Channel: SANS Blog

Overview of Microsoft's "Best Practices for Securing Active Directory"

As incident responders, we are often called upon not only to supply answers regarding "Who, What, When, Where, and How" an incident occurred, but also to explain how the organization can protect itself against future attacks of a similar nature. In other words, what are the lessons learned and recommendations based on the findings? A new paper from Microsoft titled "Best Practices for Securing Active Directory" provides a wealth of information and guidance that responders can use to answer these types of questions. The paper can be found at the following link: http://blogs.technet.com/b/security/archive/2013/06/03/microsoft-releases-new-mitigation-guidance-for-active-directory.aspx. I've reviewed the paper and it is an excellent document in my opinion. As the foreword by Microsoft's CISO explains, the paper provides a "practitioner's ...

Get a MacBook Air, Toshiba Satellite Ultrabook, or an $850 discount with most #DFIR Online courses

Through July 11, 2013 you can receive an 11" 128GB MacBook Air (just-announced newest model), Toshiba Satellite U925T-S2120 Ultrabook Convertible, or an $850 discount when you register and pay for a qualifying* vLive or OnDemand course! To take advantage of this offer, enter one of the following discount codes at checkout: 0613_MBAIR (MacBook Air), 0613_TOSH (Toshiba Satellite Ultrabook), 0613_850 ($850 Discount). Qualifying OnDemand courses include: FOR408: Computer Forensic Investigations - Windows In-Depth

SANS Digital Forensics and Incident Response Virtual Training Offerings #DFIR

Through July 11, 2013 you can receive an 11" 128GB MacBook Air (just-announced newest model), Toshiba Satellite U925T-S2120 Ultrabook Convertible, or an $850 discount when you register and pay for a qualifying* vLive or OnDemand course!

Getting Started with Linux Memory Forensics

Like many of you, I have been watching the development of memory forensics over the last two years with a sense of awe. It is amazing how far the field has come since the day Chris Betz, George Garner and Robert-Jan Moral won the 2005 DFRWS forensics challenge. Of course, similar to other forensic niches, the majority of progress has been made on Windows memory forensics. There is good reason for this. Memory can be extremely fickle, with layouts and structures changing on a whim. As an example, the symbols file for Windows 7 SP1 x86 is 330MB, largely due to it needing to support major changes that can occur in every service pack and patch. The fact that we have free tools such as Volatile Systems Volatility and Mandiant

SANS Survey of Digital Forensics and Incident Response #DFIR

More than 450 participants completed the SANS 2013 Digital Forensics Survey, conducted online during April and May 2013. A primary goal of this survey was to identify the nontraditional areas where digital forensics techniques are used. The survey can be downloaded HERE. A webcast introducing the Survey earlier this month can be found here: https://www.sans.org/webcasts/digital-forensics-modern-times-survey-96645. The survey was written by Paul Henry, Jacob Williams, and Benjamin Wright. In the survey 54% of respondents indicated ...

Windows 8 / Server 2012 Memory Forensics

With Memoryze 3.0, the folks at Mandiant hit their mid-summer goal to roll out memory analysis support for Windows 8 (x86 and x64) and Server 2012 (x64). While support has not yet been rolled into Redline collector scripts, data collected by Memoryze can be loaded and analyzed in the Redline interface. This is no real surprise since Memoryze is the back-end collection and analysis tool that Redline relies upon. You can dump Windows memory and process your memory image with the following commands (run MemoryDD.bat from a removable device and Process.bat on your forensic box):

MemoryDD.bat -output E:\
Process.bat -input memory.img -handles true -sections true -ports true -imports true -exports true -injected true -strings true

To perform live memory analysis and take advantage of capabilities like ...

Reverse-Engineering Malware Course Expanded to Include Capture-the-Flag Challenges

SANS expanded the Reverse-Engineering Malware course (FOR610) to include a day's worth of capture-the-flag malware analysis challenges. The challenges are built upon the NetWars tournament platform and are designed to reinforce the skills learned earlier in the course by experimenting with real-world malware. You can get a sneak peek at the new experience.

Case Leads: A Forensicator's take on BlackHat/DefCon/BSides

It's been a busy time in digital forensics and incident response (DFIR). Every summer, for over 20 years, infosec professionals, forensicators and old-school hackers have gathered in Las Vegas. A mixture of very deep tech talks, trainings, and technology-oriented distractions "flood the zone" in Las Vegas. Close to 15-20,000 people were in Las Vegas this summer for what has now evolved into three separate conferences, all in the same week. July 27th was the start of Black Hat at Caesars Palace in Las Vegas. The conference kicks off with training in the last weekend of the month, and finishes on Wednesday, July 31st and Thursday, August 1st, with lectures and technical demonstrations, called "Black Hat Briefings." This year, in the wake of the NSA/Snowden row, NSA Director, General Keith Alexander gave the opening keynote. Black Hat was more corporate than ever, with more sponsor banners, and sponsor-generated talks (disclosed by the organizers, and placed in a separate area, bravo!) ...

The Power of PowerShell Remoting

PowerShell "Remoting" is a feature that holds a lot of promise for incident response. "Remoting" is the ability to run PowerShell commands directly on remote systems and have just the results sent back to the querying machine. From an IR standpoint, this is like a built-in agent ready and waiting to answer your investigative questions--at scale. As I'll discuss shortly, Remoting provides us the ability to query a thousand machines in just minutes! Before I get to the details of Remoting though, let me kick off the discussion by going through the basics of PowerShell and Windows Remote Management (WinRM), which provides the foundation for the PowerShell "Remoting" feature. After covering this background information, I'll go over the significant performance benefits of Remoting and then cover the authentication details and implications for privileged account use (fortunately there's a lot of good news on this front too).

PowerShell Basics

PowerShell is the ...

Get a MacBook Air, Toshiba Satellite Ultrabook, or an $850 discount with most #DFIR Online courses

Through Dec 13, 2013 you can receive an 11" 128GB MacBook Air (just-announced newest model), Toshiba Satellite E45T-AST2N01 Ultrabook Convertible, or an $850 discount when you register and pay for a qualifying* vLive or OnDemand course! To take advantage of this offer, enter one of the following discount codes at checkout: MacBook Air: MACB13; $850 Discount: 850B13; Toshiba Ultrabook: PCB13. Qualifying OnDemand courses include: FOR408: Computer Forensic Investigations - Windows In-Depth

DFIRCON APT Malware and Memory Challenge #DFIRCON

DFIRCON APT Malware & Memory Challenge. The memory image contains real APT malware launched against a test system. Your job? Find it. The object of our challenge is simple: Download the memory image and attempt to answer the questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 3 of the 5 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. The contest ends on January 31st, 2014 and we will announce the winner on February 3rd, 2014. Good luck! Win a free Simulcast Seat at DFIRCON Monterey - http://dfir.to/DFIR-CON by downloading the memory image ...

Get a MacBook Air, Toshiba Satellite Ultrabook, or an $850 discount with most #DFIR Online courses

Through Jan 23, 2014, you can receive an 11" 128GB MacBook Air (just-announced newest model), Toshiba Satellite E45T-AST2N01 Ultrabook Convertible, or an $850 discount when you register and pay for a qualifying* vLive or OnDemand course! To take advantage of this offer, enter one of the following discount codes at checkout: MacBook Air: MACB13; $850 Discount: 850B13; Toshiba Ultrabook: PCB13. Qualifying OnDemand courses include: FOR408: Computer Forensic Investigations - Windows In-Depth

SANS #DFIRSummit Call For Papers (Austin - Jun 2014)

Summit Dates: June 9-10, 2014
Pre-Summit Course Dates: June 3-8, 2014

The 7th annual Digital Forensics and Incident Response Summit will once again be held in the live music capital of the world, Austin, Texas. The Summit brings together DFIR practitioners who share their experiences, case studies and stories from the field. Summit attendees will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response.

Call for Speakers - Now Open

The 7th annual Forensics and Incident Response Summit Call for ...

Deadline Approaching - APT Malware and Memory Challenge #DFIRCON

DEADLINE 31 Jan 2014 -- Winner Announced 3 Feb 2014

DFIRCON APT Malware & Memory Challenge. The memory image contains real APT malware launched against a test system. Your job? Find it. The object of our challenge is simple: Download the memory image and attempt to answer the questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 3 of the 5 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. The contest ends on January 31st, 2014 and we will announce the winner on February 3rd, 2014. Good luck! Win a free Simulcast Seat at DFIRCON Monterey - http://dfir.to/DFIR-CON by downloading the memory ...

Introducing Mac Forensics: The new SANS #DFIR course in BETA starting in April, 2014

Vienna, VA | Tue Apr 22 - Sun Apr 27, 2014

Digital forensic investigators have traditionally dealt with Windows machines, but what if they find themselves in front of a new Apple Mac or iDevice? The increasing popularity of Apple devices can be seen everywhere, from coffee shops to corporate boardrooms, yet most investigators are familiar with Windows-only machines. Times and trends change and forensic investigators and analysts need to change with them. The new FOR518: Mac Forensic Analysis, written by Sarah Edwards ...

Announcing the #DFIRCON Photo Contest - Chance to Win a Free Simulcast Course
