| 2017-07-09 | Russ McRee | Adversary hunting with SOF-ELK |
| 2017-05-23 | Rob VandenBrink | What did we Learn from WannaCry? - Oh Wait, We Already Knew That! |
| 2017-05-16 | Russ McRee | WannaCry? Do your own data analysis. |
| 2017-01-12 | Mark Baggett | System Resource Utilization Monitor |
| 2016-10-31 | Russ McRee | SEC505 DFIR capture script: snapshot.ps1 |
| 2016-10-19 | Xavier Mertens | Spam Delivered via .ICS Files |
| 2016-08-11 | Pasquale Stirparo | Looking for the insider: Forensic Artifacts on iOS Messaging App |
| 2016-07-10 | Kevin Liston | Lessons Learned from Industrial Control Systems |
| 2016-05-22 | Pasquale Stirparo | The strange case of WinZip MRU Registry key |
| 2016-03-28 | Xavier Mertens | Improving Bash Forensics Capabilities |
| 2016-03-11 | Jim Clausing | Forensicating Docker, Part 1 |
| 2016-02-18 | Xavier Mertens | Hunting for Executable Code in Windows Environments |
| 2016-01-06 | Russ McRee | toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics |
| 2015-12-04 | Tom Webb | Automating Phishing Analysis using BRO |
| 2015-08-29 | Tom Webb | Automating Metrics using RTIR REST API |
| 2015-04-24 | Basil Alawi S.Taher | Fileless Malware |
| 2015-04-17 | Didier Stevens | Memory Forensics Of Network Devices |
| 2015-03-18 | Daniel Wesemann | New SANS memory forensics poster |
| 2015-02-03 | Johannes Ullrich | Another Network Forensic Tool for the Toolbox - Dshell |
| 2014-08-10 | Basil Alawi S.Taher | Incident Response with Triage-ir |
| 2014-06-22 | Russ McRee | OfficeMalScanner helps identify the source of a compromise |
| 2014-06-03 | Basil Alawi S.Taher | An Introduction to RSA Netwitness Investigator |
| 2014-05-18 | Russ McRee | sed and awk will always rock |
| 2014-03-11 | Basil Alawi S.Taher | Introduction to Memory Analysis with Mandiant Redline |
| 2014-03-07 | Tom Webb | Linux Memory Dump with Rekall |
| 2014-02-09 | Basil Alawi S.Taher | Mandiant Highlighter 2 |
| 2014-01-10 | Basil Alawi S.Taher | Windows Autorun-3 |
| 2013-12-12 | Basil Alawi S.Taher | Acquiring Memory Images with Dumpit |
| 2013-11-21 | Mark Baggett | "In the end it is all PEEKS and POKES." |
| 2013-11-20 | Mark Baggett | Searching live memory on a running machine with winpmem |
| 2013-11-19 | Mark Baggett | Winpmem - Mild mannered memory aquisition tool?? |
| 2013-08-26 | Alex Stanford | Stop, Drop and File Carve |
| 2013-08-14 | Johannes Ullrich | Imaging LUKS Encrypted Drives |
| 2013-07-12 | Rob VandenBrink | Hmm - where did I save those files? |
| 2013-05-23 | Adrien de Beaupre | MoVP II |
| 2013-04-25 | Adam Swanger | SANS 2013 Forensics Survey - https://www.surveymonkey.com/s/2013SANSForensicsSurvey |
| 2013-02-20 | Manuel Humberto Santander Pelaez | SANS SCADA Summit at Orlando - Bigger problems and so far from getting them solved |
| 2012-11-02 | Daniel Wesemann | The shortcomings of anti-virus software |
| 2012-09-14 | Lenny Zeltser | Analyzing Malicious RTF Files Using OfficeMalScanner's RTFScan |
| 2012-07-16 | Jim Clausing | An analysis of the Yahoo! passwords |
| 2012-06-04 | Lenny Zeltser | Decoding Common XOR Obfuscation in Malicious Code |
| 2011-09-29 | Daniel Wesemann | The SSD dilemma |
| 2011-08-05 | Johannes Ullrich | Forensics: SIFT Kit 2.1 now available for download http://computer-forensics.sans.org/community/downloads |
| 2011-03-01 | Daniel Wesemann | AV software and "sharing samples" |
| 2010-11-26 | Mark Hofman | Using password cracking as metric/indicator for the organisation's security posture |
| 2010-11-17 | Guy Bruneau | Reference on Open Source Digital Forensics |
| 2010-05-22 | Rick Wanner | SANS 2010 Digital Forensics Summit - APT Based Forensic Challenge |
| 2010-05-21 | Rick Wanner | 2010 Digital Forensics and Incident Response Summit |
| 2010-04-30 | Kevin Liston | The Importance of Small Files |
| 2010-04-11 | Marcus Sachs | Network and process forensics toolset |
| 2010-03-26 | Daniel Wesemann | SIFT2.0 SANS Investigative Forensics Toolkit released |
| 2009-12-14 | Adrien de Beaupre | Anti-forensics, COFEE vs. DECAF |
| 2009-11-25 | Jim Clausing | Updates to my GREM Gold scripts and a new script |
| 2009-10-20 | Raul Siles | WASC 2008 Statistics |
| 2009-08-18 | Daniel Wesemann | Forensics: Mounting partitions from full-disk 'dd' images |
| 2009-08-13 | Jim Clausing | New and updated cheat sheets |
| 2009-07-02 | Daniel Wesemann | Getting the EXE out of the RTF |
| 2009-02-02 | Stephen Hall | How do you audit your production code? |
| 2009-01-02 | Rick Wanner | Tools on my Christmas list. |
| 2008-11-17 | Marcus Sachs | New Tool: NetWitness Investigator |
| 2008-09-08 | Raul Siles | Quick Analysis of the 2007 Web Application Security Statistics |
| 2008-08-17 | Kevin Liston | Volatility 1.3 Released |
| 2008-08-15 | Jim Clausing | OMFW 2008 reflections |
| 2008-06-18 | Marcus Sachs | Olympics Part II |
