
Reading Room

Featuring 107 Papers as of May 6, 2021

  • Staying Invisible: Analyzing Private Browsing and Anti-forensics on Mac OS X SANS.edu Graduate Student Research
    by Rick Schroeder - May 6, 2021 

    The increasing desire to protect personal information has resulted in enhanced privacy features in web browsers. Private browsing modes combined with the growing popularity of disk cleaning tools present a problem for forensic analysts. The increase in privacy features results in a reduction of forensic evidence on the suspect system. This added complexity makes it difficult for an investigator to determine which websites were browsed by the suspect. When the primary sources of forensic evidence are tampered with, it is necessary to identify secondary sources. In Windows-based investigations, secondary evidence is often discovered within hibernation files, operating system artifacts, or error logs. Digital forensic analysts require similar files in macOS. They need to understand how and when logs are written. Identifying and understanding secondary sources of evidence is essential for an analyst to support the details of their case.

  • Identifying the Android Operating System Version thru UsageStats by Alexis Brignoni - April 28, 2021 

    Locating the Android operating system version within a digital forensic extraction is necessary to properly apply operating system specific domain knowledge when parsing the data for forensic artifacts. Most automated tools that parse Android full file system extractions depend on the /system/build.prop file to determine the Android version among other device identifiers. Due to how variable Android implementations are regarding access to the data source a build.prop file might not be available in a particular forensic extraction. Is there a way to determine the Android version of an extraction by only looking at the userdata directory? The answer is yes. This was useful to me since some of my digital forensics tooling for Android extractions would benefit from programmatically identifying the Android version when a build.props file is not available.

  • Contextualizing the MITRE ATT&CK Framework Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - April 27, 2021 

    Getting the right data to test security controls effectively is easier said than done. Too often, organizations are testing attacker techniques without the context necessary to build effective security control tests. While the MITRE ATT&CK framework provides useful information, when used in conjunction with threat intel reports it can provide a deeper understanding of how, why, and when attackers may abuse a technique. Using real-world examples, this paper shows you how to build efficient, life cycle-appropriate tests that identify visibility gaps and more in order to improve your defenses.

  • Missing SQLite Records Analysis by Shafik G. Punja and Ian Whiffin - March 12, 2021 

    This article will specifically discuss the identification of missing records, within the SQLite database in its use as an application file format. The various analysis tools that will be used to analyze missing records within SQLite databases will be noted throughout the article. The authors are working from the premise that recovery of deleted, partially recoverable, or wholly intact recoverable records, is no longer viable. What will not be covered is the explanation on the various methods to recover deleted records. For that we direct you to the only textbook on this subject authored in 2018 by Paul Sanderson, titled, SQLite Forensics.

  • Insider Threat The Theft of Intellectual Property in Windows 10 by Eduard Du Plessis - March 11, 2021 

    The prevalence of the theft of intellectual property investigations has grown over the past years, and when investigated it will most likely be on a Windows 10 machine. It is important to have a clear framework on how to approach and execute such an investigation accurately and timeously. In this paper we will identify and analyse important Windows 10 artefacts that will reveal the user, the files and folders opened, applications used, and the location of the files and folders. These artefacts are LNK (Link) Files, Jump Lists, Shell Bags, Prefetch files, USB connections and Network Mappings. We will demonstrate how to acquire and analyse these artefacts using a set of lightweight and powerful digital forensic software tools that are also affordable. The reader will find that by systematically analysing and correlating artefact events a timeline can be built that tells a story.

  • A Forensic Analysis of the Encrypting File System by Ramprasad Ramshankar - February 24, 2021 

    EFS or the Encrypting File System is a feature of the New Technology File System (NTFS). EFS provides the technology for a user to transparently encrypt and decrypt files. Since its introduction in Windows 2000, EFS has evolved over the years. Today, EFS is one of the building blocks of Windows Information Protection (WIP) - a feature that protects against data leakage in an enterprise environment (DulceMontemayor et al., 2019). From the attacker's perspective, since EFS provides out-of-the-box encryption capabilities, it can also be leveraged by ransomware. In January 2020, SafeBreach labs demonstrated that EFS could be successfully used by ransomware to encrypt files and avoid endpoint detection software (Klein A., 2020). The purpose of this paper is to provide security professionals with a better understanding of artifacts generated by EFS and recovery considerations for EFS encrypted files.

  • Practical Process Analysis – Automating Process Log Analysis with PowerShell by Matthew Moore - December 29, 2020 

    Windows event log analysis is an important and often time-consuming part of endpoint forensics. Deep diving into user logins, process analysis, and PowerShell/WMI activity can take significant time, even with current tools. Additionally, while utilities exist to automatically parse out various Windows logs, most of them do not include any native analytical functionality outside of the ability to manually filter on certain strings or event IDs. Windows' native scripting solution, PowerShell, combined with Microsoft's Log Parser utility, allowed for several scripts to be created with a focus on process creation and analysis. These scripts can detect processes spawning from unusual locations, processes that exist outside of a baseline 'Allow List', or processes that might otherwise appear to be normal but are actually anomalous. These scripts complement other current tools such as KAPE or Kansa, allowing for automated analysis of the data gathered.

  • Automating Google Workspace Incident Response SANS.edu Graduate Student Research
    by Megan Roddie - December 16, 2020 

    Incident responders require a toolset and resources that allow them to efficiently investigate malicious activity. In the case of Google Workspace, there are an increasing number of subscribers, but resources to assist in the analysis of security incidents are lacking. The goal of this research is to develop a tool that expands on Google’s default administrative capabilities with the intent of providing value to incident responders. Through providing both additional context and purposeful views, incident responders can more quickly identify malicious activity and respond accordingly.

  • Ubuntu Artifacts Generated by the Gnome Desktop Environment SANS.edu Graduate Student Research
    by Brian Nishida - December 16, 2020 

    This research identifies Gnome Desktop Environment (GDE) artifacts and demonstrates their utility in Linux forensic examinations. The classic Linux forensic examination is tailored to computer intrusions of victim servers because the enterprise's critical Linux systems are typically web servers, mail servers, and database servers. However, the emphasis on intrusions and servers has two shortcomings. First, in addition to network intrusions, digital forensic labs examine specimens from various investigations: e.g., child exploitation, homicide, and financial crimes, to name a few. Second, the majority of Linux users run GUI-based desktop versions rather than command-line server versions. In these cases, the GDE may be used to install applications, run applications, open files, join Wi-Fi networks, and upload files. These point-and-click actions have been overlooked in the classic Linux examination; therefore, they will be explored in this research. Lastly, the importance of these GDE artifacts will be demonstrated in three practical scenarios.

  • Is it Ever Really Gone? The Impact of Private Browsing and Anti-Forensic Tools SANS.edu Graduate Student Research
    by Rick Schroeder - December 9, 2020 

    Digital forensics analysts are tasked with identifying which websites a user visited. Several factors determine the level of difficulty this poses for the forensic analyst. Network-based security tools, such as web content filters, provide a quick and easy look at a user’s browsing history. When network-based tools aren’t available forensic analysts rely on artifacts that reside on the hard drive to paint the picture of user activity and answer questions involving browsing history. These artifacts can be deleted or tampered with, removing key pieces of evidence from the system. Although this adds a layer of complexity to the investigation, it does not end the investigation. Analysts should employ multiple methods to recover evidence. Information from web browsing sessions is often written to more than one location. Knowing where to find that data and how to interpret it will add value and credibility to an investigation. Digital forensic analysts need to think outside the box and perform in-depth analysis to complete an investigation involving a private browsing mode.

  • Reverse Engineering Virtual Machine File System 6 (VMFS 6) SANS.edu Graduate Student Research
    by Michael Smith - November 19, 2020 

    Virtual Machine File System (VMFS) 6 is a proprietary file system. The file system’s proprietary nature means that many forensic applications are unable to parse the file system. There is a lack of support because proprietary file systems do not have to follow an accepted standard and can make modifications that break forensic tools with any release. This instability means that maintaining parsers for these file systems can become costly very quickly. This vacuum of support for proprietary file systems has created an opportunity for open-source utilities to grow in ways that support parsing these file systems. Skilled forensic examiners scour the open-source community and publicly available research for parsers and digital artifacts analyses when they encounter file systems or files unsupported by large forensic applications. The goal of this research is two-fold. First, to increase the understanding of VMFS 6 with its myriad digital artifacts. Second, to conclusively determine the recoverability of a deleted file.

  • Examining Sysmon's Effectiveness as an EDR Solution SANS.edu Graduate Student Research
    by Christian Vrescak - July 17, 2020 

    In today’s cyber threat landscape, investigators and incident responders are often outmatched against their adversaries due to a lack of endpoint visibility. This deficiency leads to false negatives leaving defenders and organizations at the mercy of attackers. To solve this problem, Endpoint Detection & Response (EDR) tools were created to provide endpoint visibility and arm defenders against their attackers (CrowdStrike, 2019). While these tools are a difference-maker for defenders, the cost of commercial offerings can put them out of reach for many organizations (Infocyte, 2020). Microsoft Sysinternals Sysmon, a free EDR tool, collects detailed information about system activity, including process creations, network connections, file creations, and much more (Russinovich, M. & Garnier, T., 2020). This paper examines the effectiveness of Sysmon as a free EDR tool in providing sufficient visibility into Windows endpoint activity to detect and forensicate attacker techniques such as those listed in MITRE’s ATT&CK knowledge base.

  • Mission Implausible: Defeating Plausible Deniability with Digital Forensics SANS.edu Graduate Student Research
    by Michael Smith - April 2, 2020 

    The goal of plausible deniability is to hide potentially sensitive information while maintaining the appearance of compliance. In simple terms, it is granting someone access to a safe but keeping items of real value successfully hidden in a false bottom. Encryption platforms such as VeraCrypt and TrueCrypt achieve this goal in the digital realm using nested encryption. This nesting typically takes one of two forms; a deniable file system or a deniable operating system (OS). The deniable file system uses the interior of an encrypted container to mask its presence, akin to the false bottom to the safe analogy. The deniable operating system uses an encrypted bootable partition to mask the presence of a second OS, much like a safe that reveals a different compartment based on how a key turns in the lock. The use of encryption to create a scenario for plausible deniability presents a significant threat to the success of law enforcement and digital forensic professionals. Performing registry analysis and digital forensics is the metaphorical equivalent of using a magnifying glass to look for clues inside the safe with a false bottom or a key-based compartment. When forensics is successful in revealing clues of a deniable file system, it effectively defeats the case for plausible deniability. The goal of this research is to explore the digital forensics metaphorical equivalent of such clues.

  • Threat Hunting and Incident Response in a post-compromised environment by Rukhsar Khan - December 3, 2019 

    If you give an attacker 100 days to move freely in your compromised environment, the evidence is reasonably strong that your organization is pretty bad at Security Operations (The future of Security Operations). However, repeatedly sending false-positive breach escalations to the forensic team is also problematic. It happens in a lot of large organizations, banks, and government institutions across the globe. This paper starts with an overview of current significant problems identified in Security Operations and Digital Forensics and Incident Response (DFIR) teams and the reasons behind them. Then, we will discuss the solution that encompasses the MITRE ATT&CK framework (MITRE ATT&CK) along with robust Cyber Threat Intelligence (CTI). Appropriate data collection sources for data enrichment, including all cyber security threat information expressed in the STIX language, will also be covered. Although the solution includes specific commercial and non-commercial products and tools from various vendors and organizations, we are not necessarily in favor of any. The core implementation of the MITRE ATT&CK framework, however, is performed in the IBM Resilient Security Orchestration, Automation, and Response (SOAR) product.

  • How to Perform a Security Investigation in AWS A SANS Whitepaper Analyst Paper (requires membership in SANS.org community)
    by Kyle Dickinson - October 30, 2019 

    Because the technologies that enable investigations in the cloud differ from those on premises, as do the levels of responsibility, organizations need to put in place a cloud-specific incident response plan. By planning out how they will perform investigations using solutions such as AWS, organizations can validate that any obligations they may have as a security organization can be met as effectively in cloud environments as they did in-house.

  • BITS Forensics SANS.edu Graduate Student Research
    by Roberto Nardella - October 14, 2019 

    The “Background Intelligent Transfer Service” (BITS) is a technology developed by Microsoft in order to manage file uploads and downloads, to and from HTTP servers and SMB shares, in a more controlled and load-balanced way. If the user starting the download were to log out of the computer, or if a network connection is lost, BITS will resume the download automatically; the capability to survive reboots makes it an ideal tool for attackers to drop malicious files onto an impacted Windows workstation, especially considering that Microsoft boxes do not have tools like “wget” or “curl” installed by default, and that web browsers (especially those in corporate environments) may have filters and plugins preventing the download of bad files. In recent years, BITS has been increasingly used not only as a means to place malicious files into targets but also to exfiltrate data from compromised computers. This paper shows how BITS can be used for malicious purposes and examines the traces left by its usage in network traffic, hard disk and RAM. The purpose of this research is also to compare the eventual findings that can surface from each type of examination (network traffic examination, hard disk examination and RAM examination) and highlight the limitations of each analysis type.

  • The Value of Contemporaneous Notes and Why They Are a Requirement for Security Professionals by Seth Enoka - September 30, 2019 

    Contemporaneous notes, or notes taken as soon as practicable after an event or action takes place, are invaluable to analysts in security roles performing activities such as digital forensics and incident response. There are various situations where contemporaneous notes provide a disproportionate return on time invested. However, there is no standard which defines the minimum information to record or indicates why every analyst should create some form of contemporaneous notes, whether in the civil or criminal domain. Timestamping, “write-once” versus write-many modalities, and how to edit or amend contemporaneous notes are important considerations. Additionally, including enough information such that the analyst, or any analyst, can follow the notes after time has elapsed and still achieve the same results and conclusions is essential when taking contemporaneous notes. The evidentiary value of contemporaneous notes should be defined and understood by every security professional.

  • The Foundation of Continuous Host Monitoring Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - April 2, 2019 

    Without the right architecture, continuous monitoring can cause more headaches than it cures. This paper examines some of the difficulties organizations face when trying to improperly scale forensic tools and/or concepts, and provides guidance on architectural decisions to help improve continuous monitoring implementations.

  • PDF Metadata Extraction with Python by Christopher A. Plaisance - February 5, 2019 

    This paper explores techniques for programmatically extracting metadata from PDF files using Python. It begins by detailing the internal structure of PDF documents, focusing on the internal system of indirect references and objects within the PDF binary, the document information dictionary metadata type, and the XMP metadata type contained in the file’s metadata streams. Next, the paper explores the most common means of accessing PDF metadata with Python, the high-level PyPDF and PyPDF2 libraries. This examination discovers deficiencies in the methodologies used by these modules, making them inappropriate for use in digital forensics investigations. An alternative low-level technique of carving the PDF binary directly with Python, using the re module from the standard library is described, and found to accurately and completely extract all of the pertinent metadata from the PDF file with a degree of completeness suitable for digital forensics use cases. These low-level techniques are built into a stand-alone open source Linux utility, pdf-metadata, which is discussed in the paper’s final section.

  • Shell Scripting for Reconnaissance and Incident Response by Mark Gray - January 25, 2019 

    It has been said that scripting is a process with three distinct phases that include: identification of a problem and solution, implementation, and maintenance. By applying an analytical mindset, anyone can create reusable scripts that are easily maintainable for the purpose of automating redundant and tedious tasks of a daily workflow. This paper serves as an introduction to the common structure and the various uses of shell scripts and methods for observing script execution, how shells operate, and how commands are found and executed. Additionally, this paper also covers how to apply functions, and control structure and variables to increase readability and maintainability of scripts. Best practices for system and network reconnaissance, as well as incident response, are provided; the examples of employment demonstrate the utilization of shell scripting as an alternative to applying similar functionality in more intricate programming languages.

  • Onion-Zeek-RITA: Improving Network Visibility and Detecting C2 Activity SANS.edu Graduate Student Research
    by Dallas Haselhorst - January 4, 2019 

    The information security industry is predicted to exceed 100 billion dollars in the next few years. Despite the dollars invested, breaches continue to dominate the headlines. Despite best efforts, all attempts to keep the enemies at the gates have ultimately failed. Meanwhile, attacker dwell times on compromised systems and networks remain absurdly high. Traditional defenses fall short in detecting post-compromise activity even when properly configured and monitored. Prevention must remain a top priority, but every security plan must also include hunting for threats after the initial compromise. High price tags often accompany quality solutions, yet tools such as Security Onion, Zeek (Bro), and RITA require little more than time and skill. With these freely available tools, organizations can effectively detect advanced threats including real-world command and control frameworks.

  • Evidence of Data Exfiltration via Containerised Applications on Virtual Private Servers by Seth Enoka - August 6, 2018 

    The use of application containerisation is on the rise due to the lightweight, portable nature of applications developed with this technology, and the ease with which containers can be administered. Instead of deploying an entire virtual machine to run applications separately from one another, users are now able to create modular, insulated software packages which are not necessarily integrated with the host operating system. This means the packages are able to be configured once, then deployed to many servers, many times, instantiated and then removed without affecting the host in the same way traditional applications would. Because of the portability of the applications, they are more versatile and less resource-expensive to deploy and maintain. This also means that containerised applications are somewhat ethereal and can be run only when required; this can present a challenge for security professionals because these applications do not collaborate with the host operating system in a traditional way. Therefore, they can leave fewer artefacts behind for a forensic investigator to analyse. This analysis can be further impeded by the fact that containerisation is being used within virtual private servers hosted in the cloud.

  • Using Image Excerpts to Jumpstart Windows Forensic Analysis by John Brown - June 25, 2018 

    There are many options available for acquiring, processing and analyzing forensic disk images. Choices range from feature-rich commercial tools that provide all-in-one solutions, to open source scripts for carrying out specific tasks. The availability of these tools and the hard work of those who contribute to the forensic community have made the job of the examiner much easier. Even with recent advances, analysis can still be time-consuming, particularly in the acquisition and processing of Windows full disk images. One alternative is to extract and analyze first the files historically known to contain the most relevant data. In many cases, a relatively small number of files contain the majority of information needed to perform a forensic examination. Tests were performed on Windows images to analyze some of these high-value artifacts to find an efficient approach for selectively acquiring and extracting different types of metadata. A script was then written to automate repetitive steps and leverage open source tools found on the most recent Linux version of the SANS SIFT virtual machine.

  • Windows 10 as a Forensic Platform SANS.edu Graduate Student Research
    by Ferenc Kovacs - June 15, 2018 

    Microsoft Windows is widely used by forensic professionals. Windows 10 is the latest version available today. Many popular forensic packages such as FTK, EnCase, and Redline run only on Windows. Other packages such as Python, Volatility, The Sleuth Kit and Autopsy have Windows versions. This paper will detail the process of configuring a Windows 10 computer as a forensics investigation platform. It will show the necessary steps to set up the operating system and install Windows Subsystem for Linux, Python, VMware, and VirtualBox. The research will examine the setup of dd.exe, FTK Imager, EnCase Forensic Imager, Redline, The Sleuth Kit, Autopsy, the SANS SIFT workstation, Volatility and Log2Timeline. This research will also highlight the external devices that will be used, such as write blockers and external drives. Metrics will be collected to show the effectiveness of the software tools and hardware devices. By following the described steps, the reader will have a configured Windows 10 workstation that provides a useful platform for conducting forensic investigations.

  • Pick a Tool, the Right Tool: Developing a Practical Typology for Selecting Digital Forensics Tools SANS.edu Graduate Student Research
    by J. Richard “Rick” Kiper, Ph.D. - March 16, 2018 

    One of the most common challenges for a digital forensic examiner is tool selection. In recent years, examiners have enjoyed a significant expansion of the digital forensic toolbox – in both commercial and open source software. However, the increase in digital forensics tools did not come with a corresponding organizational structure for the toolbox. As a result, examiners must conduct their own research and experiment with tools to find one appropriate for a particular task. This study collects input from forty-six practicing digital forensic examiners to develop a Digital Forensics Tools Typology, an organized collection of tool characteristics that can be used as selection criteria in a simple search engine. In addition, a novel method is proposed for depicting quantifiable digital forensic tool characteristics.

  • Pinpoint and Remediate Unknown Threats: SANS Review of EnCase Endpoint Security Analyst Paper (requires membership in SANS.org community)
    by Jake Williams - March 15, 2018 

    With the increasing prevalence of security incidents, security teams are learning quickly that the endpoint is involved in almost every targeted attack. EnCase Endpoint Security aims to help security teams focus on the most critical incidents and avoid costly data breaches. In this review, SANS analyst Jake Williams shares his tests of EnCase Endpoint Security version 6.02 and how it performs.

  • Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity by Michael C. Long II - February 23, 2018 

    Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors are increasingly utilizing attack frameworks such as PowerShell Empire because of its robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that can be observed by network defenders in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce dwell time of adversaries utilizing PowerShell Empire.

  • Tackling the Unique Digital Forensic Challenges for Law Enforcement in the Jurisdiction of the Ninth U.S. Circuit Court SANS.edu Graduate Student Research
    by John Garris - November 17, 2017 

    The creation of a restrictive digital evidence search protocol by the U.S. Ninth Circuit Court of Appeals - the most stringent in the United States - triggered intense legal debate and caused significant turmoil regarding digital forensics procedures and practices in law enforcement operations. Understanding the Court's legal reasoning and the U.S. Department of Justice's counter-arguments regarding this protocol is critical in appreciating how the tension between privacy concerns and the challenges to law enforcement stand at the center of this unique Information Age issue. By focusing on the Court's core assumption that the seizure and search of electronically stored information are inherently overly intrusive, digital forensics practitioners have a worthy target to focus their efforts in the advancement of digital forensics processes, procedures, techniques, and tool-sets. This paper provides an overview of various proposals, developments, and possible approaches to help address the privacy concerns central to the Court's decision, while potentially improving the overall effectiveness and efficiency of digital forensic operations in law enforcement.

  • Exploring the Effectiveness of Approaches to Discovering and Acquiring Virtualized Servers on ESXi SANS.edu Graduate Student Research
    by Scott Perry - November 17, 2017 

    As businesses continue to move to virtualized environments, investigators need updated techniques to acquire virtualized servers. These virtualized servers contain a plethora of relevant data and may hold proprietary software and databases that are relatively impossible to recreate. Before an acquisition, investigators sometimes rely on the host administrators to provide them with network topologies and server information. This paper will demonstrate tools and techniques to conduct server and network discovery in a virtualized environment and how to leverage the software used by administrators to acquire virtual machines hosted on vSphere and ESXi.

  • Enhance Your Investigations with Network Data Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - October 19, 2017 

    Network forensics is its own specialized field that often introduces complex protocols, jargon, and analysis techniques that are potentially confusing to practitioners. But particular artifacts can be leveraged to determine the attack sequence and to offer a more complete picture of the breach. In this white paper, SANS analyst and instructor Matt Bromiley examines the power of network forensics and why it should be incorporated into all incident response investigations.

  • Forensicating Docker with ELK SANS.edu Graduate Student Research
    by Stefan Winkel - July 17, 2017 

    Docker has made an immense impact on how software is developed and deployed in today's information technology environments. The quick and broad adoption of Docker as part of the DevOps movement has not come without cost. The introduction of vulnerabilities in the development cycle has increased many times over. While efforts like Docker Notary and Security Testing as a Service are trying to catch up and mitigate some of these risks, Docker container escapes through Linux kernel exploits, like the recent widespread Dirty COW privilege escalation exploit in late 2016, can be disastrous in cloud and other production environments. Organizations find themselves more in need of forensicating Docker setups as part of incident investigations. Centralized event logging of Docker containers is becoming crucial in successful incident response. This paper explores how to use the Elastic stack (Elasticsearch, Logstash, and Kibana) as part of incident investigations of Docker images. It will describe the effectiveness of ELK as a result of a forensic investigation of a Docker container escape through the use of Dirty COW.

  • Beats & Bytes: Striking the Right Chord in Digital Forensics (OR: Fiddling with Your Evidence) by Ryan D. Pittman, Cindy Murphy, and Matt Linton - May 22, 2017 

    This paper will present results from a recent survey of DF/IR professionals and seek to provide relevant observations (together with published psychological, sociological, and neurological research) to discuss the similarities and intersections of DF/IR and music, as well as identify potential correlations between being a successful DF/IR professional and playing music. It will also discuss numerous challenges facing DF/IR professionals today and how learning to play and enjoy music can help DF/IR personnel both overcome some of those challenges and be more effective in their chosen field.

  • The Importance of Business Information in Cyber Threat Intelligence (CTI), the information required and how to collect it by Deepak Bellani - April 20, 2017 

    Today most threat feeds are comprised of IOCs with each feed providing 1-10M IOCs per year. As the CTI platform adds more feeds, the ability to filter and prioritize threat information becomes a necessity. It is well known that the SOC, Incident Response, Risk and Compliance groups are the primary consumers of CTI. Generating CTI prioritized in order of relevance and importance is useful to help focus the efforts of these high-performance groups. Relevance and importance can be determined using business and technical context. Business context is organizational knowledge, i.e., its processes, roles and responsibilities, underlying infrastructure and controls. Technical context is the footprint of malicious activity within the organization's networks, such as phishing activity, malware, and internal IOCs. In this paper, we will examine how business and technical information is used to filter and prioritize threat information.

  • Detection of Backdating the System Clock in Windows by Xiaoxi Fan - March 15, 2017 

    In the digital forensic industry, evidence concerning date and time is a fundamental part of many investigations. As one of the most commonly used anti-forensic approaches, system backdating has appeared in more and more investigations. Since the system clock can be set back manually, it is important for investigators to identify the reliability of date and time so as to make further decisions. However, there is no simple way to tell whether the system clock has been backdated or tampered with, especially when it was subsequently reset to the correct time. There are a variety of artifacts to detect the behavior of backdating the system clock. If the investigator needs to prove the hypothesis that "the system clock has not been backdated," he or she must examine multiple artifacts for corroboration.

  • Tor Browser Artifacts in Windows 10 SANS.edu Graduate Student Research
    by Aron Warren - February 24, 2017 

    The Tor network is a popular, encrypted, worldwide, anonymizing virtual network in existence since 2002 and is used by all facets of society such as privacy advocates, journalists, governments, and criminals. This paper will provide a forensic analysis of the Tor Browser version 5 client on a Windows 10 host for an individual or group interested in remnants left by the software. This paper will utilize various free and commercial tools to provide a detailed analysis of filesystem artifacts as well as a comparison between pre- and post-connection to the Tor network using memory analysis.

  • OS X as a Forensic Platform SANS.edu Graduate Student Research
    by David M. Martin - February 22, 2017 

    The Apple Macintosh and its OS X operating system have seen increasing adoption by technical professionals, including digital forensic analysts. Forensic software support for OS X remains less mature than that of Windows or Linux. While many Linux forensic tools will work on OS X, instructions for how to configure the tool in OS X are often missing or confusing. OS X also lacks an integrated package management system for command line tools. Python, which serves as the basis for many open-source forensic tools, can be difficult to maintain and easy to misconfigure on OS X. Due to these challenges, many OS X users choose to run their forensic tools from Windows or Linux virtual machines. While this can be an effective and expedient solution, those users miss out on much of the power of the Macintosh platform. This research will examine the process of configuring a native OS X forensic environment that includes many open-source forensic tools, including Bulk Extractor, Plaso, Rekall, Sleuthkit, Volatility, and Yara. This process includes choosing the correct hardware and software, configuring it properly, and overcoming some of the unique challenges of the OS X environment. A series of performance tests will help determine the optimal hardware and software configuration and examine the performance impact of virtualization options.

  • Obfuscation and Polymorphism in Interpreted Code by Kristopher L. Russo - February 10, 2017 

    Malware research has operated primarily in a reactive state to date but will need to become more proactive to bring malware time-to-detection rates down to acceptable levels. Challenging researchers to begin creating their own code that defeats traditional malware detection will help bring about this change. This paper demonstrates a sample code framework that is easily and dynamically expanded on. It shows that it is possible for malware researchers to proactively mock up new threats and analyze them to test and improve malware mitigation systems. The code sample documented within demonstrates that modern malware mitigation systems are not robust enough to prevent even the most basic of threats. A significant amount of difficult-to-detect malware that is in circulation today is evidence of this deficiency. This paper is designed to demonstrate how malware researchers can approach this problem in a way that partners researchers with vendors and follows code development from ideation through design to implementation and ultimately on to identification and mitigation.

  • Forensication Education: Towards a Digital Forensics Instructional Framework SANS.edu Graduate Student Research
    by J. Richard “Rick” Kiper - February 3, 2017 

    The field of digital forensics is a diverse and fast-paced branch of cyber investigations. Unfortunately, common efforts to train individuals in this area have been inconsistent and ineffective, as curriculum managers attempt to plug in off-the-shelf courses without an overall educational strategy. The aim of this study is to identify the most effective instructional design features for a future entry-level digital forensics course. To achieve this goal, an expert panel of digital forensics professionals was assembled to identify and prioritize the features, which included general learning outcomes, specific learning goals, instructional delivery formats, instructor characteristics, and assessment strategies. Data was collected from participants using validated group consensus methods such as Delphi and cumulative voting. The product of this effort was the Digital Forensics Framework for Instruction Design (DFFID), a comprehensive digital forensics instructional framework meant to guide the development of future digital forensics curricula.

  • Implementing Full Packet Capture SANS.edu Graduate Student Research
    by Matt Koch - November 7, 2016 

    Full Packet Capture (FPC) provides a network defender an after-the-fact investigative capability that other security tools cannot provide. Uses include capturing malware samples, network exploits and determining if data exfiltration has occurred. Full packet captures are a valuable troubleshooting tool for operations and security teams alike. Successful implementation requires an understanding of organization-specific requirements, capacity planning, and delivery of unaltered network traffic to the packet capture system.

  • Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response by Gordon Fraser - September 21, 2016 

    A commonly accepted Incident Response process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Preparation is key. It sets the foundation for a successful incident response. The incident responder does not want to be trying to figure out where to collect the information necessary to quickly assess the situation and to respond appropriately to the incident. Nor does the incident responder want to hope that the information he needs is available at the level of detail necessary to most effectively analyze the situation so he can make informed decisions on the best course of action. This paper identifies artifacts that are important to support network forensics during incident response and discusses an architecture and implementation for a home lab to support the collection of them. It then validates the architecture using an incident scenario.

  • Portable System for Network Forensics Data Collection and Analysis SANS.edu Graduate Student Research
    by Don Murdoch - July 15, 2016 

    A portable lab environment for network level analysis is a necessary tool today for the forensic analyst. With today's malicious software and myriad of network-aware client-side software, one of the tools that should be in the forensic analyst's toolbox is a portable response system for data collection and analysis. This paper will explain how to build a portable forensic workstation that provides several virtual environments installed together with supplemental hardware, such as multiple NICs and a modern managed switch, in order to provide a network forensic tool. VMs will include pfSense 2.2 running in transparent firewall mode along with other supporting packages, a network security-monitoring platform. A cookbook approach will be used to explore common use cases for the network and system forensic analyst, such as updating rules, sharing data among multiple environments, extracting data from packet captures, and clearing out all of the tools installed to start an investigation. This paper was written to provide a build outline for using pfSense and Security Onion to achieve these goals.

  • Creating a Secure and Compliant Digital Forensics and Incident Response Network with Remote Access SANS.edu Graduate Student Research
    by Scott Perry - April 29, 2016 

    News stories involving data breaches, cybercrime, and conversely, crimes solved with digital forensics, are becoming daily occurrences.

  • Incident Response in Amazon EC2: First Responders Guide to Security Incidents in the Cloud by Tom Arnold - April 21, 2016 

    As Head of Digital Forensics for Payment Software Company Inc. (“PSC”), a company that focuses exclusively on Clients that accept or process payments, we’ve responded to sites operating within cloud environments, most notably Amazon EC2.

  • Filesystem Timestamps: What Makes Them Tick? SANS.edu Graduate Student Research
    by Tony Knutson - March 29, 2016 

    One of the most critical aspects of a forensic investigation is what and where a file has been.

  • Tech Refresh for the Forensic Analysis Toolkit by Derek Edwards - March 16, 2016 

    Many have written about the “digital forensics crisis” caused by growing caseloads and storage device sizes.

  • Mimikatz Overview, Defenses and Detection SANS.edu Graduate Student Research
    by James Mulder - February 29, 2016 

    Over the past decade or so, we have seen hacker tools mature from tedious bit flipping to robust attack frameworks.

  • Incident identification through outlier analysis SANS.edu Graduate Student Research
    by Joshua Lewis - February 16, 2016 

    Distinguishing between friend and foe as millions of packets traverse a network at any given moment can be a very tedious and trying objective.

  • Using Virtualization in Internal Forensic Training and Assessment SANS.edu Graduate Student Research
    by Courtney Imbert - January 20, 2016 

    Continual training is a critical part of forensics work. Formal training and education in forensics are irreplaceable, but training has the most value when supplemented with hands-on laboratory work to reinforce concepts and apply practical skills (Ananthapadmanabhan, Frankl, Memon, & Naumovich, 2003).

  • Detecting Malware and Sandbox Evasion Techniques by Dilshan Keragala - January 20, 2016 

    The Internet has revolutionized the operations of businesses, the manner in which transactions are conducted, education programs are administered, and how research works are handled; these are a few of the benefits it has afforded society.

  • Network Forensics and HTTP/2 SANS.edu Graduate Student Research
    by Stefan Winkel - January 18, 2016 

    The first publicly released version of Hypertext Transfer Protocol (HTTP), HTTP 1.0, was released in 1996. HTTP is an application-level protocol for distributed, collaborative, hypermedia information systems (Berners-Lee, Fielding, & Frystyk, 1996). It is the basis of communication for the World Wide Web.

  • Zork as a Computer Investigative Mind Set SANS.edu Graduate Student Research
    by Timothy Cook - January 7, 2016 

    While not the first text adventure (alternatively known as “interactive fiction genre”) game, Zork is possibly the most well-known one. It was created in the late 1970s on a PDP-10 mainframe computer by Massachusetts Institute of Technology (MIT) students Tim Anderson, Marc Blank, Bruce Daniels and Dave Lebling.

  • Extracting Files from Network Packet Captures SANS.edu Graduate Student Research
    by Rebecca Deck - December 28, 2015 

    Full content packet captures provide analysts with the ability to review exactly what has transpired on a network. Analysts neither have to rely on questionable logs nor perform guesswork when determining what data have been transferred.

  • Investigative Forensic Workflow-based Case Study for Vectra and Cyphort by Jennifer Mellone - December 18, 2015 

    Enterprise and organizational networks are vulnerable to malware in part because of users’ endpoint laptops. Users routinely disconnect them from the corporate network with its due diligence perimeter security, connect to public and home networks, and reconnect to the corporate network.

  • A Forensic Look at Bitcoin Cryptocurrency by Michael Doran - November 16, 2015 

    Since the creation of the Internet in 1969, there have been notable technological advances involving the Internet that not only drastically affect each aspect of a person's life, but also forever change the way that a society functions (Strickland, 2007).

  • Analysis and Reporting improvements with Notebooks by Ben Knowles - November 2, 2015 

    Free and open source scientific notebook software allows responders to perform analysis and record results simultaneously in an open, flexible, portable format for ease of sharing and reporting.

  • Uncovering Indicators of Compromise (IoC) Using PowerShell, Event Logs and a Traditional Monitoring Tool SANS.edu Graduate Student Research
    by Dallas Haselhorst - October 26, 2015 

    What security concerns keep you up at night? Is it pivoting, persistent access, the time to detect compromise, or one of a thousand other possibilities? What if you were told that without a doubt, you have tools at your disposal to periodically verify your security posture and you are not presently using them? Why spend more hours and more budget implementing a new product with new agents and new headaches that will not effectively reduce your workload or anxiety level? Even if you have commercial tools already monitoring your systems for security events, how do you know they are working? Is it even practical to use customized PowerShell scripts/plugins, built-in event logs, and a traditional monitoring tool such as Nagios to monitor for indicators of compromise on Windows systems? In addition, you will be presented with some applied research as well as easy-to-follow guidelines you can integrate into your own environment(s).

  • Forensic Analysis On Android: A Practical Case by Angel Alonso-Parrizas - October 14, 2015 

    Mobile platforms have grown very quickly in the last few years. At the same time, vulnerabilities and malware have evolved, affecting the new mobile landscape. In order to respond to this new set of threats it is necessary that existing security techniques and tools adapt to the new situation. As a result, the current techniques, tools and processes to perform forensic analysis in networks and systems need to also cover mobile platforms. In this paper it will be discussed how it is possible to perform forensic analysis in Android platforms covering the following aspects: the evidence in the logs, the network traffic, the file system and in particular the analysis of the memory. A real malware case is investigated using the above aspects.

  • Forensic Analysis of Industrial Control Systems by Lewis Folkerth - September 25, 2015 

    Industrial Control Systems (ICS) contribute to our safety and convenience every day, yet remain unseen and unnoticed. From oil refineries to traffic lights, from the elevators we ride to the electric power plants that keep our lights on, they provide the control and monitoring for our essential services. ICS have served reliably for decades, but a changing technological environment is exposing them to risks they were not designed to handle. Internet connectivity, vulnerability assessment tools, and attacks by criminal and nation-state organizations are part of this changing picture. Along with this higher-risk environment comes the certainty that some of our ICS will be compromised. In order to prevent recurring attacks, security professionals must be able to discover where the compromise originated, how it was carried out, and, if possible, who was responsible. Many types of ICS run on proprietary hardware, so commonly accepted forensic techniques must be adapted for use in an ICS environment. In order to detect a compromise, baseline configurations should be documented. Networks should be monitored for unauthorized access and activity. In addition, a response plan should be in place to maintain service and streamline recovery. Techniques for forensic analysis were adapted and tested on live ICS, resulting in recommendations for successful detection and recovery after an incident. With adequate preparation and the appropriate response planning and execution, it is possible to successfully perform a forensic analysis for an ICS compromise.

  • A Network Analysis of a Web Server Compromise SANS.edu Graduate Student Research
    by Kiel Wadner - September 8, 2015 

    Through the analysis of a known scenario, the reader will be given the opportunity to explore a website being compromised. From the initial reconnaissance to gaining root access, each step is viewed at the network level. The benefit of a known scenario is assumptions about the attackers’ reasons are avoided, allowing focus to remain on the technical details of the attack. Steps such as file extraction, timing analysis and reverse engineering an encrypted C2 channel are covered.

  • Forensic Timeline Analysis using Wireshark GIAC (GCFA) Gold Certification SANS.edu Graduate Student Research
    by David Fletcher - August 10, 2015 

    The objective of this paper is to demonstrate analysis of timeline evidence using the Wireshark protocol analyzer. To accomplish this, sample timelines will be generated using tools from The Sleuth Kit (TSK) as well as Log2Timeline. The sample timelines will then be converted into Packet Capture (PCAP) format. Once in this format, Wireshark's native analysis capabilities will be demonstrated in the context of forensic timeline analysis. The underlying hypothesis is that Wireshark can provide a suitable interface for enhancing an analyst's ability. This is accomplished through use of built-in features such as analysis profiles, filtering, colorization, marking, and annotation.

  • Coding For Incident Response: Solving the Language Dilemma SANS.edu Graduate Student Research
    by Shelly Giesbrecht - July 28, 2015 

    Incident responders frequently are faced with the reality of "doing more with less" due to budget or manpower deficits. The ability to write scripts from scratch or modify the code of others to solve a problem or find data in a data "haystack" are necessary skills in a responder's personal toolkit. The question for IR practitioners is what language should they learn that will be the most useful in their work? In this paper, we will examine several coding languages used in writing tools and scripts used for incident response including Perl, Python, C#, PowerShell and Go. In addition, we will discuss why one language may be more helpful than another depending on the use-case, and look at examples of code for each language.

  • Using windows crash dumps for remote incident identification by Zong Fu Chua - June 16, 2015 

    With the proliferation of defense mechanisms built into the Windows Operating System, such as ASLR, DEP, and SEHOP, it is getting more difficult for malware to successfully exploit it.

  • IDS File Forensics SANS.edu Graduate Student Research
    by George Khalil - May 13, 2015 

    Attackers usually follow an attack framework in order to breach an organization's computer network infrastructure. In response, forensic analysts are tasked with identifying files, data and tools accessed during a breach.

  • Using Sysmon to Enrich Security Onion's Host-Level Capabilities by Josh Brower - March 27, 2015 

    In 2003, Gartner declared Intrusion Detection Systems as a “market failure” primarily because of the high false positives and negatives, and the significant amount of time and resources needed to monitor and validate alerts.

  • Windows Phone 8 Forensic Artifacts by Cynthia Murphy, Adrian Leong, Maggie Gaffney, Shafik G. Punja, JoAnn Gibb, Brian McGarry - February 20, 2015 

    Because of the fast pace of change of mobile device technologies and operating systems, there are times when a newer mobile device which is unsupported or only partially supported by commercial mobile forensic tools for data extraction and parsing must be examined in the course of a criminal investigation, with the end goal being the extraction of digital evidence for use in court.

  • Analyzing Man-in-the-Browser (MITB) Attacks SANS.edu Graduate Student Research
    by Chris Cain - January 12, 2015 

    Malware today has become the method of choice to attack financial institutions. With the ease of use and ability for criminals to cover their tracks, this has been the way to rob banks without the need for a getaway car. Attackers are finding new and complex methods in which to carry out attacks. One of these vectors is a Man-in-the-Browser (MITB) attack.

  • Let's face it, you are probably compromised. What next? by Jonathan Thyer - December 15, 2014 

    Over the past several years, the information technology industry has dramatically shifted from a desktop workstation centric, corporate owned computing asset model to a model of performing business processing tasks from anywhere with any capable device. This is evident through the dramatic increase in tablet and smartphone use by organizational employees, and the demand of employees to be able to use their own devices to manage daily business tasks.

  • Intelligence-Driven Incident Response with YARA by Ricardo Dias - October 20, 2014 

    The concept of threat intelligence is gaining momentum in the cyber-security arena. As targeted attacks increase in number and sophistication, organizations are beginning to develop and integrate the concept of threat intelligence into their cyber-defensive strategies. By doing so, organizations are taking the next step forward to respond to cyber-attacks. Recent threat reports reveal promising results.

  • Reducing the Catch: Fighting Spear-Phishing in a Large Organization by Joel Anderson - October 20, 2014 

    The phishing problem isn't new. Over 150 years ago, Charles Dickens wrote a passionate and witty letter about fraudsters of his day who, like Nigerian 419 scammers today, preyed upon the generosity and gullibility of well-meaning folk. The differences in our time are that of scale and scope, as the perpetrators have taken on seven league boots and covered continents with their shameless appeals.

  • An Analysis of Meterpreter during Post-Exploitation SANS.edu Graduate Student Research
    by Kiel Wadner - October 14, 2014 

    Much has been written about using the Metasploit Framework to gain access to systems, utilizing exploits, and the post-exploitation modules. What has received less attention is how they work, what they actually do on the system and how it can be detected. That is the focus of this research paper.

  • Forensicator FATE - From Artisan To Engineer by Barry Anderson - October 13, 2014 

    The SANS Investigative Forensic Toolkit (SIFT) is an awesome set of (free!) tools for the forensics professional. Using these tools effectively however can be overwhelming, especially in the case of a large complex case such as an APT intrusion.

  • Forensic Images: For Your Viewing Pleasure SANS.edu Graduate Student Research
    by Sally Vandeven - September 19, 2014 

    Digital forensic investigations often involve creating and examining disk images. A disk image is a bit-for-bit copy of a full disk or a single partition from a disk. Because the contents of a disk are constantly changing on a running system, disk images are often created following an intrusion or incident to preserve the state of a disk at a particular point in time.

  • Creating a Baseline of Process Activity for Memory Forensics SANS.edu Graduate Student Research
    by Gordon Fraser - August 27, 2014 

    SANS's Advanced Forensic Analysis and Incident Response course (Lee & Tilbury, 2013) defines a process for the examination of memory to identify indicators of compromise.

  • A Journey into Litecoin Forensic Artifacts by Daniel Piggott - June 3, 2014 

    Litecoin is a virtual peer-to-peer currency.

  • Automation of Report and Timeline-file based file and URL analysis by Florian Eichelberger - May 6, 2014 

    The proposed solution tries to lessen the burden of manually processing timeline-based logfiles and automating the classification of both files and URLs.

  • Windows ShellBag Forensics in Depth by Vincent Lo - April 14, 2014 

    Microsoft Windows records the view preferences of folders and Desktop.

  • Repurposing Network Tools to Inspect File Systems by Andre Thibault - February 27, 2014 

    Digital forensics can be a laborious and multi-step process. Some of the initial steps in digital forensics include: Data Reduction, Anti-Virus checks, and an Indicator of Compromise (IOC) search.

  • Review of Windows 7 as a Malware Analysis Environment by Adam Kramer - January 9, 2014 

    The SANS course "FOR610: Reverse Engineering of Malware" is designed using Windows XP as the malware analysis environment (SANS Institute, 2013).

  • Live Response Using PowerShell by Sajeev Nair - August 19, 2013 

    Organizations today handle more sensitive personal data than ever before. As the amount of sensitive personal data increases, the more they are susceptible to security incidents and breaches (AICPA, n.d.).

  • The SANS Survey of Digital Forensics and Incident Response Analyst Paper (requires membership in SANS.org community)
    by Paul Henry, Jacob Williams, and Benjamin Wright - July 18, 2013 

    2013 Digital Forensics Survey to identify the nontraditional areas where digital forensics techniques are used.

  • Dead Linux Machines Do Tell Tales by James Fung - May 15, 2013 

    A summary study of a compromised Linux network and the incident handling procedures that followed.

  • Log2Pcap by Joaquin Moreno - April 29, 2013 

    During the analysis of all the available data that are logged, organizations must be able to identify which portions of this information are actionable and pertinent.

  • Using IOC (Indicators of Compromise) in Malware Forensics by Hun-Ya Lock - April 17, 2013 

    In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.

  • Indicators of Compromise in Memory Forensics by Chad Robertson - March 21, 2013 

    There has been a recent increase in the availability of intelligence related to malware.

  • Windows Logon Forensics by Sunil Gupta - March 12, 2013 

    Digital forensics, also known as computer and network forensics, is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.

  • Forensic Analysis on iOS Devices SANS.edu Graduate Student Research
    by Tim Proffitt - January 25, 2013 

    Technology in smart phones and tablets is advancing at a feverish pace.

  • A Regular Expression Search Primer for Forensic Analysts by Tim Cook - April 24, 2012 

    This paper introduces some of the powerful ASCII pattern identification and manipulation tools that are available to Forensic Analysts from the command line of the Linux Operating System of the SANS Investigative Forensic Toolkit (SIFT) Workstation.

  • What's in a Name: Uncover the Meaning behind Windows Files and Processes by Larisa Long - February 7, 2012 

    When a system has been compromised, forensic analysts have to be part researcher and part investigator. They must be able to parse out known or healthy files to eliminate them as possible clues. Like the old saying goes: know what you don't know, but know where to find the answers.

  • iPhone Backup Files. A Penetration Tester's Treasure by Darren Manners - February 7, 2012 

    One of the noticeable changes in recent technology history is the emergence of the smart phone. Technological advances in these fields have created devices that have almost the equivalent power and functionality of desktop computers.

  • Computer Forensic Timeline Analysis with Tapestry by Derek Edwards - November 29, 2011 

    One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.

  • Identifying Malicious Code Infections Out of Network by Ken Dunham - August 29, 2011 

    Forensics is a complex subject, where details matter greatly. Even more complicated are investigations where forensic methods are used to further understand, identify, capture, and mature an understanding of a malicious attack that may have taken place on a computer.

  • Wireless Networks and the Windows Registry - Just where has your computer been? SANS.edu Graduate Student Research
    by Jonathan Risto - May 6, 2011 

    The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user-configured settings and installed software.

  • Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis SANS.edu Graduate Student Research
    by T.J. OConnor - September 13, 2010 

    Forensics tools exist in abundance on the Web. Want to find a tool to dump the Windows SAM database out of volatile memory? Google and you will quickly find out that it exists. Want to mount and examine the contents of an iPhone backup? A tool exists to solve that problem as well. But what happens when a tool does not already exist? Anyone who has recently performed a forensic investigation knows that you are often left with a sense of frustration, knowing data existed if only you had a tool that could access it.

  • Integrating Forensic Investigation Methodology into eDiscovery by Colin Chisholm - September 7, 2010 

    The intent of this paper is twofold; to provide a primer on the eDiscovery process for forensic analysts and to provide guidance on the application of forensic investigative methodology to said process. Even though security practitioners such as forensic analysts operate in the legal vertical, they necessarily view and approach eDiscovery from a different perspective than legal professionals. This paper proposes that both parties can benefit when they integrate their processes; forensic tools and techniques have been used in the collection, analysis and presentation of evidence in the legal system for years. The history, and precedent, of applying forensic science to the legal process can be leveraged into the eDiscovery process. This paper will also detail how the scope and work for a forensic investigator during the eDiscovery process differs from a typical forensic investigation.

  • Remotely Accessing Sensitive Resources by Jason Ragland - February 18, 2010 

    Often travelers require access to digital resources to perform work from off-site locations such as conferences, hotels, and homes. These resources can include emails, research, medical, financial data, server management applications, or any number of other things that may have a very high need for confidentiality and integrity. The acceptable methods for access vary based on a variety of factors such as size, complexity, available types of network connectivity, and bandwidth. Access to email is often easily provided via a secure website and a password, for example. If the resource consists of gigabytes of research data, it isn’t as simple.

  • Reverse Engineering the Microsoft exFAT File System by Robert Shullich - February 18, 2010 

    As technology pushes the limits of removable media, so grows the need for a new file system to support the larger capacities and faster access speeds being designed. Microsoft's answer to this need is the new Extended FAT file system (exFAT), which has been made available on its newer operating systems and which will be supported on the new Secure Digital eXtended Capacity (SDXC) storage media. This file system is proprietary and requires licensing from Microsoft, and little has been published about exFAT's internals. Yet in order to perform a full and proper digital forensics examination of the media, the file system layout and organization must be known. This paper takes a look under the hood of exFAT and demystifies the file system structure in order to aid the performance of a digital investigation.
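
    As an added example, not code from Shullich's paper: a parser for the exFAT main boot sector (the first sector of the boot region), using the field order and widths given in Microsoft's published exFAT specification, run against a constructed sample sector rather than a real device. It also carries out the cluster-to-offset arithmetic an examiner needs to reach the root directory, since exFAT numbers clusters from 2. The sample geometry values and the Python field names are my own choices.

```python
import struct
from typing import Any, Dict

# exFAT main boot sector, little-endian; field order and widths follow the
# published Microsoft exFAT specification. Total size 512 bytes (larger
# sectors pad after BootSignature).
VBR = struct.Struct("<3s8s53sQQIIIIIIHHBBBBB7s390sH")
FIELDS = (
    "jump_boot", "fs_name", "must_be_zero",
    "partition_offset", "volume_length",
    "fat_offset", "fat_length", "cluster_heap_offset", "cluster_count",
    "first_cluster_of_root", "volume_serial",
    "fs_revision", "volume_flags",
    "bytes_per_sector_shift", "sectors_per_cluster_shift", "number_of_fats",
    "drive_select", "percent_in_use",
    "reserved", "boot_code", "boot_signature",
)

def parse_vbr(sector: bytes) -> Dict[str, Any]:
    """Decode the boot sector and sanity-check it before trusting its geometry."""
    if len(sector) < VBR.size:
        raise ValueError("need at least 512 bytes")
    v: Dict[str, Any] = dict(zip(FIELDS, VBR.unpack_from(sector)))
    if v["fs_name"] != b"EXFAT   ":
        raise ValueError(f"not exFAT: FileSystemName={v['fs_name']!r}")
    if v["boot_signature"] != 0xAA55:
        raise ValueError(f"bad boot signature 0x{v['boot_signature']:04x}")
    if v["must_be_zero"] != bytes(53):
        raise ValueError("MustBeZero region is non-zero (damaged or not exFAT)")
    # Ranges the specification allows; out-of-range shifts mean a forged or
    # corrupted sector, and the derived sizes below would be nonsense.
    if not 9 <= v["bytes_per_sector_shift"] <= 12:
        raise ValueError("BytesPerSectorShift out of range")
    if v["bytes_per_sector_shift"] + v["sectors_per_cluster_shift"] > 25:
        raise ValueError("cluster larger than 32 MiB")
    if v["number_of_fats"] not in (1, 2):
        raise ValueError("NumberOfFats must be 1 or 2")
    v["bytes_per_sector"] = 1 << v["bytes_per_sector_shift"]
    v["sectors_per_cluster"] = 1 << v["sectors_per_cluster_shift"]
    v["bytes_per_cluster"] = v["bytes_per_sector"] * v["sectors_per_cluster"]
    return v

def cluster_to_byte_offset(v: Dict[str, Any], cluster: int) -> int:
    """Byte offset from the volume start of a cluster in the cluster heap.
    Cluster N begins at sector ClusterHeapOffset + (N - 2) * SectorsPerCluster."""
    if cluster < 2 or cluster >= v["cluster_count"] + 2:
        raise ValueError(f"cluster {cluster} outside the cluster heap")
    sector = v["cluster_heap_offset"] + ((cluster - 2) << v["sectors_per_cluster_shift"])
    return sector * v["bytes_per_sector"]

def build_sample_vbr() -> bytes:
    # Constructed sector, not from a real device: 512-byte sectors, 8 sectors
    # per cluster, FAT at sector 128, cluster heap at sector 256, root at cluster 5.
    return VBR.pack(
        b"\xeb\x76\x90", b"EXFAT   ", bytes(53),
        0, 1 << 20,            # PartitionOffset, VolumeLength (sectors)
        128, 64,               # FatOffset, FatLength (sectors)
        256, 4096,             # ClusterHeapOffset, ClusterCount
        5,                     # FirstClusterOfRootDirectory
        0xDEADBEEF, 0x0100,    # VolumeSerialNumber, FileSystemRevision 1.00
        0,                     # VolumeFlags
        9, 3, 1, 0x80, 0xFF,   # shifts (2^9, 2^3), NumberOfFats, DriveSelect, PercentInUse (0xFF = unknown)
        bytes(7), bytes(390), 0xAA55,
    )

if __name__ == "__main__":
    v = parse_vbr(build_sample_vbr())
    print("bytes per cluster:", v["bytes_per_cluster"])
    print("root directory starts at byte", cluster_to_byte_offset(v, v["first_cluster_of_root"]))
```

    On a real image, read the first 512 bytes at the partition's start (the partition table gives the offset) and pass them to parse_vbr; the backup boot region, twelve sectors further on, holds a second copy to compare against when the main one has been tampered with.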

  • Mac OS X Malware Analysis by Joel Yonts - September 2, 2009 

    As Apple's market share rises, so will the malware! Will incident responders be ready to address this rising threat? Leveraging the knowledge and experience from the mature Windows-based malware analysis environment, a roadmap will be built that will equip those already familiar with malware analysis to make the transition to the Mac OS X platform. Topics covered will include analysis of filesystem events, network traffic capture and analysis, live response tools, and examination of OS X constructs such as executable file structure and supporting configuration files.

  • Techniques and Tools for Recovering and Analyzing Data from Volatile Memory by Kristine Amari - March 26, 2009 

    There are many relatively new tools available that have been developed in order to recover and dissect the information that can be gleaned from volatile memory, but because this is a relatively new and fast-growing field many forensic analysts do not know or take advantage of these assets.

  • Data Carving Concepts by Antonio Merola - November 19, 2008 

    The idea behind this paper is to help people become familiar with data carving concepts and analysis techniques.
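
    As an added illustration of the header/trailer ("magic number") carving that data carving papers introduce, not code from Merola's paper: a small Python carver that scans a raw byte image for JPEG and PNG signatures, cuts each file at its trailer within a size bound, and skips headers that fall inside a region already carved. The image is constructed inside the block; the signature table and the size limit are my choices.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

class Carved(NamedTuple):
    kind: str
    start: int     # byte offset of the header in the image
    end: int       # byte offset just past the trailer
    data: bytes

# Header/trailer signatures (my selection). Both formats end with a fixed
# trailer, so each file is cut where it really ends rather than at a size guess.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024   # assumed upper bound on a single file

def carve(image: bytes, signatures=SIGNATURES, max_size: int = MAX_CARVE) -> List[Carved]:
    """Header/trailer carving over a raw image; needs no file system metadata."""
    candidates: List[Carved] = []
    for kind, (header, trailer) in signatures.items():
        for match in re.finditer(re.escape(header), image):
            start = match.start()
            limit = min(len(image), start + max_size)
            end = image.find(trailer, start + len(header), limit)
            if end == -1:
                continue   # no trailer within bound: overwritten or truncated, skip it
            end += len(trailer)
            candidates.append(Carved(kind, start, end, image[start:end]))
    # A header found inside a file already carved (an embedded thumbnail,
    # for instance) is not a separate file: keep the earliest, drop overlaps.
    kept: List[Carved] = []
    for c in sorted(candidates, key=lambda c: c.start):
        if kept and c.start < kept[-1].end:
            continue
        kept.append(c)
    return kept

def build_sample_image() -> bytes:
    # Constructed image: filler, a tiny JPEG-shaped blob, filler, a PNG-shaped
    # blob, then a JPEG header whose trailer was overwritten (must be skipped).
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR-sample-chunk" + b"IEND\xaeB`\x82"
    return bytes(64) + jpg + bytes(100) + png + bytes(16) + b"\xff\xd8\xff\xe1no-trailer"

if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(f"{c.kind}\toffset={c.start}\tlength={c.end - c.start}")
```

    Two caveats a practitioner should keep in mind: a JPEG with an EXIF thumbnail contains a second FFD9 before its own, so trailer matching alone cuts such files short, and a fragmented file cannot be recovered by any contiguous carver; production tools parse the file structure to handle the first case and use fragment reassembly for the second.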

  • Mobile Device Forensics by Andrew Martin - September 5, 2008 

    This research paper will document in detail the methodology used to examine mobile electronic devices for the data critical to security investigations. The methodology encompasses the tools, techniques and procedures needed to gather data from a variety of common devices.

  • A Forensic Primer for Usenet Evidence by Mark Lachniet - June 25, 2008 

    This document is intended to provide an overview of the Usenet on the Internet, including the NNTP protocol and types of evidence of Usenet abuse that may be present on permanent storage devices such as hard disks and flash drives.

  • Ex-Tip: An Extensible Timeline Analysis Framework in Perl by Michael Cloppert - May 21, 2008 

    Digital forensic investigative needs extend well beyond the capabilities provided by classic timeline generation and analysis tools. In this paper, a simple, extensible, and portable timeline framework is discussed in detail. Dubbed Ex-Tip, it is shown that this tool can be used to provide basic timeline capabilities to any variety of input sources, with customizable output for human or programmatic consumption.
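
    Both the Tapestry entry above and Ex-Tip describe building a single timeline from heterogeneous sources. As an added example in Python (Ex-Tip itself is written in Perl, and this is not its code), here is a minimal plugin-style framework of the same shape: each source type is a registered parser that emits events normalized to UTC, and the timeline is the merged, sorted stream. The body-file line follows the Sleuth Kit body format; the syslog line, the hypothetical host name and the assumed host time zone are constructed for the example.

```python
import datetime as dt
from typing import Callable, Dict, Iterator, List, NamedTuple, Tuple

class Event(NamedTuple):
    when: dt.datetime      # always timezone-aware, normalized to UTC
    source: str
    what: str

# Registry of source parsers: name -> function(text, zone) yielding Events.
# A new evidence type is supported by registering one more parser.
PARSERS: Dict[str, Callable[..., Iterator[Event]]] = {}

def register(name: str):
    def deco(fn):
        PARSERS[name] = fn
        return fn
    return deco

def host_zone(hours_offset: float) -> dt.tzinfo:
    """Fixed-offset zone of the examined host (e.g. -5 for EST without DST)."""
    return dt.timezone(dt.timedelta(hours=hours_offset))

@register("body")
def parse_body(text: str, zone: dt.tzinfo) -> Iterator[Event]:
    # Sleuth Kit body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
    # Timestamps are Unix epoch seconds (UTC), so the host zone is not needed;
    # every non-zero MAC time becomes its own event.
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        name = parts[1]
        for label, field in zip(("atime", "mtime", "ctime", "crtime"), parts[7:]):
            t = int(field)
            if t:
                yield Event(dt.datetime.fromtimestamp(t, dt.timezone.utc), "fs", f"{label} {name}")

@register("syslog")
def parse_syslog(text: str, zone: dt.tzinfo, year: int = 2011) -> Iterator[Event]:
    # Classic syslog stamps ("Nov 29 09:05:12") carry neither year nor zone,
    # so both come from the case: the year is assumed, the zone is the host's
    # configured offset. The stamp is converted to UTC here, once.
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, message = line[:15], line[16:]
        local = dt.datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=zone)
        yield Event(local.astimezone(dt.timezone.utc), "syslog", message)

def build_timeline(inputs: List[Tuple[str, str]], zone: dt.tzinfo) -> List[Event]:
    """inputs: (parser_name, raw_text) pairs; returns events ordered by UTC time."""
    events: List[Event] = []
    for kind, text in inputs:
        events.extend(PARSERS[kind](text, zone))
    return sorted(events, key=lambda e: e.when)   # stable sort: ties keep source order

def build_sample_inputs() -> List[Tuple[str, str]]:
    # Constructed evidence, not from a real case: an authorized_keys file
    # written at 12:00:00 UTC, then a login stamped 09:05:12 in host-local time.
    t = int(dt.datetime(2011, 11, 29, 12, 0, 0, tzinfo=dt.timezone.utc).timestamp())
    body = f"0|/home/alice/.ssh/authorized_keys|4102|r/rrw-------|1000|1000|398|0|{t}|{t}|0"
    syslog = "Nov 29 09:05:12 host1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2"
    return [("body", body), ("syslog", syslog)]

def render(events: List[Event]) -> str:
    return "\n".join(f"{e.when.isoformat()}\t{e.source}\t{e.what}" for e in events)

if __name__ == "__main__":
    print(render(build_timeline(build_sample_inputs(), host_zone(-5))))
```

    The sample is chosen to show why normalization is the heart of such a framework: read the syslog stamp as if it were UTC and the login appears to precede the key being written; apply the host's UTC-5 offset and the order reverses, with the key written first and the key-based login following it.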

  • Taking advantage of Ext3 journaling file system in a forensic investigation by Gregorio Narvaez - December 11, 2007 

    The Ext3 file system has become the default for most Linux distributions, and thus it is of great importance for any practitioner of forensics to understand how Ext3 handles files differently from its predecessor (Ext2), and how knowledge of these differences can be applied to recover evidence such as deleted files and file activity.

  • Forensic Analysis of a SQL Server 2005 Database Server by Kevvie Fowler - September 28, 2007 

    An in-depth forensic analysis of a SQL Server 2005 database server.

  • Forensic Analysis of a Compromised Intranet Server by Roberto Obialero - June 8, 2006 

    This document details the forensic analysis process of a compromised Intranet server, from the verification stage to the dissection of malware code, supported by an explanation of the followed methodology.

  • Becoming a Forensic Investigator by Mark Maher - August 15, 2004 

    One of the forensic analyst's primary functions is the dissemination of the forensic process to the intended audience. To do their jobs successfully, they must write forensic reports that are both technically accurate and easy to read.

  • A Case for Forensics Tools in Cross-Domain Data Transfers by Dwane Knott - July 14, 2003 

    Corporate and government organizations' dependence on computers and networks for the storage and movement of data raises significant security issues. This paper presents three options, of which the most practical is discussed more fully.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.