System Forensics

All your artifacts are belong to us.

WinZip MRU Tool Check

I was playing around with WinZip today and noticed something and wanted to write it down before I forgot to document it. I still need to do some analysis, but wanted to make it known if it wasn’t already. This has to do with the following WinZip registry entry: Software\Nico Mak Computing\WinZip\mru\archives While writing a new […]


Python Registry Parser (regparse)

I released a tool called Python Registry Parser (or regparse for short), which is a plugin-based Windows Registry parser written in Python. The reason for writing regparse was threefold. 1) I don’t like the output that current registry parsers (GUI/non-GUI) provide. 2) I like RegRipper, but didn’t want to learn Perl. 3) I […]

Manage DFIR Information – A possible solution?

I posted a tweet yesterday asking for some blog request ideas here because I was kind of running out of ideas to write about. So then @Hexacorn tweeted me saying, “perhaps there should be a place where ppl can submit DFIR/RCE requests that interested bloggers could research & write about?” That makes sense. Here I […]

Forensics in the Amazon Cloud – EC2

Businesses of all sizes seem to be moving at least some operations to the cloud. It’s only a matter of time before you get a phone call asking you to conduct some kind of cloud forensics and/or incident response. Why wait for that phone call before you start diving into the “know how” of conducting […]


Automating Data Reduction via Whitelists

In a previous post (Build your own NSRL Server) I showed people how to get a NSRL server setup so they could filter out whitelisted hashes from md5deep output. I found that I didn’t like that method and never really used it. I had plenty of RAM, so I kept for-looping through my text file of whitelisted files. […]
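The excerpt above is about filtering md5deep output against a whitelist of known-good hashes. What follows is an added example, not code from the sysforensics.org post or from the NSRL server it describes: it loads the whitelist into a set once (so each lookup is constant time instead of a loop over the whole text file) and streams md5deep's default "hash, two spaces, path" lines through it. It assumes the whitelist is either an NSRL RDS-style CSV with an "MD5" column or a plain one-hash-per-line file. The sample rows and paths are constructed; the two whitelisted MD5s are the well-known digests of the empty string and of "The quick brown fox jumps over the lazy dog", and the "unknown" hash is made up.

```python
"""Whitelist-based data reduction for md5deep output (added example)."""
import csv
import io
import re

# Constructed NSRL RDS-style rows. Real RDS files use this header and quoted,
# upper-case hex; the SHA-1/CRC32 values and file names here are made up.
NSRL_SAMPLE = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    '"0000000000000000000000000000000000000001","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.txt","0","1","358",""\n'
    '"0000000000000000000000000000000000000002","9E107D9D372BB6826BD81D3542A419D6","00000000","fox.txt","43","1","358",""\n'
)

# Constructed md5deep output: hash, two spaces, path. Note the path with
# spaces and the one file whose hash is not in the whitelist.
MD5DEEP_SAMPLE = (
    "d41d8cd98f00b204e9800998ecf8427e  C:\\Windows\\empty.txt\n"
    "9e107d9d372bb6826bd81d3542a419d6  C:\\Program Files\\Some App\\fox.txt\n"
    "e1c0ec2e3a1b5d9f4a7b8c9d0e1f2a3b  C:\\Users\\Public\\evil tools\\dropper.exe\n"
    "not a valid md5deep line\n"
)

MD5_RE = re.compile(r"[0-9a-fA-F]{32}")


def load_whitelist(stream, column="MD5"):
    """Return a set of lower-case MD5 hashes read from `stream`.

    If the first row contains `column` it is treated as an NSRL RDS header
    and only that column is read; otherwise every first field is taken as a
    hash (plain one-hash-per-line file). Hashes are lower-cased because NSRL
    ships upper-case hex while md5deep prints lower-case.
    """
    hashes = set()
    reader = csv.reader(stream)
    header = next(reader, None)
    if header is None:
        return hashes
    if column in header:
        idx = header.index(column)
        rows = reader
    else:
        idx = 0
        rows = [header] + list(reader)
    for row in rows:
        if len(row) > idx:
            value = row[idx].strip().lower()
            if MD5_RE.fullmatch(value):
                hashes.add(value)
    return hashes


def parse_md5deep_line(line):
    """Split one md5deep line into (hash, path) or return None if malformed.

    md5deep separates hash and path with two spaces; paths may themselves
    contain spaces, so only the first occurrence is used as the separator.
    """
    line = line.rstrip("\r\n")
    digest, sep, path = line.partition("  ")
    if not sep or not MD5_RE.fullmatch(digest) or not path:
        return None
    return digest.lower(), path


def filter_unknown(md5deep_lines, whitelist):
    """Yield (hash, path) for every well-formed line whose hash is not whitelisted."""
    unknown = []
    for line in md5deep_lines:
        parsed = parse_md5deep_line(line)
        if parsed is None:
            continue  # skip blank or malformed lines rather than failing the run
        digest, path = parsed
        if digest not in whitelist:
            unknown.append((digest, path))
    return unknown


def demo():
    """Run the reduction over the constructed samples and return what survives."""
    whitelist = load_whitelist(io.StringIO(NSRL_SAMPLE))
    return filter_unknown(io.StringIO(MD5DEEP_SAMPLE), whitelist)


if __name__ == "__main__":
    for digest, path in demo():
        print(f"{digest}  {path}")
```

On a real case the same functions take `open("NSRLFile.txt")` and the saved md5deep output; only the hashes that are not in the set are left for review.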


Do not fumble the lateral movement

I posted a blog post about Windows Processes and how knowing what’s “normal” can be used to spot malicious processes. You can find the post here: http://sysforensics.org/2014/01/know-your-windows-processes.html I got quite a bit of positive feedback on that post so I figured I would write a similar one for spotting lateral movement on systems. Let me […]


Know your Windows Processes or Die Trying

I have been talking with quite a few people lately tasked with “security” inside their organizations and couldn’t help but notice their lack of understanding when it came to Windows process information. I figured if the people I have talked with don’t understand, then there are probably a lot more people that don’t understand. I’m […]


Build your own NSRL Server

It’s been a long time since I wrote a blog post. I moved to Singapore and started a new job and I simply lost track of time. I couldn’t let the year end without getting at least a few posts up. I promise 2014 will be better as I actually missed blogging this year. This […]

