Archives For May 2013

With the major expansion of forensic curriculum at the SANS Institute, I frequently get questions about what class(es) to take. If you are trying to decide between FOR408 (Windows Forensics) and FOR508 (Advanced Forensics and Incident Response), this is the best comparison I have seen online.

I found the following quote particularly insightful: “508 is not a more advanced version of the 408, it’s a completely different course with completely different objectives.”

PlugX Malware Progression

Amanda Stewart at the FireEye blog dissected the PlugX malware remote access tool (RAT). Of particular interest is this beautiful graphic showing the attack progression. With decoys, DLL sideloading, encrypted payloads, process injection, and new payload retrieval, this attack pretty much has it all!