Got GIAC? Free GIAC Cert Attempt Included with OnDemand 5 or 6 Day Training thru July 7

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.


Featuring 107 Papers as of May 6, 2021

  • BITS Forensics Graduate Student Research
    by Roberto Nardella - October 14, 2019 

    The “Background Intelligent Transfer Service” (BITS) is a technology developed by Microsoft in order to manage file uploads and downloads, to and from HTTP servers and SMB shares, in a more controlled and load balanced way. If the user starting the download were to log out the computer, or if a network connection is lost, BITS will resume the download automatically; the capability to survive reboots makes it an ideal tool for attackers to drop malicious files into an impacted Windows workstation, especially considering that Microsoft boxes do not have tools like “wget” or “curl” installed by default, and that web browsers (especially those in Corporate environments) may have filters and plugins preventing the download of bad files. In recent years, BITS has been increasingly used not only as a means to place malicious files into targets but also to exfiltrate data from compromised computers. This paper shows how BITS can be used for malicious purposes and examines the traces left by its usage in network traffic, hard disk and RAM. The purpose of this research is also to compare the eventual findings that can surface from each type of examination (network traffic examination, hard disk examination and RAM examination) and highlight the limitation of each analysis type.

  • View All Forensics Papers

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.