Investigate and fight cyberattacks with SIFT Workstation


Digital forensics and incident response (DFIR) has hit a tipping point. No longer just for law enforcement solving cybercrimes, DFIR tools and practices are a necessary component of any organization’s cybersecurity. After all, attacks are increasing daily and getting more sophisticated – exposing millions of people’s personal data, hijacking systems around the world and shutting down numerous sites.

SANS has a smorgasbord of DFIR training, and we also offer a free Linux distribution for DFIR work. Our SANS Investigative Forensic Toolkit (SIFT) Workstation is a powerful collection of tools for examining forensic artifacts related to file system, registry, memory, and network investigations. It is also available bundled as a virtual machine (VM), and includes everything one needs to conduct any in-depth forensic investigation or response investigation.

Capture9The SIFT Workstation was developed by an international team of forensics experts, including entrepreneur, consultant and SANS Fellow Rob Lee, and is available to the digital forensics and incident response community as a public service. Just because it’s freely available and originally designed for training, though, doesn’t mean it can’t stand up to field investigations. The SIFT Workstation incorporates powerful, cutting-edge open-source tools that are frequently updated, vetted by the open source community and able to match any modern DFIR tool suite. Don’t just take our word for it. Thousands of individuals download SIFT yearly, and it’s used by tens of thousands of people all over the world, including those at multiple Fortune 500 companies. And recently, HackRead named SIFT Workstation in a list of the top 7 cyber forensic tools preferred by specialists and investigators around the world.

SIFT got its start in 2007, during the time SANS instructors were developing virtual machines (VMs) for use in the classroom. In its earliest iterations, it was available online as a download, but was hard-coded and static so whenever there were updates, users had to download a new version. By 2014, SIFT Workstation could be downloaded as an application series and was later updated to a very robust package based on Ubuntu. It can also be installed on Windows, if there is an Ubuntu subsystem running on the system.

In November 2017, SANS unveiled a new version of SIFT Workstation that allows for much more functionality, is much more stable, and is comprised of specific tools such as the Package Manager. This time the package supports rolling updates, and uses SALT, a Python-based configuration management platform, rather than a bootstrap executable and configuration tool.

The new version can work with more than 200 tools and plug-ins from third-parties, and newly added memory analysis functionality enables the SIFT Workstation to leverage data from other sources. New automation and configuration functions mean the user only has to type one command to download and configure SIFT. Because SIFT is scriptable, users can string together commands and create automated analysis, customizing the system to the needs of their investigation.

Download SIFT Workstation today, and get started on your own DFIR initatives. And look into our FOR508: Advanced Incident Response and Threat Hunting course for hands-on learning with SIFT, and how to detect breaches, identify compromised and affected systems, determine damage, contain incidents, and more.

Gamble? Not with your future



By Lee Whitfield

Honestly, I’ve never been big into gambling. The closest I’ve come is buying a lottery ticket when I was 18. While I understand the excitement, the science, and compulsion, it has just never been a huge draw for me personally.

There are many things that fall into the category of gambling. You can choose to back your favorite sports team by putting your money where your mouth is. You may not have a lot of faith in your team and bet against them, and still call yourself a fan? You may attend a regular gathering of friends and play cards together.

Gambling presents an inherent risk, hence the excitement. You run the odds in your head and determine if there’s a chance you’ll win. If the right combination of probability and odds come up, you pony up and hope for the best. However, there’s always a chance that something goes wrong and you walk away with a loss instead of a win.

You may not be familiar with Steve Richards. Why would you? He’s a roofer from the UK. Richards had a penchant for sports betting and accurately predicted the correct scores for twelve different rugby games. He bet £10 at some crazy odds and walked away with £38,970. Now, roofers in the UK probably don’t make that much in a year so this was an extraordinary win for him but instead of taking that money and doing something useful, he “reinvested” by placing a £30,000 on another Rugby game one week later. He lost. A year’s wages gone in an instant.

So why am I talking about gambling? Well, it is the start of a new year. New opportunities, new goals, new budgets. The likelihood is that you have some amount of money allocated to you for training purposes in 2019 and you have a to ask yourself a question. How do you spend that money wisely and not gamble it away on less-than-stellar instruction?

As you may know, I recently started teaching for SANS. I’ve had the pleasure of teaching in Boston, London and Denver. My next class is in Reno, Nevada – the gambling state. It starts on February 25. Here I will be teaching the FOR500: Windows Forensic Analysis class. In six days you’ll learn the skills needed to conduct investigations into a variety of cases and, to top it off, you’ll put the skills to the test with the forensic challenge that I helped to create. The FOR500 class is updated throughout the year so you’ll be learning about the latest and greatest artifacts to help you become a lethal forensicator, take down the bad guys, impress your bosses, and get that raise that you deserve.

As an added bonus, I’ll also be giving a brand new @Night talk entitled “Ready, Fire, Aim.” You won’t want to miss it.

So don’t gamble away your future, make the safe bet and come join me in Reno in February. Come to the class, hang out with me, learn some stuff, and play some slots. Who knows, you might walk away with more than the best training money can buy.

More information about the SANS Reno event
Register for the class


Go Big with Bootcamp for Advanced Memory Forensics and Threat Detection


Many experienced security analysts end up repeating the same investigative playbook for similar types of cases day after day. They become technical experts but siloed into a single lane of investigative scenario, whether it be intellectual property theft, malware or intrusion investigations. With the rapid evolution of fileless malware and sophisticated anti-forensics mechanisms, security analysts need access to current system state that can be derived solely from memory analysis. Learning bleeding edge analysis skills such as memory interrogation can be a touch challenge requiring determined and extraordinary work. The relaunched bootcamp SANS FOR526 Advanced Memory Forensics and Threat Detection is the class that will get you and your team to this next level – it’s time for bootcamp!

Malware is more sophisticated, and its ability to evade detection growing. Cryptojacking – software programs and malware that hijack another’s computer without their knowledge to mine cryptocurrency – is one such example. Recently, researchers discovered a new cryptocurrency mining malware that employs multiple evasion techniques, including one that poses as an installer file for the Windows operating system so it seems less suspicious. And illicit cryptocurrency mining operations have increased dramatically over the past year, according to a recent Cyber Threat Alliance report, rising by as much as 459 percent in 2018.

The more complex, advanced malware and anti-analysis and evasion techniques pose great challenges to today’s security practitioners, as the endpoint detection methods and technologies, we rely upon to protect our enterprise fail. For this reason, we at SANS have decided to go big with a revised FOR526 course – with an additional boot camp – that teaches you how to isolate malicious activity using memory analysis to counter these evasions and allows you to determine the capability and intent of the intrusion for successful scoping and containment.

To move to proactive hunting, teams must have the skills to identify the activity for which there is no signature. The FOR526 course delivers this expertise with an intensive hands-on focus, allowing security practitioners to build on the knowledge advanced security professionals already have.

The two creators of FOR526, Alissa Torres and Jake Williams, understand the unique challenges of memory forensics and the complex types of cases examiners are up against today. Both forensics practitioners themselves, they know examiners need deeper technical expertise beyond just running a tool so they can perform memory analysis to understand the evidence, and that means offering students labs inspired by real-world investigations in which memory forensics saved the day. As Williams notes, “memory offers a very dense and target-rich search space for evidence of value. Memory-only malware? Malicious insiders using private browsing to eliminate disk evidence? Anti-forensics techniques? They all get stuck in memory.”

Williams and Torres have added a boot camp consisting of additional content and memory forensics challenges to make the course even more relevant for present-day memory forensics investigations and threat detection. The NEW FOR526: Advanced Memory Forensics and Threat Detection BootCamp brings you extended mid-week SANS NetWars challenges, more in-depth technical content and advanced threat detection scenarios to take senior incident responder professionals to the next level.

Slider_CTIAt this month’s Cyber Threat Intelligence Summit in Arlington, Virginia, Torres will run FOR526: Advanced Memory Forensics & Threat Detection January 23 – 28. The summit is a week-long conference and educational event with in-depth talks and interactive discussions, as well as community-building events, networking opportunities and hands-on, immersive courses designed to give you world-class training.

Learn more about the course new format and content by attending Alissa Torres webcast January 14th at 1:00 pm EST.

Register for the webcast:

Next FOR526 course runs:

The new version of SOF-ELK is here. Download, turn on, and get going on forensics analysis.


Sof-Elk (Horizontal)

We are excited to announce the release of an all-new version of the free SOF-ELK®, or Security Operation and Forensics ELK virtual machine. Now based on the new version of the Elastic Stack, SOF-ELK is a complete rebuild that is faster and more effortless than its predecessors, making forensic and security data analysis easier than ever.


Since its introduction about five years ago, there have been more than 10,000 downloads of SOF-ELK around the world by computer forensic investigators and information security operations personnel in the government, law enforcement and commercial sectors. The SOF-ELK platform is a customized build of the open source ELK stack, consisting of the Elasticsearch storage and search engine, Logstash ingestion and enrichment component, and the Kibana dashboard frontend.


SOF-ELK was always designed to help minimize the typically long and involved setup process the ELK stack requires by delivering a pre-built virtual appliance that can be downloaded in a ready-to-use state. It can consume various source data types (numerous log types as well as NetFlow), parses out the most critical data fields, and presents it on several stock dashboards. Users can also build custom data visualizations that suit their own investigative or operational requirements (and because of the fully open source nature of the project, can choose to contribute those custom builds back to the primary code repository). Learn more about the SOF-ELK distribution.


The new version of SOF-ELK has been rebuilt from the ground up to take advantage of the new version of the Elastic Stack software and uses all of the Elastic Stack’s components. This required a total rebuild of all dashboards and supporting scripts. Simply download this distribution, turn it on, feed it some data and begin analysis. It’s that easy.


The SANS team has performed extensive testing of this distribution of the SOF-ELK platform. The new version’s most immediate benefits are its speed and refreshed browser interface. This is faster and easier to use and can visualize massive amounts of data through the dashboards. We also expect faster development cycles. Here are some more changes in the new SOF-ELK:


  • Supports the latest updates on the kernel and all CentOS packages.
  • Includes new parsers from upstream and community contributions.
  • Rebuilt and revalidated all Logstash parsers against latest syntax
  • Better handles dynamic (boot-time) memory allocation for Elasticsearch.
  • Rebuilt all Kibana dashboards to handle updated index mappings and field names
  • IPv6 addresses can now be handled as IPs instead of strings
  • Features many under-the hood changes that will make our roadmap much smoother in the future

The SOF-ELK platform was initially developed for SANS FOR572, Advanced Network Forensics and Analysis, and is now used in SANS SEC555, SIEM with Tactical Analysis. Additional course integrations are being actively worked at this time and considered for future versions. However, SOF-ELK was always designed as a free resource for the digital forensic and broader information security communities at large – a ready-to-use appliance that teams can use without having to invest the many hours into deploying, configuring, and maintaining an Elastic Stack instance. We hope you check out the latest version of the SOF-ELK distribution.SOF-ELK®: A Free, Scalable Analysis Platform for Forensic, incident Response, and Security Operations


SOF-ELK®: A Free, Scalable Analysis Platform for Forensic, Incident Response, and Security Operations

  • When: Tuesday, March 5th, 2019 at 1:00 PM EST 
  • Conducted by Phil Hagen
  • Register now


There is no shortage of digital evidence, with many DFIR and Security Operations teams handling terabytes of log and network data per week. This amount of data presents unique challenges, and many tools are simply inadequate at such a large scale. Commercial platforms that are up to the task are often far out of budgetary reach for small- and medium-sized organizations.

The Elastic Stack, a big data storage and analysis platform, has become increasingly popular due to its scalability and open-source components. Countless investigative and security teams have incorporated Elastic into their toolkits, often realizing the significant level of effort required to customize and manage such a powerful tool. To overcome some of these hurdles, the SOF-ELK platform was created. SOF-ELK aims to be an appliance-like virtual machine that is preconfigured to ingest and parse several hundred different types of log entries, as well as NetFlow data. The intent is to provide analysts and investigators with a tool that leverages the power of the Elastic Stack with minimal setup time and effort. Originally a part of the SANS FOR572, Advanced Network Forensics & Threat Hunting course, SOF-ELK has been incorporated into additional SANS courses and is released as a free and open-source platform for the overall security community.

In this webcast, we will explore SOF-ELKs use cases, types of log data currently supported, as well as how to load data from live or archived sources. We will also show the various dashboards supplied with the VM and show how new features can be activated through the projects GitHub repository.

Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!

summit video pic

To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1.     Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

·       Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

·       Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2.     Check out our jam-packed DFIR Summit agenda!

·       The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

·       The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

·       All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective of how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it, have a sneak peek, check out some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

·       FOR500 – Advanced Windows Forensics

·       FOR585 – Advanced Smartphone Forensics

·       FOR610 – Reverse-Engineering Malware

·       FOR508 – Digital Forensics, Incident Response & Threat Hunting

·       FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

·       FOR578 – Cyber Threat Intelligence

·       FOR526 – Memory Forensics In-Depth

·       FOR518 – Mac and iOS Forensic Analysis and Incident Response

·       MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3.    All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future article post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!


8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9. The Forensic 4:cast Awards winners will be announced at the Summit. Help us text2985celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted). Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!

SANS Threat Hunting and Incident Response Summit 2018 Call for Speakers – Deadline 3/5



Summit Dates: September 6 & 7, 2018
Call for Presentations Closes on Monday, March 5, 2018 at 5 p.m CST
Submit your presentation here

The Threat Hunting & Incident Response Summit will focus on specific hunting and incident response techniques and capabilities that can be used to identify, contain, and eliminate adversaries targeting your networks. SANS and our advisory partner Carbon Black are pleased to invite you to the Summit where you will have the opportunity to directly learn from and collaborate with incident response and detection experts who are uncovering and stopping the most recent, sophisticated, and dangerous attacks against organizations.

Chances are very high that hidden threats already exist inside your organization’s networks. Organizations can’t afford to assume that their security measures are impenetrable, no matter how thorough their security precautions might be. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools.

The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress rather than after attackers have attained their objectives and done worse damage to the organization. For the incident responder, this process is known as “threat hunting.” Threat hunting uses known adversary behaviors to proactively examine the network and endpoints and identify new data breaches.

Call for Presentations Closes on Monday, March 5, 2018
Submit your presentation here

If you are interested in presenting, SANS and our advisory partner Carbon Black would be delighted to consider your threat hunting-focused proposal with use cases and communicable lessons. We are looking for presentations from both the intelligence producer and the intelligence consumer fields, with actionable takeaways for the audience.

The THIR Summit offers speakers opportunities for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

CFP submissions should detail how the proposed case study, tool, or technique can be utilized by attendees to increase their security posture. All THIR Summit presentations will be 30 minutes with 5 minutes for questions.

We are looking for presentations that focus on:
– Endpoint threat hunting
– Network threat hunting
– Hunt teams and how to organize them to be extremely effective
– Using known attacker methodologies to hunt/track adversaries
– Innovative threat hunting tools, tactics, and techniques
– Case studies on the application of threat hunting to security operations

Call for Presentations Closes on Monday, March 5, 2018
Submit your presentation here 

Meltdown and Spectre – Enterprise Action Plan

Meltdown and Spectre – Enterprise Action Plan by SANS Senior Instructor Jake Williams
Blog originally posted January 4, 2018 by RenditionSec

Watch the webcast now

Unless you’ve been living under a rock for the last 24 hours, you’ve heard about the Meltdown and Spectre vulnerabilities. I did a webcast with SANS about these vulnerabilities, how they work, and some thoughts on mitigation. I highly recommend that you watch the webcast and/or download the slides to understand more of the technical details. In this blog post, I would like to leave the technology behind and talk about action plans. Our goal is to keep this hyperbole free and just talk about actionable steps to take moving forward. Action talks, hyperbole walks.

To that end, I introduce you to the “six step action plan for dealing with Meltdown and Spectre.”

  1. Step up your monitoring plan
  2. Reconsider cohabitation of data with different protection requirements
  3. Review your change management procedures
  4. Examine procurement and refresh intervals
  5. Evaluate the security of your hosted applications
  6. Have an executive communications plan

Step 1: Step up your monitoring plan

Meltdown allows attackers to elevate privileges on unpatched systems. This means that attackers who have a toehold in your network can elevate to a privileged user account on a system. From there, they could install backdoor and rootkits or take other anti-forensic measures. But at the end of the day, the vulnerability doesn’t exfiltrate data from your network or encrypt your data, delete your backups, or extort a ransom. Vulnerabilities like Meltdown will enable attackers, but they are only a means to an end. Solid monitoring practices will catch attackers whether they use an 0-day or a misconfiguration to compromise your systems. As a wise man once told me, “if you can’t find an attacker who exploits you with an 0-day, you need to be worried about more than 0-days.”

Simply put, monitor like your network is already compromised. Keeping attackers out is so 1990. Today, we assume compromise and architect our monitoring systems to detect badness. The #1 goal of any monitoring program in 2018 must be to minimize attacker dwell time in the network.

Step 2. Reconsider cohabitation of data with different protection requirements

Don’t assume OS controls are sufficient to separate data with different protection requirements. The Spectre paper introduces a number of other possible avenues for exploitation. The smart money says that at least some of those will be exploited eventually. Even if other exploitable CPU vulnerabilities are not discovered (unlikely since this was already an area of active research before these vulnerabilities), future OS privilege escalation vulnerabilities are a near certainty.

Reconsider your architecture and examine how effective your security is if an attacker (or insider) with unprivileged access can elevate to a privileged account. In particular, I worry about those systems that give a large number of semi-trusted insiders shell access to a system. Research hospitals are notorious for this. Other organizations with Linux mail servers have configured the servers so that everyone with an email address has a shell account. Obviously this is far from ideal, but when combined with a privilege escalation vulnerability the results can be catastrophic.

Take some time to determine if your security models collapse when a privilege escalation vulnerability becomes public. At Rendition, we’re still running into systems that we can exploit with DirtyCOW – Meltdown isn’t going away any time soon. While you’re thinking about your security model, ask how you would detect illicit use of a privileged account (see step #1).

Step 3. Review your change management procedures

Every time there’s a “big one” people worry about getting patches out. But this month Microsoft is patching several critical vulnerabilities. Some of these might be easier to exploit than Meltdown. When thinking about patches, measure your response time. We advise clients to keep three metrics/goals in mind:

Normal patch Tuesday
Patch Tuesday with “active exploit in the wild”
“Out of cycle” patch
How you handle regular patches probably says more about your organization than how you handle out of cycle patches. But considering all three events (and having different targets for response) is wise.

Because of performance impacts, Meltdown definitely should be patched in a test environment first. Antivirus software has reportedly caused problems (BSOD) with the Windows patches for Spectre and Meltdown as well. This shows a definite example where “throw caution to the wind and patch now” is not advisable. Think about your test cycles for patches and figure out how long is “long enough” to test (both for performance and stability) in your test environment before pushing patches to production.

Step 4. Examine procurement and refresh intervals

There is little doubt that future processors (yet to be released) will handle some functions more securely than today’s models. If you’re currently on a 5 year IT refresh cycle, should you compress that cycle? It’s probably early to tell for hardware, but there are a number of older operating systems that will never receive patches. You definitely need to re-evaluate whether leaving those unpatchable systems in place is wise. Just because you performed a risk assessment in the past, you don’t get a pass on this. You have new information today that likely wasn’t available when you completed your last risk assessment. Make sure your choices still make sense in light of Meltdown and Spectre.

When budgeting for any IT refresh, don’t forget about the costs to secure that newly deployed hardware. Every time a server is rebuilt, an application is installed, etc. there is some error/misconfiguration rate (hopefully small, often very large). Some of these misconfigurations are critical in nature and can be remotely exploited. Ensure that you budget for security review and penetration testing of newly deployed/redeployed assets. Once the assets are in production, ensure that they are monitored to detect anything that configuration review may have missed (see step #1).

Step 5. Evaluate the security of your hosted applications

You can delegate control, but you can’t delegate responsibility. Particularly when it comes to hosted applications, cloud servers, and Platform as a Service (PaaS), ask some hard questions of your infrastructure providers. Sure your patching plan is awesome and went off without a hitch (see step #3). What about your PaaS provider? How about your IaaS (Infrastructure as a Service) provider? Ask your infrastructure provider:

Did they know about the embargoed vulnerability?
If so, what did they do to address the issue ahead of patches being available?
Have they patched now?
If not, when will they be fully patched?
What steps are they taking to look for active exploitation of Meltdown? *
* #5 is sort of a trick question, but see what they tell you…

Putting an application, server, or database in the cloud doesn’t make it “someone else’s problem.” It’s still your problem, it’s just off-prem. At Rendition, we’ve put out quite a few calls today to MSPs we work with. Some of them have been awesome – they’ve got an action plan to finish patching quickly and monitoring for all assets. One called us last night for advice, another called us this morning. Others responded with “Melt-what?” leading us to wonder what was going on there. Not all hosting providers are created equal. Even if you evaluated your hosting provider for security before you trusted them with your data, now is a great time to reassess your happiness with how they are handling your security. It is your security after all…

Step 6. Have an executive communications plan

When any new vulnerability of this magnitude is disclosed, you will inevitably field questions from management about the scope and the impact. That’s just a fact of life. You need to be ready to communicate with management. To that end, in the early hours of any of these events there’s a lot of misinformation out there. Other sources of information aren’t wrong, they’re just not on point. Diving into the register specific implementations of a given attack won’t help explain the business impact to an executive.

Spend some time today and select some sources you’ll turn to for information the next time this happens (this won’t be the last time). I’m obviously biased towards SANS, but I wouldn’t be there if they didn’t do great work cutting through the FUD (fear uncertainty and doubt) when it matters. The webcast today was written by me, but reviewed by other (some less technical) experts to make sure that it was useful to a broad audience. My #1 goal was to deliver actionable information you could use to educate a wide range of audiences. I think I hit that mark. I’ve seen other information sources today that missed that mark completely. Some were overly technical, others were completely lacking in actionable information.

Once you evaluate your data sources for the next “big one,” walk through a couple of exercises with smaller vulnerabilities/issues to draft communications to executives and senior leadership. Don’t learn how to “communicate effectively” under the pressure of a “big one.” Your experience will likely be anything but “effective.”

Closing thoughts

Take some time today to consider your security requirements. It’s a new year and we certainly have new challenges to go with it. Even if you feel like you dodged this bullet, spend some time today thinking about how your organization will handle the next “big one.” I think we all know it’s not a matter of “if” but a matter of “when and how bad.”

Of course, if I don’t tell you to consider Rendition for your cyber security needs, my marketing guy is going to slap me silly tomorrow. So Dave, rest easy my friend. I’ve got it covered

WannaCry Ransomware Threat : What we know so far – WEBCAST slides

The WannaCry ransomware worm is unprecedented for two reasons. First, it’s a ransomware worm. Second, it appears to be using a recently patched exploit that was stolen from NSA to propagate. Jake Williams‘ firm, Rendition Infosec, has been tracking the use of this exploit since it was publicly released and completed another internet-wide scan of the Internet for this threat. The webcast walks you through what we know so far about the malware, the leaked exploits, mitigation strategies, and predictions for future impact.


This webcast aired on May 12th, 2017 and was conducted by SANS Instructor Jake Williams. View webcast here: Webcast slides can be viewed here: WannaCry Ransomware Threat

SANS Institute Internet Storm Center:
Microsoft released information what can be done to protect against #WannaCry which includes deploying MS17-010 if not already done (March patch release), update Windows Defender (updated 12 May 2017) and if not using SMBv1 to disable it available here. Microsoft has provided a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.

FOR408: Windows Forensic Analysis has been renumbered to FOR500: Windows Forensics Analysis

FullSizeRender (4)


The FOR408: Windows Forensic Analysis course was renumbered to FOR500: Windows Forensic Analysis. SANS renumbered the course to better reflect the course’s intermediate-level material. The content of the course will remain basically the same, although it will be constantly updated to reflect changes in the field.



Why change the course number?
FOR500/FOR408 is an intermediate-level Windows forensics course that skips over the introductory material of digital forensics. This class does not include basic digital forensic analysis concepts. FOR500/FOR408 focuses entirely on in-depth, tool-agnostic analysis of the Windows operating system and artifacts. The course has been at the intermediate skill level since 2013 and a course number change to the 5 level reflects this content more accurately. The course is vigorously updated each year. The change in the course number was timed to coincide with the regularly scheduled update of the course in the Spring of 2017. SANS courses are updated as frequently as possible as part of our efforts to keep teaching material hyper-current and relevant for leading-edge problem solving.

What is the difference between FOR500 and FOR508?
FOR500 focuses on deep-dive forensic analysis of Windows operating systems and artifact locations. FOR508 teaches students how to conduct enterprise incident response and threat hunting. Its focus is on intrusion response and forensics. Each course complements the other and both should be taken to create a full operational and analytical capability.

Which course should I take first, FOR500 or FOR508?
It is recommended that FOR500/FOR408 be taken prior to FOR508 so that students obtain a firm understanding of operating system and artifact locations on Windows systems as well as demonstrable, hands-on skills in Windows forensics. However, FOR500 is not a formal prerequisite for FOR508, so the classes could be taken in any order.

How does the change in the course number affect GIAC certification?
Any current GCFE certifications will not change in any way. Any student taking FOR500/FOR408 will be taking the same exam. Additionally, DoDD 8570, DoDD 8140, and ANSI/ISO/IEC 17024 accreditation status remains unchanged.

How will the course number change affect alumni?
Anyone who wishes to retake the FOR500/FOR408 course using the alumni discount may do so if they have taken FOR408 in the past.

If you have any additional questions regarding this change, please email us at

Digital Forensics – Automotive Infotainment and Telematics Systems

 Paul A. Henry – Senior Sans Instructor –



Powerful Features

There is a huge range of features now controlled / enabled by current generation automotive infotainment and telematics systems (Figure 1 – Source), including but not limited to:

  • Digital radio
  • Satellite (GPS) navigation
  • Bluetooth connectivity (the vehicle has its own phone number that SMS messages can be sent to and some systems will even read your SMS text messages to you)
  • Audio player – on CD, MP3, USB or Bluetooth
  • Internet access (Hotspot) – enables web browsing for multiple passengers via an in-built Wi-Fi connection, and can also provide real-time traffic updates for GPS navigation systems
  • Satellite TV tuners – for passengers or for everyone as long as the car is parked
  • Cameras – an array of cameras literally showing a bird’s-eye view of the car, making maneuvering in tight spaces even easier then ever before
  • Screen mirroring – wirelessly connect mobile devices to the automobile and mirror its user interface on the car’s larger touchscreen


Figure 1

As automotive infotainment and telematics systems evolve and become more powerful, the value of the historical data they contain from an evidence perspective grows as well.

Automotive Infotainment and Telematics Systems Are Not Crash Data Recorders

 It is important to understand that automotive infotainment and telematics systems are not the same as crash data recorders (CDR), or event data recorders (EDR). In a CDR, safety sensor data such as brake position, speed, steering wheel position and airbag deployment is recorded at high frequency but only for a matter of seconds leading up to a crash. In an automotive infotainment and telematics system data is collected from primarily non-safety related components (i.e. speed and coordinates from GPS at a lower frequency but for a substantially longer time period). Hence while CDR systems can determine a point of impact an automotive infotainment and telematics system can perhaps show the longer term driving habits of the vehicle’s driver.

Abundant Information but Difficult to Get To

 While there is an abundance of available information, vendors of automotive infotainment and telematics systems have not made them easy to acquire. The forensic product vendor Berla ( use various methods to extract the data. To get to the data, one must use Berla’s iVe kit, which is composed of iVe software and hardware components for accessing numerous systems from various automakers (i.e. Ford, GM, FCA, BMW, Toyota, and Volkswagen to name a few). For some systems it is as simple as plugging a USB or on-board diagnostics (OBD-II) cable from the iVe kit into a system running the iVe desktop application and walking through the on-screen steps for performing an acquisition. For some other supported systems, an iVe device interface board (DIB) from the kit is attached to the infotainment/telematics module’s PCB as outlined in the in-app instructions. The DIB is then connected to a computer running the iVe application, as well as the kit’s power supply (for certain modules). Depending on the particular type of system being acquired, iVe will offer the option for either a physical image, logical image, or both. For certain modules, one must also remove the protective solder mask from certain pads on the module’s PCB prior to connecting the DIB, though a scratch pen is included in the iVe kit, and instructions with photos showing the specific pads to scratch are included in the application.

It’s the Wild Wild West All Over Again

It is also important to note that a CDR has a definitive government requirement (CFR-2011-title49-vol6-part563) that defines not only what data is to be stored but also the format in which that data is stored. In contrast, infotainment and telematics system vendors are all over the map regarding what data is stored and how and where it is stored. Furthermore, specifically what data is stored can vary from one vehicle model to another, even when the same system appears present in two different vehicles. This requires the forensic tool developer to have a deep understanding of the data structure for each vendor’s product as well as for each car model in order to be effective. It reminds the author of the early days of mobile device forensics.

The following is a broad example of available data types for iVe-supported systems. Any given manufacturer’s system will have a select subset based on features present for that particular system. The data stored may also vary based on the vehicle’s use, actions of the occupant(s), which features were used, etc. The types of data stored can also change when a given manufacture updates the firmware of a system.

To see if a particular vehicle is supported, and what information may be available on the system, use the iVe supported vehicle lookup on Berla’s website. The lookup is also included in the iVe application itself.

Vehicle / System Information

  • Serial Number
  • Part Number
  • Original VIN Number
  • Build Number

Installed Application Data

  • Weather
  • Traffic
  • Facebook
  • Twitter

Connected Devices

  • Phones
  • Media Players
  • USB Drives
  • SD Cards
  • Wireless Access Points

Navigation Data

  • Tracklogs and Trackpoints
  • Saved Locations
  • Previous Destinations
  • Active and Inactive Routes

Device Information

  • Device IDs
  • Calls
  • Contacts
  • SMS
  • Audio
  • Video
  • Images
  • Access Point Information


  • Doors Opening/Closing
  • Lights On/Off
  • Bluetooth Connections
  • Wi-Fi Connections
  • USB Connections
  • System Reboots
  • GPS Time Syncs
  • Odometer Readings
  • Gear Indications


Oh My! Guess What I Found on eBay?


Figure 2

An eBay seller was parting out a wrecked 2015 Silverado pickup truck (Figure 2) including its infotainment system, an NG 2.0 HMI module (Figure 3, 4, 5).


Figure 3


Figure 4


Figure 5

Primary Components in the NG 2.0 HMI

  • Micron Technology N2M400JDB341A Flash – eMMC NAND, 32GB
  • Renesas uPD35003-LN6 SoC – Tri-Core ARM11, 400MHz, w/ 2D/3D Graphics Functions & Peripherals Support
  • Alps Electric UGKZ2-201A Bluetooth / WLAN Module – Bluetooth V2.1+EDR, IEEE 802.11b/g/n, Automotive
  • Micron Technology MT41J512M8RA-15E AIT:D SDRAM – DDR3-1333, 4Gb, 1.5V- (Qty: 2)
  • Epson AP-6110LR Inertial Sensor – 6-Dof, 3-Axis Gyroscope Plus 3-Axis Accelerometer, Analog Output
  • Spansion S29GL512S100DHA02 Flash – NOR, 512Mb, 100ns, 65nm
  • SMSC OS81092AM MOST Bus Controller – 50 Mbps, Automotive
  • Texas Instruments DS90UR905QSQ Serializer – FPD-Link II, 24-Bit Color, Up to 65MHz, Automotive


Lets acquire some data

Preparation for acquisition (Figure 6) involves scratching insulating material away from specific PCB pads, as specifically outlined in iVe’s instructions, to permit connectivity with the PC board traces. The fiberglass scratch pen has strands that tend to come apart during the removal process, so gloves and safety glasses are highly recommended. The iVe DIB is then connected to the PCB. Proper alignment of the DIB pins on the PCB is critical.



Figure 6


The PCB is powered with the variable power supply (Figure 7) that is included in the iVe kit. It is important to ensure the voltage is adjusted to 12V prior to connecting the leads to the PCB power connector.


Figure 7


The iVe application includes an acquisition wizard to walk the user through each step for setting up the acquisition.

The iVe DIB is connected to the computer running iVe, and power is applied. After successfully testing the hardware connections by clicking the ‘Detect’ and ‘Test’ buttons (Figure 8) in the software, the acquisition can be started. For the HMI module, iVe allows for a logical image to be acquired.


Figure 8

Once extraction has completed, analysis can be performed, and reports can be generated. iVe’s data export functionality supports .csv, tab-delimited, and .kml for GPS data, and reports can be exported in HTML or PDF format.


Below is some of the data collected by iVe for the HMI device in this test.

Attached Devices (Figure 9)


Figure 9

SMS Messages (Figure 10)


Figure 10

Call Logs (Figure 11)


Figure 11

Contacts (Figure 12)contacts

Figure 12

Device Events (Figure 13)


Figure 13

Voice Recordings (Figure 14)


Figure 14

Carved Files (Figure 15)


Figure 15

Music (Figure 16)


Figure 16

Summary of HMI Device

  • No crash data but good data to establish habits and patterns of the driver
  • Examples of available historical data included
    • Calls
    • SMS
    • Some GPS Information
    • Media (i.e. Music)
    • Connected Devices
    • More Can Possibly Be Parsed from Recovered DB Files


Another Visit to eBay

We already imaged an NG HMI so this time I was looking for an OnStar Gen 9 device to analyze (Figure 17).


Figure 17

Primary Components of OnStar Gen 9

  • Micron Technology N2M400JDB341A Flash – eMMC NAND, 32GB
  • Renesas uPD35003-LN6 SoC – Tri-Core ARM11, 400MHz, w/ 2D/3D Graphics Functions & Peripherals Support
  • Alps Electric UGKZ2-201A Bluetooth / WLAN Module – Bluetooth V2.1+EDR, IEEE 802.11b/g/n, Automotive
  • Micron Technology MT41J512M8RA-15E AIT:D SDRAM – DDR3-1333, 4Gb, 1.5V- (2)
  • Epson AP-6110LR Inertial Sensor – 6-Dof, 3-Axis Gyroscope Plus 3-Axis Accelerometer, Analog Output
  • 6-Layer – FR4, Lead-Free
  • Spansion S29GL512S100DHA02 Flash – NOR, 512Mb, 100ns, 65nm
  • SMSC OS81092AM MOST Bus Controller – 50 Mbps, Automotive
  • Texas Instruments DS90UR905QSQ Serializer – FPD-Link II, 24-Bit Color, Up to 65MHz, Automotive


Lets acquire some data

As with the previous acquisition, the iVe DIB is attached to the PCB and the computer running iVe. The variable power supply is tested to ensure it is set at 12V before connecting it to the PCB power connector. The step-by-step acquisition wizard in the iVe software is followed to begin the data extraction (Figure 18). iVe allows for a physical extraction on the OnStar Gen 9.


Figure 18


Below is some of the data collected by iVe for the OnStar Gen 9 device.

Attached Devices (Figure 19)


Figure 19

SMS Messages (Figure 20)


Figure 20

Call Logs (Figure 21)


Figure 21

Contacts (Figure 22)


Figure 22

Locations (Figure 23)


Figure 23

Power Events (Figure 24)


Figure 24

GPS Tracking (over 5000 entries in one-second intervals – Figure 25)


Figure 25


Summary of OnStar Gen 9 Device

  • No crash data but good data to establish habits and patterns of the driver
  • Tons of historical data
  • Calls
  • Tons of GPS information including over 5000 tracking entries in one-second intervals detailing speed, distance and GPS coordinates
  • Connected devices
  • More can possibly be parsed from recovered DB files


In Closing

  • No crash data but tons of historical data that can potentially show details of driver’s habits prior to a crash
  • Your “mileage may vary” as to exactly what can be recovered, partially depending on how the vehicle was used and what features and actions the occupant(s) employed
  • Big difference between HMI and OnStar devices as far as available data goes, though that is by design, as the latter is intended primarily for telematics functions rather than infotainment
  • Also data recoverable may depend on specific implementation for a given car model
  • There is no clearly defined data standard for vehicle infotainment and telematics systems
  • Very much like the early days of mobile device forensics
  • Crash forensics using Bosch does use the US government standard CFR-2011-title49-vol6-part563 – more on that later in a future blog post
  • Though the above tests covered only GM systems, iVe supports numerous makes, including Ford, GM, FCA, BMW, Toyota, and Volkswagen
  • Support for more and more vehicle makes and models is constantly being added to iVe
  • Using the supported vehicle lookup on will help determine whether a specific vehicle is currently supported in iVe