| 2022-04-19 | Johannes Ullrich | Resetting Linux Passwords with U-Boot Bootloaders |
| 2021-12-04 | Guy Bruneau | A Review of Year 2021 |
| 2021-11-04 | Tom Webb | Xmount for Disk Images |
| 2021-09-11 | Guy Bruneau | Shipping to Elasticsearch Microsoft DNS Logs |
| 2021-06-18 | Daniel Wesemann | Network Forensics on Azure VMs (Part #2) |
| 2021-06-17 | Daniel Wesemann | Network Forensics on Azure VMs (Part #1) |
| 2021-05-14 | Xavier Mertens | "Open" Access to Industrial Systems Interface is Also Far From Zero |
| 2021-05-12 | Jan Kopriva | Number of industrial control systems on the internet is lower then in 2020...but still far from zero |
| 2021-02-25 | Daniel Wesemann | Forensicating Azure VMs |
| 2021-02-13 | Guy Bruneau | Using Logstash to Parse IPtables Firewall Logs |
| 2021-01-30 | Guy Bruneau | PacketSifter as Network Parsing and Telemetry Tool |
| 2020-12-19 | Guy Bruneau | Secure Communication using TLS in Elasticsearch |
| 2020-12-16 | Daniel Wesemann | DNS Logs in Public Clouds |
| 2020-12-08 | Johannes Ullrich | December 2020 Microsoft Patch Tuesday: Exchange, Sharepoint, Dynamics and DNS Spoofing |
| 2020-08-01 | Jan Kopriva | What pages do bad bots look for? |
| 2020-05-06 | Xavier Mertens | Keeping an Eye on Malicious Files Life Time |
| 2020-03-02 | Jan Kopriva | Secure vs. cleartext protocols - couple of interesting stats |
| 2019-10-25 | Rob VandenBrink | More on DNS Archeology (with PowerShell) |
| 2019-08-21 | Russ McRee | KAPE: Kroll Artifact Parser and Extractor |
| 2019-07-11 | Johannes Ullrich | Remembering Mike Assante |
| 2018-11-30 | Remco Verhoef | CoinMiners searching for hosts |
| 2018-07-29 | Guy Bruneau | Using RITA for Threat Analysis |
| 2018-02-25 | Guy Bruneau | Blackhole Advertising Sites with Pi-hole |
| 2018-01-26 | Xavier Mertens | Investigating Microsoft BITS Activity |
| 2017-10-02 | Xavier Mertens | Investigating Security Incidents with Passive DNS |
| 2017-09-24 | Jim Clausing | Forensic use of mount --bind |
| 2017-09-19 | Jim Clausing | New tool: mac-robber.py |
| 2017-07-09 | Russ McRee | Adversary hunting with SOF-ELK |
| 2017-05-23 | Rob VandenBrink | What did we Learn from WannaCry? - Oh Wait, We Already Knew That! |
| 2017-05-16 | Russ McRee | WannaCry? Do your own data analysis. |
| 2017-01-12 | Mark Baggett | System Resource Utilization Monitor |
| 2016-10-31 | Russ McRee | SEC505 DFIR capture script: snapshot.ps1 |
| 2016-10-19 | Xavier Mertens | Spam Delivered via .ICS Files |
| 2016-08-11 | Pasquale Stirparo | Looking for the insider: Forensic Artifacts on iOS Messaging App |
| 2016-07-10 | Kevin Liston | Lessons Learned from Industrial Control Systems |
| 2016-05-22 | Pasquale Stirparo | The strange case of WinZip MRU Registry key |
| 2016-03-28 | Xavier Mertens | Improving Bash Forensics Capabilities |
| 2016-03-11 | Jim Clausing | Forensicating Docker, Part 1 |
| 2016-02-18 | Xavier Mertens | Hunting for Executable Code in Windows Environments |
| 2016-01-06 | Russ McRee | toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics |
| 2015-12-04 | Tom Webb | Automating Phishing Analysis using BRO |
| 2015-08-29 | Tom Webb | Automating Metrics using RTIR REST API |
| 2015-04-24 | Basil Alawi S.Taher | Fileless Malware |
| 2015-04-17 | Didier Stevens | Memory Forensics Of Network Devices |
| 2015-03-18 | Daniel Wesemann | New SANS memory forensics poster |
| 2015-02-03 | Johannes Ullrich | Another Network Forensic Tool for the Toolbox - Dshell |
| 2014-08-10 | Basil Alawi S.Taher | Incident Response with Triage-ir |
| 2014-06-22 | Russ McRee | OfficeMalScanner helps identify the source of a compromise |
| 2014-06-03 | Basil Alawi S.Taher | An Introduction to RSA Netwitness Investigator |
| 2014-05-18 | Russ McRee | sed and awk will always rock |
| 2014-03-11 | Basil Alawi S.Taher | Introduction to Memory Analysis with Mandiant Redline |
| 2014-03-07 | Tom Webb | Linux Memory Dump with Rekall |
| 2014-02-09 | Basil Alawi S.Taher | Mandiant Highlighter 2 |
| 2014-01-10 | Basil Alawi S.Taher | Windows Autorun-3 |
| 2013-12-12 | Basil Alawi S.Taher | Acquiring Memory Images with Dumpit |
| 2013-11-21 | Mark Baggett | "In the end it is all PEEKS and POKES." |
| 2013-11-20 | Mark Baggett | Searching live memory on a running machine with winpmem |
| 2013-11-19 | Mark Baggett | Winpmem - Mild mannered memory aquisition tool?? |
| 2013-08-26 | Alex Stanford | Stop, Drop and File Carve |
| 2013-08-14 | Johannes Ullrich | Imaging LUKS Encrypted Drives |
| 2013-07-12 | Rob VandenBrink | Hmm - where did I save those files? |
| 2013-05-23 | Adrien de Beaupre | MoVP II |
| 2013-04-25 | Adam Swanger | SANS 2013 Forensics Survey - https://www.surveymonkey.com/s/2013SANSForensicsSurvey |
| 2013-02-20 | Manuel Humberto Santander Pelaez | SANS SCADA Summit at Orlando - Bigger problems and so far from getting them solved |
| 2012-11-02 | Daniel Wesemann | The shortcomings of anti-virus software |
| 2012-09-14 | Lenny Zeltser | Analyzing Malicious RTF Files Using OfficeMalScanner's RTFScan |
| 2012-07-16 | Jim Clausing | An analysis of the Yahoo! passwords |
| 2012-06-04 | Lenny Zeltser | Decoding Common XOR Obfuscation in Malicious Code |
| 2011-09-29 | Daniel Wesemann | The SSD dilemma |
| 2011-08-05 | Johannes Ullrich | Forensics: SIFT Kit 2.1 now available for download http://computer-forensics.sans.org/community/downloads |
| 2011-03-01 | Daniel Wesemann | AV software and "sharing samples" |
| 2010-11-26 | Mark Hofman | Using password cracking as metric/indicator for the organisation's security posture |
| 2010-11-17 | Guy Bruneau | Reference on Open Source Digital Forensics |
| 2010-05-22 | Rick Wanner | SANS 2010 Digital Forensics Summit - APT Based Forensic Challenge |
| 2010-05-21 | Rick Wanner | 2010 Digital Forensics and Incident Response Summit |
| 2010-04-30 | Kevin Liston | The Importance of Small Files |
| 2010-04-11 | Marcus Sachs | Network and process forensics toolset |
| 2010-03-26 | Daniel Wesemann | SIFT2.0 SANS Investigative Forensics Toolkit released |
| 2009-12-14 | Adrien de Beaupre | Anti-forensics, COFEE vs. DECAF |
| 2009-11-25 | Jim Clausing | Updates to my GREM Gold scripts and a new script |
| 2009-10-20 | Raul Siles | WASC 2008 Statistics |
| 2009-08-18 | Daniel Wesemann | Forensics: Mounting partitions from full-disk 'dd' images |
| 2009-08-13 | Jim Clausing | New and updated cheat sheets |
| 2009-07-02 | Daniel Wesemann | Getting the EXE out of the RTF |
| 2009-02-02 | Stephen Hall | How do you audit your production code? |
| 2009-01-02 | Rick Wanner | Tools on my Christmas list. |
| 2008-11-17 | Marcus Sachs | New Tool: NetWitness Investigator |
| 2008-09-08 | Raul Siles | Quick Analysis of the 2007 Web Application Security Statistics |
| 2008-08-17 | Kevin Liston | Volatility 1.3 Released |
| 2008-08-15 | Jim Clausing | OMFW 2008 reflections |
| 2008-06-18 | Marcus Sachs | Olympics Part II |
https://www.sans.edu
