SANS Forensics Whitepapers

White Papers are an excellent source for information gathering, problem-solving and learning. Below is a list of White Papers written by forensic practitioners seeking GCFA, GCFE, and GREM Gold. SANS attempts to ensure the accuracy of information, but papers are published "as is".

Errors or inconsistencies may exist or may be introduced over time. If you suspect a serious error, please contact webmaster@sans.org.

Paper | Author | Cert
Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis | Terrence OConnor | GCFA
Integrating Forensic Investigation Methodology into eDiscovery | Colin Chisholm | GCFA
Mastering the Super Timeline With log2timeline | Kristinn Gudjonsson | GCFA
Integrating Forensic Investigation Methodology into eDiscovery | Jeff Groman | GCFA
Techniques and Tools for Recovering and Analyzing Data from Volatile Memory | Kristine Amari | GCFA
Mobile Device Forensics | Andrew Martin | GCFA
A Forensic Primer for Usenet Evidence | Mark Lachniet | GCFA
Mac OS X Malware Analysis | Joel Yonts | GCFA
Analysis of a Simple HTTP Bot | Daryl Ashley | GREM
Clash of the Titans: ZeuS v SpyEye | Harshit Nayyar | GREM
Comprehensive Blended Malware Threat Dissection: Analyze Fake Anti-Virus Software and PDF Payloads | Anthony, Cheuk Tung Lai | GREM
Data carving Concepts | Antonio Merola | GCFA
Reverse Engineering a Windows Screensaver e-Postcard | Seth Hardy | GREM
Ex-Tip: An Extensible Timeline Analysis Framework in Perl | Michael Cloppert | GCFA
Building a Malware Zoo | Joel Yonts | GREM
Reverse Engineering the Microsoft exFAT File System | Robert Shullich | GCFA
Logic Models for Computer Forensics | Jim Garrett | GCFA
Google Desktop Search as an Analysis Tool | Chris Poldervaart | GCFA
Taking advantage of Ext3 journaling file system in a forensic investigation | Gregorio Narvaez | GCFA
A Forensic Investigation Plan and Cookbook | Gerald King | GCFA
Analysis of a serial based digital voice recorder | Craig Wright | GCFA
Analysis of a seized USB Flashdrive | Cheuk Wai Yuen | GCFA
Unspoken Truths - Forensic Analysis of an Unknown Binary | Louie Velocci | GCFA
Forensic Analysis of a SQL Server 2005 Database Server | Kevvie Fowler | GCFA
Forensic Analysis of a Compromised Intranet Server | Roberto Obialero | GCFA
Discovery Of A Rootkit: A simple scan leads to a complex solution | John Melvin | GCFA
Lessons from a Linux Compromise | John Ritchie | GCFA
CC Terminals, Inc. Forensic Examination Report: Examination of a USB Hard Drive | Brent Duckworth | GCFA
Forensic Analysis of a Compromised NT Server (Phishing) | Andres Velazquez | GCFA
CC Terminals Computer Forensics Analysis Report | George Do | GCFA
Analysis of a USB Flashdrive | Christian Chablais | GCFA
Forensic Analysis of a USB Flash Drive | Norrie Bennie | GCFA
Examining an Unknown Image & Analysis of a compromised Honeypot | Farina Ramli | GCFA
Forensic Examination of USB Data storage artifact | Ben Reardon | GCFA
Forensic analysis of a provided image | Rudolph Pereira | GCFA
Analysis of an unknown USB JumpDrive image | Roger Hiew | GCFA
Forensic Analysis on a compromised Windows 2000 system | George Ng | GCFA
Forensic Analysis: Leila Conlay versus Robert Lawrence, Harassment Case | Matthew Carpenter | GCFA
Forensic Investigation of USB Flashdrive Image for CC Terminals | Rhonda Diggs | GCFA
Forensic Analysis of a Misused System | David Shettler | GCFA
Forensic analysis of a Fedora Core 3 Notebook | Michael Halm | GCFA
Steganography for spies and spybots for hackers | Andrew Christensen | GCFA
Analysis of an Image Provided from the GIAC Website | Juan Carlos Reyes Muñoz | GCFA
Forensic with Open-Source Tools and Platform: USB Flash Drive Image Forensic Analysis | Leonard Ong | GCFA
CC Terminals Harassment Case | Dean Farrington | GCFA
Computer forensics investigation - Image file analysis | Michael Spellane | GCFA
Careless Crackers kill Computers | Conall O'Brien | GCFA
Camouflaged and Attacked? | Bertha Marasky | GCFA
Analysis of WinHex | Jessica Dillinger | GCFA
Analyze an Unknown Image and Perform Forensic Tool Validation | Patricia Watson | GCFA
Forensic Analysis of Camouflage and Validation of X-Ways Forensics Tool | Michael Aylor | GCFA
Forensic Image Analysis of a USB Flashdrive | Howard Heerwagen | GCFA
Forensic analysis of a seized USB Flashdrive image | Ben Doyle | GCFA
Analysis of an unknown disk | Jure Simsic | GCFA
Report on the Forensic Analysis of a recovered Floppy Disk | Steve Armstrong | GCFA
Analysis of a FAT16 formatted image using Linux, TSK and Autopsy | Ove Hansen | GCFA
Oracle Database Forensics using LogMiner | Paul Wright | GCFA
Infected or Owned? | Anton Chuvakin | GCFA
Analysis of a 64MB Lexar Media USB JumpDrive | Joseph Chen | GCFA
Spanish - Forensic Analysis of a Windows 98b system | Oscar Ruiz | GCFA
Forensic Analysis on a Windows 2000 Server | Regis Cassidy | GCFA
Forensic Analysis of an Apple iBook G4 | Alberto Partida | GCFA
NTLast as a Forensic Tool | Richard Grime | GCFA
Analyze an image and Perform Forensic | Francisco Pecorella | GCFA
Evaluation of a Zero-Day Worm Variant at a Health Clinic | Jonathan Taylor | GCFA
Analyze an Unknown Image and Forensic Tool Validation: Sterilize | Steven Becker | GCFA
Analysis of a Windows XP Professional compromised system | Manuel Santander | GCFA
Analysis of a Commercial Keylogger installed on multiple systems | Merlin Namuth | GCFA
HONORS - Analysis of a USB Flashdrive Image | Raul Siles | GCFA
Analysis of a USB Flashdrive Image | Kevin Wenchel | GCFA
A Touch of Superiority in Linux | Slade Griffin | GCFA
Forensic Analysis of a Windows 2000 Server | Byrne Ghavalas | GCFA
Forensic analysis of a Windows XP SP1 | Rob Ferrill | GCFA
Forensic analysis of a honeypot RedHat Linux 6.2 | Mark Read | GCFA
Compromise analysis of a University SGI Indy workstation running IRIX | Chris Russel | GCFA
Forensic analysis of a compromised Solaris server | Russell Shepherd | GCFA
Analysis on a compromised RedHat 8.0 machine | Jessica Deline | GCFA
Analysis on a compromised Linux RedHat 8.0 Honeypot | Jeff Bryner | GCFA
Forensic analysis of a Windows 98 system | Jerry Shenk | GCFA
Forensic Analysis on a Windows 2000 system | John Hayday | GCFA
Forensic Investigation of a Hacked Redhat 7.1 System | Nihar Khedekar | GCFA
Perform Forensic Analysis on a Red Hat Linux release 7.1.2 Server | Pramod Pawar | GCFA
Forensic Analysis of a Red Hat Linux release 7.1 Server | Vijaykumar VK | GCFA
Use of SSH as a forensic tool | Layne Bro | GCFA
Forensic Analysis on a compromised Windows 2000 Honeypot | Peter Hewitt | GCFA
Forensic Tool Validation of Compromised Computer Inventory System | James Perry | GCFA
How not to use a rootkit | Michael Wilson | GCFA
Analysis of a Red Hat Honeypot | James Shewmaker | GCFA
Forensic Analysis on a compromised Linux Web Server | Jeri Malone | GCFA
Forensic Analysis of a Sun Ultra System | Tom Chmielarski | GCFA
Forensic Validity of Netcat | Michael Worman | GCFA
Forensic Analysis on a Windows 2000 Pro Workstation | David Cragg | GCFA
Forensic Analysis on acquired eBay Hard Drives | Richard Bunnell | GCFA
Forensic Analysis on a Linux IPNET challenge system | Alfredo Rinaldi | GCFA
Forensic Analysis of a Windows 2000 Web Server | Yi-Chung Liu | GCFA
Evaluation of The Forensic Toolkit | Akiteru Kamoshida | GCFA
Forensic Analysis of an eBay acquired Drive | Daniel Wesemann | GCFA
Analysis of a Compromised Honeypot - VMware/Linux 7.3 | Stephen Hall | GCFA
Becoming a Forensic Investigator / Use of Forensic Toolkit | Mark Maher | GCFA
Forensic analysis of a Windows 2000 computer literacy training and software development device | Golden Richard | GCFA
Sys Admins and Hackers / Analysis of a hacked system | Lars Fresen | GCFA
Forensic Analysis of a Windows 2000 server with IIS and Oracle | Beth Binde | GCFA
Romanian Winter - Forensic Analysis of a Linux system | Garnot Ladstaetter | GCFA
Forensic Analysis of a compromised Sun Ultra 5 workstation | Carl Madzelan | GCFA
Forensic analysis of a compromised Linux RedHat 7.3 system | Kevin Miller | GCFA
Analysis of a Linux Honeypot | Tyler Hudak | GCFA
Forensic Analysis Procedures of a Compromised system using Encase | Jeffrey McGurk | GCFA
Analysis of tar2d2 as a Forensic Tool | Frank Adelstein | GCFA
Forensic analysis of a Compromised Red Hat 7.2 Web Server | Martin Walker | GCFA
Forensic analysis of a Compromised Windows 2000 workstation | Charles Fraser | GCFA
Forensic Examination of a home firewall and network services system | Brian Carlson | GCFA
Evaluation of Crocware's Mount Image Pro as a Forensic Tool | Hugh Tower-Pierce | GCFA
Forensic Tool Evaluation - Pasco | Rick Larabee | GCFA
Forensic Tool Evaluation - MiTeC Registry File Viewer | Kevin Fiscus | GCFA
Hidden Data Is Evidence Too / Metadata Assistant tool Evaluation | Bob Pelcher | GCFA
Compromised Redhat Linux 7.2 Honeypot Analysis | Jason Anderson | GCFA
Forensic analysis/process for a Windows 2000 SP2 Pro with IIS installed | Jennie Callahan | GCFA
Trash and Treasure - Computer Forensics and Public Domain Data (Bmap Tool Analysis) | Michael Scott | GCFA
Evaluation of Forensics SF-5000u as forensic Hardware | Steven Hickey | GCFA
Hackers and Trackers (Linux Forensic Analysis) | Andy Scott | GCFA
Malcode Context of API Abuse | Ken Dunham | GREM
Review of Foundstone Vision as a forensic tool | Bil Bingham | GCFA
Forensic Analysis of a RedHat 7.1 Server with Apache Web Server | Aaron Sierra | GCFA
Analysis of a Suspect Red Hat 6.2 Linux Server | Guilherme Venere | GCFA
Forensics under Brazilian Legislation (HoneyPot evaluation) | Jacomo Piccolini | GCFA
Piping a Shell in an ICMP Tunnel - A Forensic Study of Malicious Code | Robert Noakes | GCFA
Analysis of an IRC-bot compromised Microsoft Windows system | Jennifer Kolde | GCFA
Evaluation of Linux ext2 file system debugger/debugfs for forensic use | Michael Harvey | GCFA
Evaluation of Windows Forensic Toolchest | Monty McDougal | GCFA
An Endeavor Down the Forensic Highway (Windows 2000 Professional) | Kristy Westphal | GCFA
Forensic Analysis of a Honeypot Redhat 6.2 system | Sven Olensky | GCFA
Forensic Analysis of a Compromised Windows NT4 workstation | Adrian Hammill | GCFA
Analysis of a Windows 2000 corporate web server | Carlo Cordeschi | GCFA
Forensic event with a Microsoft Windows 2000 Server | Norbert Nolin | GCFA
Validation of icat and ils for Forensic Use | David Gabler | GCFA
Safe at Home? | David Perez | GCFA
Evaluation of a Honeypot Windows 2000 Server with an IIS Web/FTP Server | Kenneth Pearlstein | GCFA
Forensic Tool Validation, and Legal Issues of Incident Handling | Christopher Vera | GCFA
Forensic Analysis and process of a Mandrake Linux 9.1 system | Dennis Da Cruz | GCFA
Binary Analysis, Forensics and Legal Issues | Michael Wyman | GCFA
Analyses of Italian Malware, Romanian Rootkits, and United States Computer Law | Michael Ford | GCFA
Forensic Analysis of a Compromised System | Richard Lee | GCFA
Analysis of a compromised RedHat 6.2 web server running Apache | Bradley Filmer | GCFA
If it quacks like a duck, is it really a duck? | Andrew Hall | GCFA
Forensic Analysis of Shared Workstation | Michael Kerr | GCFA
Ironically, Some Targets Are Harder Than Others | Michael Clarkson | GCFA
Legal Issues of Computer Incident Handling | Helen Psaila | GCFA
Forensics and Incident Response: Three Investigations | Brian Hutson | GCFA
Digging covert tunnels - Analysis of an unknown binary | Michael Murr | GCFA
Computer Forensic Analysis of an Unknown Binary and The Complete Computer Forensic Investigation of a Hard Drive | Brian Capellini | GCFA
An Exercise In Practical Computer Forensic Analysis | Adam Campaign | GCFA
Forensic Analysis of a MUD Gaming/Development Server | John Banghart | GCFA
Forensic Investigation, Analysis, Documentation, and Law | Karl Prentner | GCFA
Forensic Analysis of Surplused system hard drives | William Bellamy, Jr. | GCFA
Analyzing a Binary File and File Partitions for Forensic Evidence | James Butler | GCFA
Open Source Forensic Analysis - Windows 2000 Server | Andre Arnes | GCFA
Forensic Analysis of Another Honeypot | Jarrad Lisman | GCFA
Forensic Analysis: ThinkPad 600 laptop running Windows 2000 server | Brad Bowers | GCFA
Analysis of a Suspect Red Hat Linux 7.2 System Running Apache v1.3.22 | Christopher Lee | GCFA
EasyRecovery Professional (ER Pro) | Kamarul Baharin Khalid | GCFA
A Proposal for a Binary Comparison Technique | Gerardo Lamastra | GCFA
Forensic Analysis of dual bootable Operating System (OS) running a default Red Hat 6.2 Linux server installation and Windows 98 | Mohd Shukri Othman | GCFA
Building an Automated Behavioral Malware Analysis Environment using Open Source Software | Jim Clausing | GREM
Analysis of a Software Write Blocker - That Works? | Suzanne Chevalier | GCFA
Forensic Analysis of an unfamiliar Windows 2000 system | Jeff Kurasiewicz | GCFA
An Examination of a Compromised Solaris Honeypot, an Unknown Binary, and the Legal Issues Surrounding Incident Investigations | Robert Mccauley | GCFA
Analysis of LOKI2, Using mtree as a Forensic Tool, and Sharing Data with Law Enforcement | Andrew Korty | GCFA
Forensic Studies in the Digital World | Mark de Jong | GCFA
System Analysis of a Compromised Windows 2000 Professional System | Robin Stuart | GCFA
Loki & the Honeypot: Forensic Analyses | Matthew Geiger | GCFA
Use of sg_dd for Computer Forensics | Michael Stone | GCFA
Forensic Analysis of a Discarded University Computer System | Philip Craiger | GCFA
Analysis of a Suspect Windows 2000 Server SP3 Running IIS | Sid Faber | GCFA
Forensic analysis of a compromised RedHat Linux 7.0 system | Jacob Cunningham | GCFA
Analysis of a Compromised Honeypot on a Cable Modem | Matthew Schlereth | GCFA
Validation of Norton Ghost 2003 | John Brozycki | GCFA
Validation of NTLast v3.0 | John Dolak | GCFA
Discovering Winlogoff.exe | Jennie Callahan | GREM
Analysis of a Suspect Red Hat Linux 6.2 System | Ray Strubinger | GCFA
Reverse Engineering msrll.exe | Rick Wanner | GREM
Analysis of a Suspect Windows 95 SR2 System | James Filiberto | GCFA
Validation of TASK v1.50 fsstat and dstat | Richard Ginski | GCFA
GREMlins: Are you taking the mIRC | Adrian Hammill | GREM
A Search for the Origin of a September 2001 Bomb Threat | Bill Curd | GCFA
Validation of The Coroner's Toolkit v1.11 mactime | Matthew Dalton | GCFA
Validation of GNU tar v1.13.19 & v1.13.25 and GNU cpio v2.4.2 & v2.5 | Chris Calabrese | GCFA
Analysis of a Compromised Windows NT 4.0 Server Running MS SQL Server 7.0 | Steven Lukacs | GCFA
Validation of GNU strings v2.11.90.0.8 | Neil Desai | GCFA
Validation of Process Accounting Records | Jim Clausing | GCFA
Analysis of a Honeypot running Red Hat Linux 6.2 | Keven Murphy | GCFA
Analysis and Comparison of Red Hat Linux 6.2 Honeypots With & Without LIDS-enabled Kernels | Greg Owen | GCFA
Analysis of a Suspect Red Hat Linux 6.2 System | Ryan Van Riper | GCFA
Analysis of a Compromised Red Hat Linux 7.2 System | Jerry Pierce | GCFA
Analysis of an Unknown Red Hat Linux 7.3 System | Stephen Pedersen | GCFA
Analysis of an Unknown Mac OS X Public Beta System Using Mac OS X 10.2 | Roland Miller | GCFA
Validation of ISObuster v1.0 | Steven Dietz | GCFA
Analysis of a Suspect Windows XP Professional System | Dave Wagner | GCFA
Analysis of a Potentially Misused Windows 95 System | Gregory Leibolt | GCFA
Validation of Restorer 2000 Pro v1.1 (Build 110621) | Denis Brooker | GCFA
Validation of a Modified UNIX "script" Command to Monitor Shell Sessions | Ryan Barnett | GCFA
Malware Adventure | Russell Elliott | GREM
Analysis of a Suspect Red Hat Linux 6.1 System | James Fung | GCFA
Analysis of a Virus Infected Windows 98 SE System | Richard Hayler | GCFA