System Forensics

All your artifacts are belong to us.

Manage DFIR Information – A possible solution?

I posted a tweet yesterday asking for some blog request ideas here because I was kind of running out of ideas to write about. So then @Hexacorn tweeted me saying, “perhaps there should be a place where ppl can submit DFIR/RCE requests that interested bloggers could research & write about?” That makes sense. Here I […]

Forensics in the Amazon Cloud – EC2

Businesses of all sizes seem to be moving at least some operations to the cloud. It’s only a matter of time before you get a phone call asking you to conduct some kind of cloud forensics and/or incident response. Why wait for that phone call before you start diving into the “know how” of conducting […]


Automating Data Reduction via Whitelists

In a previous post (Build your own NSRL Server) I showed people how to get an NSRL server set up so they could filter out whitelisted hashes from md5deep output. I found that I didn’t like that method and never really used it. I had plenty of RAM, so I kept for-looping through my text file of whitelisted files. […]


Do not fumble the lateral movement

I posted a blog post about Windows Processes and how knowing what’s “normal” can be used to spot malicious processes. You can find the post here: I got quite a bit of positive feedback on that post so I figured I would write a similar one for spotting lateral movement on systems. Let me […]


Know your Windows Processes or Die Trying

I have been talking with quite a few people lately tasked with “security” inside their organizations and couldn’t help but notice their lack of understanding when it came to Windows process information. I figured if the people I have talked with don’t understand then there are probably a lot more people that don’t understand. I’m […]


Build your own NSRL Server

It’s been a long time since I wrote a blog post. I moved to Singapore and started a new job and I simply lost track of time. I couldn’t let the year end without getting at least a few posts up. I promise 2014 will be better as I actually missed blogging this year. This […]


LastWriteTime and LastAccessTimes via Powershell

I read a blog post by Boe Prox while sitting on the beach in Cebu this past weekend, who, oddly enough, is the same guy I used to work with about 6+ years ago when I was working for BAE Systems back in Nebraska. Small world, eh? In either case here is the post: Write to an […]


APTish Attack via Metasploit – Part IV – File System Forensics

Welcome back for the final part of my APTish Attack via Metasploit series. If you haven’t read any of the other posts I suggest you read them so you can get an idea of where we are starting from. You can find them here: Part I, Part II, and Part III. Let’s get started… TIMELINE ANALYSIS: […]

