DFIRCON APT Malware & Memory Challenge
The memory image contains real APT malware launched against a test system.Your job? Find it.
The object of our challenge is simple: Download the memory image and attempt to answer the questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 3 of the 5 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. The contest ends on January 31st, 2014 and we will announce the winner on February 3rd, 2014. Good luck!
Win a free Simulcast Seat at DFIRCON Monterey - http://dfir.to/DFIR-CON by downloading the memory image
ThroughDec 13, 2013you can receive a 11" 128GB MacBook Air (just-announced newest model), Toshiba Satellite E45T-AST2N01Ultrabook' Convertible, or an $850 discount when you register and pay for a qualifying*vLiveorOnDemandcourse! SANS-Forensics-Virtual-Training-Offerings
To take advantage of this offer, enter one of the following discount codes at checkout:
FOR408: Computer Forensic Investigations - Windows In-Depth
PowerShell "Remoting" is a feature that holds a lot of promise for incident response. "Remoting" is the ability to run PowerShell commands directly on remote systems and have just the results sent back to the querying machine. From an IR standpoint, this is like a built-in agent ready and waiting to answer your investigative questions--at scale. As I'll discuss shortly, Remoting provides us the ability to query a thousand machine in just minutes!
Before I get to the details of Remoting though, let me kickoff the discussion by going through the basics of PowerShell and Windows Remote Management (WinRM), which provides the foundation for the PowerShell "Remoting" feature. After covering this background information, I'll go over the significant performance benefits of Remoting and then cover the authentication details and implications for privileged account use (fortunately there's a lot of good news on this front too).
PowerShell is the ...
It's been a busy time in digital forensics and incident response (DFIR). Every summer, for over 20 years, infosec and forensicators and old school hackers have gathered in Las Vegas. A mixture of very deep tech talks, trainings, and technology oriented distractions "flood the zone" in Las Vegas. Close to 15-20,000 people were in Las Vegas this summer for what has now evolved into three separate conferences, all in the same week.
July 27th was the start of Black Hat atCaesars Palace in Las Vegas. The conference kicks off with training in the last weekend of the month, and finishes onWednesday, July 31st and Thursday, August 1st, with lectures and technical demonstrations, called "Black Hat Briefings." This year, in the wake of the NSA/Snowden rowe, NSA Director, General Keith Alexander gave the opening keynote. Black Hat was more corporate than ever, with more sponsor banners, and sponsor-generated talks (disclosed by the organizers, and placed in a separate area, bravo!)
SANS expanded the Reverse-Engineering Malware course (FOR610) to include a day's worth of capture-the flag malware analysis challenges. The challenges are built upon the NetWars tournament platform and are designed to reinforce the skills learned earlier in the course by experimenting with real-world malware. You can get a sneak peak at the new experience.