This document outlines a 13-step process for analyzing a system for signs of malware infection. The steps include: reducing evidence files, performing antivirus checks, searching for indicators of compromise, automated and manual memory analysis, checking for persistence mechanisms, entropy/packing analysis, reviewing event logs, timeline analysis, third-party hash lookups, and analyzing MFT and file time anomalies. The goal is to methodically narrow down thousands of files to the few most likely to be malware through successive rounds of filtering and examination.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
I will be going over a list of definitions, tools that fit each category, and open source variants that fit each (if available). I will be also going over the good, bad, and ugly of new/emerging technology.
I recommend watching the talk. Many notes and context are only verbal not in the slides.
Link for talk.
http://www.irongeek.com/i.php?page=videos/bsidestampa2018/track-206-blue-teams-tool-dump-stop-using-them-term-next-gen-this-isnt-xxcall-of-dutyxx-alex-kot
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri
Syed Ubaid Ali Jafri Informed Information Security Students how to conduct black box penetration testing if you do not have prior knowledge about the network environment, Few steps and consideration that should be in mind before conducting black box audit
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
SANS Digital Forensics and Incident Response Poster 2012
1. STEP 1: Prep Evidence/Data Reduction
• Carve and Reduce Evidence
- Gather Hash List from similar system (NSRL, md5deep)
- Carve/Extract all .exe and .dll files from unallocated space
• foremost • sorter (exe directory) • bulk_extractor
• Prep Evidence
- Mount evidence image in Read-Only Mode
- Locate memory image you collected
- Optional: Convert hiberfil.sys (if it exists to raw memory image) using volatility
STEP 2: Anti-Virus Checks
Run the mounted drive through an Anti Virus Scanner with the latest updates.
Anti-virus scanners employ hundreds of thousands of signatures that can quickly
identify well-known malware on a system. First, download the latest anti-virus
signatures and mount your evidence for analysis. Use a“deep”scan when available
and consider scanning your mounted drive with multiple anti-virus engines to
take advantage of their scanning and signature differences. Get in the habit
of scanning files exported from your images such as deleted files, data carving
results, Sorter output, and email attachments. While anti-virus will not be effective
on 0-day or unknown malware, it will easily find the low hanging fruit.
STEP 3: Indicators of Compromise Search
Using indicators of compromise (IOCs) is a very powerful technique to identify
malware components on a compromised host. IOCs are implemented as a combi-
nation of boolean expressions that identify specific characteristics of malware. If
these characteristics are found, then you may have a hit. An IOC should be gener-
al enough to find modified versions of the same malware, but specific enough to
limit false positives. There are two types of indicators: Host based (shown above),
and Network based (similar to snort signatures plus additional data). The best
IOCs are usually created by reversing malware and application behavioral analysis.
What Works?
OpenIOC Framework - openioc.org
IOC Editor
IOC Finder
YARA Project
STEP 4: Automated Memory Analysis
• Behavior Ruleset
- Code injection detection
- Process Image Path Verification
• svchost outside system32 = Bad
- Process User Verification (SIDs)
• dllhost running as admin = Bad
- Process Handle Inspection
• iexplore.exe opening cmd.exe = Bad
• )!voqa.i4 = known Poison Ivy mutant
• Verify Digital Signatures
- Only available during live analysis
- Executable, DLL, and driver sig checks
- Not signed?
• Is it found in 75% of all processes?
What Works?
MANDIANT Redline
www.mandiant.com/products/free_software/redline
Volatility Malfind:
http://code.google.com/p/volatility
STEP 5: Evidence of Persistence
Malware wants to hide, but it also wants to survive a reboot. Malware persistence
is extremely common and is an excellent way to find hidden malware. Persistence
comes in many forms. The simplest mechanism is via scheduled tasks and the“at”
command. Other popular persistence mechanisms include Windows Services and
auto-start locations. An adversary can run their malware as a new service or even
replace an existing service. There are numerous Windows Registry mechanisms to
auto-start an executable at boot or login. Using a tool called autorunsc.exe will eas-
ily parse the autostart locations across scheduled tasks, services, and registry keys.
While these are the most common, keep in mind there are more advanced tech-
niques. For example the Mebromi malware even flashes the BIOS to persist. Attacks
of this nature are rare because even the simplest of techniques are effective, allowing
attackers to maintain persistence for long periods of time without being discovered.
What Works? Autorunsc.exe from Microsoft sysinternals
http://technet.microsoft.com/en-us/sysinternals/bb963902
STEP 6: Packing/Entropy Check
• Scan the file system or common locations for possible malware
- Indication of packing
- Entropy test
- Compiler and packing signatures identification
- Digital signature or signed driver checks
What Works?
MANDIANT Red-Curtain http://www.mandiant.com/resources/download/red-curtain
DensityScout http://cert.at/downloads/software/densityscout_en.html
Sigcheck - http://technet.microsoft.com/en-us/sysinternals/bb897441
STEP 7: Review Event Logs
What Works?
logparser - http://www.microsoft.com/download/en/details.aspx?id=24659
Event Log Explorer - http://eventlogxp.com
Log Parser Lizard - http://www.lizard-labs.net
STEP 8: Super Timeline Examination
Once you are down to about 10-20 candidates, it is a good time to identify
where those files show up in your timeline. The additional context of seeing
other files in close temporal proximity to your candidates allows you to identify
false positives and focus on those files most likely to be malicious. In the above
example, we see the creation of the file winsvchost.exe in the C:Windows
System32 directory. If this were one of your candidate files, you would clearly
see artifacts that indicate a spearphishing attack surrounding that file’s creation
time. Notably, an .XLS file was opened via email, winsvchost.exe was executed,
an auto-start persistence mechanism was created and finally, a network socket
was opened. All within one second! Contextual clues in temporal proximity to
the files you are examining are quite useful in your overall case.
What Works? log2timeline found in SIFT Workstation
http://computer-forensics.sans.org/community/downloads
STEP 9: By-Hand Memory Analysis
Memory analysis is one of the most powerful tools for finding malware.
Malware has to run to be effective, creating a footprint that can often be easily
discovered via memory forensics. A standard analysis can be broken down
into six major steps. Some of these steps might be conducted during incident
response, but using a memory image gives deeper insight and overcomes any
rootkit techniques that malware uses to protect itself. Memory analysis tools
are operating system specific. Since each tool gathers and displays information
differently, use multiple tools to check your results.
What Works? Volatility http://code.google.com/p/volatility
Mandiant Redline www.mandiant.com/products/free_software/redline
STEP 10: By-Hand 3rd Party Hash Lookups
Hash lookups to
eliminate known
good files and identify
known bad files is
a useful technique
when narrowing down
potential malware.
Bit9 FileAdvisor is a
free search engine for querying Bit9’s application whitelisting database. It is
available via online lookup, as well as via a downloadable utility
(http://fileadvisor.bit9.com/services/wu/latest/FileAdvisor.msi). The
National Software Reference Library also provides a robust set of known good
hashes for use.
VirusTotal will scan a file through over 40 different A/V scanners to determine
if any of the current signatures detect the malware. VirusTotal also allows its
database to be searched via MD5 hashes, returning prior analyses for candidate
files with the same MD5.
What Works?
VirusTotal www.virustotal.com and bit9 http://fileadvisor.bit9.com
NSRL Query http://nsrlquery.sourceforge.net
STEP 11: MFT Anomalies
A typical file system has hundreds of thousands of files. Each file has its own
MFT Record Number. Because of the way operating systems are installed, it’s
normal to see files under entire directory structures written to disk with largely
sequential MFT Record Number values. For example, above is a partial directory
listing from a Windows NTFS partition’s %system32% directory, sorted by date.
Note that the MFT Record Number values are largely sequential and with some
exceptions, tend to align with the file creation times. As file systems are used
over the years and new patches are applied causing files to be backed up and
replaced, the ordering of these files by MFT Record Number numbers can break
down. Surprisingly, this ordering remains intact enough on many systems, even
after years of use, that we can use it to spot files of interest. This will not happen
every time as MFT entries are recycled fairly quickly, but in many cases an outlier
can be identified.
STEP 12: File-Time Anomalies
• Timestamp Anomalies
- $SI Time is before $FN Time
- Nanoseconds values are all zeroes
One of the ways to tell if file time backdating occurred on a windows machine
is to examine the NTFS $Filename times compared to the times stored in
$Standard Information. Tools such as timestomp allow a hacker to backdate
a file to an arbitrary time of their choosing. Generally, hackers do this only to
programs they are trying to hide in the system32 or similar system directories.
Those directories and files would be a great place to start. Look to see if the
$Filename (FN) creation time occurs after the $Standard Info creation time as
this often indicates an anomaly.
What Works?
analyzeMFT.py found on SIFT Workstation and
www.integriography.com
log2timeline found on SIFT Workstation
STEP 13: You Have Malware!
Now What?
• Hand it to Malware Analyst
- FOR610 – RE Malware
- Hand over sample, relevant configuration
files, memory snapshot
• Typical Output from Malware Analyst
- Host-based indicators
- Network-based indicators
- Report on malware capabilities
and purpose
• You can now find additional systems compromised by the
malware you found
Finding Unknown Malware – Step-By-Step
Finding unknown malware is an
intimidating process to many, but
can be simplified by following some
simple steps to help narrow your
search. This is not an easy process,
but using the techniques in this
chart you will learn how to narrow
the 80,000 files on a typical machine
down to the 1-4 files that is possible
malware. This process of Malware
Funneling is key to your quick and
efficient analysis of compromised
hosts and will involve most of the
skills you have built up across both
FOR408 Windows Forensics and
FOR508 Advanced Forensics and
Incident Response
Windows Time Rules
$ S T D I N F O
$ F I L E N A M E
Modified –
No Change
Access –
No Change
Creation –
No Change
Metadata –
Changed
Modified –
No Change
Access –
No Change
Creation –
No Change
Metadata –
Changed
Modified –
No Change
Access –
No Change
Creation –
No Change
Metadata –
No Change
Modified –
No Change
Access –
No Change
Creation –
No Change
Metadata –
No Change
Modified –
No Change
Access –
No Change
Creation –
No Change
Metadata –
No Change
Modified –
No Change
Access –
No Change
Creation –
No Change
Metadata –
No Change
Modified –
No Change
Access –
No Change
Creation –
No Change
Metadata –
No Change
Modified –
Change
Access –
No Change
Creation –
No Change
Metadata –
Changed
Modified –
Change
Access –
No Change
Creation –
No Change
Metadata –
Changed
Modified –
No Change
Access –
Change
NoChangeon
Vista/Win7
Creation –
No Change
Metadata –
Changed
Modified –
No Change
Access –
Change
Creation –
No Change
Metadata –
Changed
Modified –
No Change
Access –
Change
Creation –
Change
Metadata –
Changed
Modified –
Change
Access –
Change
Creation –
Change
Metadata –
Changed
Modified –
Change
Access –
Change
Creation –
Change
Metadata –
Changed
Modified –
Change
Access –
Change
Creation –
Change
Metadata –
Changed
Modified –
Change
Access –
Change
Creation –
Change
Metadata –
Changed
File
Rename
Local
File Move
Volume
File Move
File
Copy
File
Access
File
Modify
File
Creation
File
Deletion
File
Rename
Local
File Move
Volume
File Move
File
Copy
File
Access
File
Modify
File
Creation
File
Deletion
Digital Forensics
and Incident Response
P O S T E R
FALL 2012 – 22n d EDITION
http://computer-forensics.sans.org
Website:
http://computer-forensics.sans.org
Blogs:
http://computer-forensics.sans.org/blog
SIFT Workstation:
http://computer-forensics.sans.org/
community/downloads
Twitter:
www.twitter.com/sansforensics
REMNUX
http://zeltser.com/remnux
Additional Forensics Course
FOR558
Network
Forensics
FOR563
Mobile Device
Forensics
FOR508
Advanced Computer
Forensic Analysis
Incident Response
GCFA
FOR408
Computer Forensic
Investigations –
Windows In-Depth
GCFE
FOR610
REM: Malware
Analysis Tools
Techniques
GREM
FOR526
Windows Memory
Forensics In-Depth
SANS Digital Forensics and Incident Response
C urriculum