Blog: Category - Evidence Analysis

Mark this date: On March 20th 2013, the non-technical managers may finally start to understand what a digital forensics professional actually does. With the massive cyber attacks on South Korean banks, media outlets, and ISPs, the role of forensicators is put front and center. The attack(s) resulted in widespread ATM outages, online banking and mobile banking offline, and tens of thousands of PCs wiped of all their data. At minimum, non-technical decision makers should finally start to understand that cyber attackers are not targeting "someone else." The attacks in South Korea had an impact on the bottom line of many South Korean firms. Since many of the same strategies for information security and incident response are used by most westernized nations, many experts agree that the attacks in South Korea are a warning sign of what could happen in the United States. We have analytical coverage of the South Korean attacks, with stories and drill downs that go beyond the

Dear like-minded people,

I'm very proud to announce that our (CERT.at - CERT Austria) latest contribution to the malware analysis community is finally available as open beta.

It's called ProcDOT - I already gave a preview of the alpha version some months ago at SANS Forensics Summit in Prague - and it is an absolute must have tool for everyone's lab, at least in my humble opinion ;-)

It correlates Procmon logfiles and PCAPs to an interactively investigateable graph. Besides that ProcDOT is now also capable of animating the whole infection evolution based on a timeline of activities. This feature lets you even quickly find out which server or which requests were responsible that specific data/code got on the underlying system, by which process it was written, how often, who injected what, which autostart registry key was set, what happened when, and so forth ...

ProcDOT's approach of correlating Procmon logs and PCAPs to a directed animateable graph has

This week on Case Leads, we learn the truth of China's cyber espionage unit, Twitter verified accounts were hacked and there have been some updates to some of your favorite tools.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it tocaseleads@sans.org.

Tools:

• HMFTwas given a small update.


• Autopsywas recently updated as well.


• Passware can now extract passwords for certain popular websites from memory.

• A very interesting article about finding and reverse

[Author's Note: This is the 6th in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with comprised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.]

PsExec is an extremely powerful tool and is used commonly in enterprise networks, for both good and evil. Systems administrators and incident responders use it for its flexibility in interacting with remote machines, including a telnet-like ability to run command-line tools on remote machines and receive the output on their local console. Attackers utilize it for the same reasons, providing a convenient way to move laterally and interact with remote machines using compromised credentials.

Given its power, you might wonder what the

The general public is getting a lesson in incident response with the post Hurricane Sandy storm damage in the Northeastern part of the United States. Your case leads blogger is working on incident responses related to the storm. Many non-technical professionals have had a chance to witness the challenges of DFIR. And some are starting to ask some very intelligent questions: How resistant are IT systems to intentional cyber attacks? Could attackers do more damage than a natural disaster? We have stories this week that try to answer the question this way: Do we need a strategic shift in how we respond to incidents? Listen to the interview with Conrad Constantine on his take regarding a new approach to incident response.

Before all the storm coverage saturated the news, there were a flurry of news stories following Secretary of Defense Leon Panetta's statements on how poorly prepared the nation's critical infrastructure is vulnerable to cyber attacks. And, after Hurricane