Just in time for the holidays, we have a new update to the SANS Memory Forensics Cheatsheet! Plugins for the Volatility memory analysis project are organized into relevant analysis steps, helping the analyst walk through a typical memory investigation. We added new plugins like hollowfind and dumpregistry, updated plugin syntax, and now include help for those using the excellent winpmem and DumpIt acquisition tools. The cheatsheet includes nearly everything you need to spend a relaxing evening at home analyzing memory dumps. Enjoy!
UPDATE: I am excited to announce that SANS FOR408 is now FOR500. Over the last few years, we have continued to add more technical content to the class while ageing out some of the more basic material. While the class still provides an excellent framework for conducting Windows forensic analysis, the course difficulty level has shifted to the SANS “5” level. It gives us the freedom to teach some of the more complex forensic artifacts and techniques while still staying true to keeping it a “foundational” forensics course. See for yourself: FOR500.pdf
Rob Lee put together a webcast discussing some of the class updates and changes: https://www.sans.org/webcasts/103377
With the major expansion of forensic curriculum at the SANS Institute, I frequently get questions about what class(es) to take. If you are trying to decide between FOR408 (Windows Forensics) and FOR508 (Advanced Forensics and Incident Response), this is the best comparison I have seen online.
I found the following quote particularly insightful: “508 is not a more advanced version of the 408, it’s a completely different course with completely different objectives.”
Digital Forensics Tips blog: A look at how the SANS computer forensics courses 408, 508 and 610 fit together buff.ly/ZlZqwH #DFIR
— Chad Tilbury (@chadtilbury) May 23, 2013
The team at FIRST (Forum of Incident Response and Security Teams) reached out to talk about my upcoming presentation on Windows credential attacks at their annual conference. We spoke about why enterprise credential protection is so important and some of the recent Microsoft updates to help minimize the attack surface. The entire Windows credential infrastructure has been under unceasing attack over the last couple of years, and amazingly things are about to get far worse. New tools like Bloodhound and Death Star are using graph databases to effortlessly map account permissions and sessions, greatly magnifying poor credential hygiene. At the moment, it is hard to imagine a larger threat to the enterprise. Podcast: https://media.first.org/podcasts/FIRST2017_ChadTilbury.mp3
If you will miss FIRST2017, I will be presenting a complementary presentation at the SANS DFIR Summit on June 22, 2017.