System Forensics

All your artifacts are belong to me.

Your Registry Blobs Belong to Me (RegHexDump)

So I was reading Trend’s blog post Without a Trace: Fileless Malware Spotted in the Wild and although not totally new, it got me thinking a bit. I downloaded some of the MD5s they posted and started infecting my lab box. I noticed a couple different behaviors when infecting my lab machine with two different […]


WinZip MRU Tool Check

I was playing around with WinZip today and noticed something, and I wanted to write it down before I forgot to document it. I still need to do some analysis, but I wanted to make it known if it wasn’t already. This has to do with the following WinZip registry entry: Software\Nico Mak Computing\WinZip\mru\archives While writing a new […]

Python Registry Parser (regparse)

I released a tool called Python Registry Parser (or regparse for short), which is a plugin-based Windows Registry parser written in Python. The reason for writing regparse was threefold. 1) I don’t like the output that current registry parsers (GUI/non-GUI) provide. 2) I like RegRipper, but didn’t want to learn Perl. 3) I […]

Manage DFIR Information – A possible solution?

I posted a tweet yesterday asking for some blog request ideas, because I was kind of running out of ideas to write about. So then @Hexacorn tweeted me saying, “perhaps there should be a place where ppl can submit DFIR/RCE requests that interested bloggers could research & write about?” That makes sense. Here I […]

Forensics in the Amazon Cloud – EC2

Businesses of all sizes seem to be moving at least some operations to the cloud. It’s only a matter of time before you get a phone call asking you to conduct some kind of cloud forensics and/or incident response. Why wait for that phone call before you start diving into the “know how” of conducting […]


Automating Data Reduction via Whitelists

In a previous post (Build your own NSRL Server) I showed people how to get an NSRL server set up so they could filter whitelisted hashes out of md5deep output. I found that I didn’t like that method and never really used it. I had plenty of RAM, so I kept for-looping through my text file of whitelisted files. […]
