Blog

2013 Digital Forensics and Incident Response Summit #DFIR in Austin Texas 8-9 July

The 2013 Digital Forensics & Incident Response Summit & Training, taking place in Austin, TX is fast approaching.

*** SANS is offering a one-time discount for the DFIR Summit & Training to government employees (e.g., federal, state, local, DoD). This offer reduces the Summit registration fee from $1,995 to $795 when purchased in conjunction with a full-priced course. The discount is available for a limited time only, on a first come, first served basis. Please register at https://www.sans.org/registration/register.php?conferenceid=30107 with the code DFIRGOV

*** There is also a 10% off code: DFIR



Why should you attend the DFIR Summit ...

Sneak Preview: FOR572 on PaulDotCom June 12, 2013

You might have noticed that we recently posted the course description for the upcoming all-new course, FOR572: Advanced Network Forensics and Analysis. FOR572 will include a lot of tcpdump and Wireshark work, but it also goes beyond that, using a "big picture" approach that incorporates evidence and methods covering all kinds of network-based systems and devices. Since every device that handles a network communication can provide a unique and valuable "witness's view" of an incident, these skills are critical to conducting a comprehensive investigation. However, with so many sources and formats of evidence, analysis quickly becomes a challenge. Mo' evidence, mo' problems...

Although the

...

Windows Memory Analysis In-Depth - Discount Code = WINDEX = 10% Off #DFIR

Memory analysis skills are among the most in-demand skills for digital forensics, incident response, and malware analysts today. SANS is introducing a brand new 5-day class dedicated to Windows Memory Forensics. The hands-on course, written by memory forensics pioneer Jesse Kornblum, is incredibly comprehensive and a crucial course for any investigator who is analyzing intrusions.

SANS is offering a 10% discount off the FOR526 course for the following events (Discount Code: WINDEX):



  1. SANSFIRE 2013 - Washington, DC - June 17-21 - http://www.sans.org/info/128960

  2. Network Security ...

Control Panel Forensics: Evidence of Time Manipulation and More

The GUI control panel is a long-standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features. It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes). From a forensic perspective, we can audit control panel usage to identify a wide range of user activity:

  • Firewall changes made for unauthorized software (firewall.cpl)
  • User account additions / modifications (nusrmgr.cpl)
  • Turning off System Restore / Volume Shadow Copies (sysdm.cpl)
  • System time changes (timedate.cpl)
  • Interaction with third-party security software applets

While identifying individual system modifications is difficult, at a minimum we can show that a user accessed a specific control panel applet at a specific time. Context provided by other artifacts may provide further information. As ...

Getting Your First DFIR Job

Recently, I spoke to students in a computer forensics class who will be graduating in the spring of 2013 about getting a job in computer forensics after school. We covered interview tips and performed mock forensic job interviews, and I realized there are some pointers I could share about the process from a hiring manager's perspective to help candidates better prepare for seeking that first position in computer forensics. While many aspects of getting that first job are common to any field, serious computer forensics professionals do have a mindset, attitude and passion that requires a certain approach when a candidate is looking for their first job in the field.

Resume/C.V.:

Generally a resume is skimmed and reviewed in about 20-30 seconds, which means you need to make sure it is laid out in a way that gets you on the short stack of potential candidates. You want to consider ordering sections by your objectives, education,

...