Python, C#, PowerShell and Go. In addition, we will discuss why one language may be more helpful than another depending on the use-case, and look at examples of code for each language.
Using windows crash dumps for remote incident identification
by Zong Fu Chua - June 16, 2015
With the proliferation of defense mechanisms built into Windows Operating System,, such as ASLR, DEP, and SEHOP, it is getting more difficult for malware to successfully exploit it.
IDS File Forensics
by George Khalil - May 13, 2015
Attackers usually follow an attack framework in order to breach an organization's computer network infrastructure. In response, forensic analysts are tasked with identifying files, data and tools accessed during a breach.
Using Sysmon to Enrich Security Onion's Host-Level Capabilities
by Josh Brower - March 27, 2015
In 2003, Gartner declared Intrusion Detection Systems as a market failure primarily because of the high false positives and negatives, and the significant amount of time and resources needed to monitor and validate alerts.
Windows Phone 8 Forensic Artifacts
by Cynthia Murphy, Adrian Leong, Maggie Gaffney, Shafik G. Punja, JoAnn Gibb, Brian McGarry - February 20, 2015
Because of the fast pace of change of mobile device technologies and operating systems, there are times when a newer mobile device which is unsupported or only partially supported by commercial mobile forensic tools for data extraction and parsing must be examined in the course of a criminal investigation, with the end goal being the extraction of digital evidence for use in court.
Analyzing Man-in-the-Browser (MITB) Attacks
by Chris Cain - January 12, 2015
Malware today has become the method of choice to attack financial institutions. With the ease of use and ability for criminals to cover their tracks, this has been the way to rob banks without the need for a getaway car. Attackers are finding new and complex methods in which to carry out attacks. One of these vectors is a Man-in-the-Browser (MITB) attack.
Let's face it, you are probably compromised. What next?
by Jonathan Thyer - December 15, 2014
Over the past several years, the information technology industry has dramatically shifted from a desktop workstation centric, corporate owned computing asset model to a model of performing business processing tasks from anywhere with any capable device. This is evident through the dramatic increase in tablet, and smartphone use by organizational employees, and demand of employees to be able to use their own devices to manage daily business tasks.
Intelligence-Driven Incident Response with YARA
by Ricardo Dias - October 20, 2014
The concept of threat intelligence is gaining momentum in the cyber-security arena. As targeted attacks increase in number and sophistication, organizations are beginning to develop and integrate the concept of threat intelligence into their cyber-defensive strategies. By doing so, organizations are taking the next step forward to respond to cyber-attacks. Recent threat reports reveal promising results.
Reducing the Catch: Fighting Spear-Phishing in a Large Organization
by Joel Anderson - October 20, 2014
The phishing problem isn't new. Over 150 years ago, Charles Dickens wrote a passionate and witty letter about fraudsters of his day who, like Nigerian 419 scammers today, preyed upon the generosity and gullibility of well-meaning folk. The differences in our time are that of scale and scope, as the perpetrators have taken on seven league boots and covered continents with their shameless appeals.
An Analysis of Meterpreter during Post-Exploitation
by Kiel Wadner - October 14, 2014
Much has been written about using the Metasploit Framework to gain access to systems, utilizing exploits, and the post-exploitation modules. What has received less attention is how they work, what they actually do on the system and how it can be detected. That is the focus of this research paper.
Forensicator FATE - From Artisan To Engineer
by Barry Anderson - October 13, 2014
The SANS Investigative Forensic Toolkit (SIFT) is an awesome set of (free!) tools for the forensics professional. Using these tools effectively however can be overwhelming, especially in the case of a large complex case such as an APT intrusion.
Forensic Images: For Your Viewing Pleasure
by Sally Vandeven - September 19, 2014
Digital forensic investigations often involve creating and examining disk images. A disk image is a bit-for-bit copy of a full disk or a single partition from a disk. Because the contents of a disk are constantly changing on a running system, disk images are often created following an intrusion or incident to preserve the state of a disk at a particular point in time.
Creating a Baseline of Process Activity for Memory Forensics
by Gordon Fraser - August 27, 2014
SANS's Advanced Forensic Analysis and Incident Response course (Lee & Tilbury, 2013) defines a process for the examination of memory to identify indicators of compromise.
A Journey into Litecoin Forensic Artifacts
by Daniel Piggott - June 3, 2014
Litecoin is a virtual peer-to-peer currency.
Automation of Report and Timeline-file based file and URL analysis
by Florian Eichelberger - May 6, 2014
The proposed solution tries to lessen the burden of manually processing timeline-based logfiles and automating the classification of both files and URLs.
Windows ShellBag Forensics in Depth
by Vincent Lo - April 14, 2014
Microsoft Windows records the view preferences of folders and Desktop.
Repurposing Network Tools to Inspect File Systems
by Andre Thibault - February 27, 2014
Digital forensics can be a laborious and multi-step process. Some of the initial steps in digital forensics include: Data Reduction, Anti-Virus checks, and an Indicator of Compromise (IOC) search.
Review of Windows 7 as a Malware Analysis Environment
by Adam Kramer - January 9, 2014
The SANS course "FOR610: Reverse Engineering of Malware" is designed using Windows XP as the malware analysis environment (SANS Institute, 2013).
Live Response Using PowerShell
by Sajeev Nair - August 19, 2013
Organizations today handle more sensitive personal data than ever before. As the amount of sensitive personal data increases, the more they are susceptible to security incidents and breaches (AICPA, n.d).
The SANS Survey of Digital Forensics and Incident Response
by Paul Henry, Jacob Williams, and Benjamin Wright - July 18, 2013
- Associated Webcasts: Digital Forensics in Modern Times: A SANS Survey
- Sponsored By: Guidance Software FireEye Bit9 + Carbon Black Cellebrite
2013 Digital Forensics Survey to identify the nontraditional areas where digital forensics techniques are used.
Dead Linux Machines Do Tell Tales
by James Fung - May 15, 2013
A summary study of a compromised Linux network and the incident handling procedures that followed.
by Joaquin Moreno - April 29, 2013
During the analysis of all the available data that are logged, organizations must be able to identify which portions of this information are actionable and pertinent.
Using IOC (Indicators of Compromise) in Malware Forensics
by Hun-Ya Lock - April 17, 2013
In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.
Indicators of Compromise in Memory Forensics
by Chad Robertson - March 21, 2013
There has been a recent increase in the availability of intelligence related to malware.
Windows Logon Forensics
by Sunil Gupta - March 12, 2013
Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
Forensic Analysis on iOS Devices
by Tim Proffitt - January 25, 2013
Technology in smart phones and tablets is advancing in a feverish pace.
A Regular Expression Search Primer for Forensic Analysts
by Tim Cook - April 24, 2012
This paper introduces some of the powerful ASCII pattern identification and manipulation tools that are available to Forensic Analysts from the command line of the Linux Operating System of the SANS Investigative Forensic Toolkit (SIFT) Workstation.
What's in a Name: Uncover the Meaning behind Windows Files and Processes
by Larisa Long - February 7, 2012
When a system has been compromised, forensic analysts have to be part researcher and part investigator. They must be able to parse out known or healthy files to eliminate them as possible clues. Like the old saying goes: know what you don‟t know, but know where to find the answers.
iPhone Backup Files. A Penetration Tester's Treasure
by Darren Manners - February 7, 2012
One of the noticeable changes in recent technology history is the emergence of the smart phone. Technological advances in these fields have created devices that have almost the equivalent power and functionality of desktop computers.
Computer Forensic Timeline Analysis with Tapestry
by Derek Edwards - November 29, 2011
One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.
Identifying Malicious Code Infections Out of Network
by Ken Dunham - August 29, 2011
Forensics is a complex subject, where details matter greatly. Even more complicated are investigations where forensic methods are used to further understand, identify, capture, and mature and understanding of a malicious attack that may have taken place on a computer.
Wireless Networks and the Windows Registry - Just where has your computer been?
by Jonathan Risto - May 6, 2011
The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user configuring settings and installed software.
Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis
by T.J. OConnor - September 13, 2010
Forensics tools exist in abundance on the Web. Want to find a tool to dump the Windows SAM database out of volatile memory? Google and you will quickly find out that it exists. Want to mount and examine the contents of an iPhone backup? A tool exists to solve that problem as well. But what happens when a tool does not already exist? Anyone who has recently performed a forensic investigation knows that you are often left with a sense of frustration, knowing data existed only you had a tool that could access it.
Integrating Forensic Investigation Methodology into eDiscovery
by Colin Chisholm - September 7, 2010
The intent of this paper is twofold; to provide a primer on the eDiscovery process for forensic analysts and to provide guidance on the application of forensic investigative methodology to said process. Even though security practitioners such as forensic analysts operate in the legal vertical, they necessarily view and approach eDiscovery from a different perspective than legal professionals. This paper proposes that both parties can benefit when they integrate their processes; forensic tools and techniques have been used in the collection, analysis and presentation of evidence in the legal system for years. The history, and precedent, of applying forensic science to the legal process can be leveraged into the eDiscovery process. This paper will also detail how the scope and work for a forensic investigator during the eDiscovery process differs from a typical forensic investigation.
Remotely Accessing Sensitive Resources
by Jason Ragland - February 18, 2010
Often travelers require access to digital resources to perform work from off-site locations such as conferences, hotels, and homes. These resources can include emails, research, medical, financial data, server management applications, or any number of other things that may have a very high need for confidentiality and integrity. The acceptable methods for access vary based on a variety of factors such as size, complexity, available types of network connectivity, and bandwidth. Access to email is often easily provided via a secure website and a password, for example. If the resource consists of gigabytes of research data, it isnt as simple.
Reverse Engineering the Microsoft exFAT File System
by Robert Shullich - February 18, 2010
As Technology pushes the limits of removable media - so drives the need for a new file system in order to support the larger capacities and faster access speeds being designed. Microsoft's answer to this need is the new Extended FAT File System (exFAT) which has been made available on its newer operating systems and which will be supported on the new secure digital extended capacity (SDXC) storage media. This new file system is proprietary and requires licensing from Microsoft and little has been published about exFAT's internals. Yet in order to perform a full and proper digital forensics examination of the media, the file system layout and organization must be known. This paper takes a look under the hood of exFAT and demystifies the file system structure in order to be an aid in the performance of a digital investigation.
Mac OS X Malware Analysis
by Joel Yonts - September 2, 2009
As Apple's market share raises so will the Malware! Will incident responders be ready to address this rising threat? Leveraging the knowledge and experience from the mature windows based malware analysis environment, a roadmap will be built that will equip those already familiar with malware analysis to make the transition to the Mac OS X platform. Topics covered will include analysis of filesystem events, network traffic capture & analysis, live response tools, and examination of OS X constructs such as executable file structure and supporting configuration files.
Techniques and Tools for Recovering and Analyzing Data from Volatile Memory
by Kristine Amari - March 26, 2009
There are many relatively new tools available that have been developed in order to recover and dissect the information that can be gleaned from volatile memory, but because this is a relatively new and fast-growing field many forensic analysts do not know or take advantage of these assets.
Data Carving Concepts
by Antonio Merola - November 19, 2008
The idea behind this paper is to help people become familiar with data carving concepts and analysis techniques.
Mobile Device Forensics
by Andrew Martin - September 5, 2008
This research paper will document in detail the methodology used to examine mobile electronic devices for the data critical to security investigations. The methodology encompasses the tools, techniques and procedures needed to gather data from a variety of common devices.
A Forensic Primer for Usenet Evidence
by Mark Lachniet - June 25, 2008
This document is intended to provide an overview of the Usenet on the Internet, including the NNTP protocol and types of evidence of Usenet abuse that may be present on permanent storage devices such as hard disks and flash drives.
Ex-Tip: An Extensible Timeline Analysis Framework in Perl
by Michael Cloppert - May 21, 2008
Digital forensic investigative needs extend well beyond the capabilities provided by classic timeline generation and analysis tools. In this paper, a simple, extensible, and portable timeline framework is discussed in detail. Dubbed Ex-Tip, it is shown that this tool can be used to provide basic timeline capabilities to any variety of input sources, with customizable output for human or programmatic consumption.
Taking advantage of Ext3 journaling file system in a forensic investigation
by Gregorio Narvaez - December 11, 2007
The Ext3 file system has become the default for most Linux distributions and thus is of great importance for any practitioner of forensics to understand how Ext3 handles files differently from the previous standard (Ext2) and how the knowledge of these differences can be applied to recover evidence as deleted files, and file activity.
Forensic Analysis of a SQL Server 2005 Database Server
by Kevvie Fowler - September 28, 2007
In-depth analysis of a forensic analysis of a SQL Server 2005 Database Server.
Forensic Analysis of a Compromised Intranet Server
by Roberto Obialero - June 8, 2006
This document details the forensic analysis process of a compromised Intranet server, from the verification stage to the dissection of malware code, supported by an explanation of the followed methodology.
Becoming a Forensic Investigator
by Mark Maher - August 15, 2004
One of the forensic analyst's primary functions is the dissemination of the forensic process to the intended audience. To do their jobs successfully, they must write forensic reports that are both technically accurate and easy to read.
A Case for Forensics Tools in Cross-Domain Data Transfers
by Dwane Knott - July 14, 2003
Corporate and government organizations dependence on computers and networks for storage and movement of data raises significant security issues. This paper presents three options, the most practical is more fully discussed.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.