20 02 2013
I read a blog post by Boe Prox while sitting on the beach in Cebu this past weekend, who, oddly enough, is the same guy I used to work with about 6+ years ago when I was working for BAE Systems back in Nebraska. Small world, eh? In either case, here is the post: Write to an [...]
mmls, Powershell Forensics, The Sleuth Kit, Timeline analysis, Timestomping, TSK
20 12 2012
Welcome back for the final part of my APTish Attack via Metasploit series. If you haven’t read any of the other posts, I suggest you read them so you can get an idea of where we are starting from. You can find them here: Part I, Part II, and Part III. Let’s get started… TIMELINE ANALYSIS: [...]
Netcat, pasco, Prefetch, timeline, TIOR.exe, UserAssist
30 11 2012
Hello all, I wanted to take a few minutes and let you know that I am releasing some code I have been working on over the past couple of weeks. I blogged a while back about how I wanted to learn more about Python while also learning about digital forensics. Well, I finally got around to it [...]
BARFF, Browser Malware, parse chrome, parse firefox, parse google drive
21 11 2012
INTRO: Some of you might be familiar with GrrCon [1]. I wasn’t until this year. I found out about them after reading a post by the Volatility guys/gals [2]. In the post they discuss how they used Volatility to analyze the GrrCon challenge. The write-up on the analysis was really good, and it goes to show the power of memory forensics. [...]
netscan, printkey, printkey -K, procmemdump, pslist, psxview, Volatility
19 11 2012
Welcome back for Part II, where I will cover a bit of log analysis using the cloud-based SplunkStorm logging system. I’m going to assume you have read the first post in this series. If not, you can find it here. This will give you a frame of reference as to where I am going with [...]
Splunk and Metasploit, Splunk Windows Security
22 10 2012
UPDATE: Jeff’s tool now supports memory acquisition. You can find out more here. So I was getting my morning dose of DFIR reading on the train this morning and couldn’t help but notice Jeff Bryner’s email message to the SANS mailing list about a tool he modified to help us DFIR guys – you can find out [...]
log2timeline, NBDS, Network Block Device Server, TSK
22 09 2012
It’s been a while since I last posted. I’ve been super busy, but I had some time today. I found this a bit interesting, so I thought I would share. I haven’t looked at browser-based malware much lately. Let’s get started. I was looking online at Malware Domain List and saw an HTML file that [...]
Blackhole, Browser Malware, Obfuscated iframe, Reverse Engineering Blackhole Exploit
7 08 2012
Ambush IPS
So I ran across a tweet from one of my friends (@obscuresec) mentioning something about Ambush IPS, and he also provided a video link. I had never heard of Ambush before, so I proceeded to check the tweet out and watch the BSides Las Vegas 2012 video presented by the author of the tool (@scriptjunkie1/Matt Weeks). I highly suggest [...]
ambuships, HIDS
21 07 2012
So I was looking at Google Analytics at some of the search queries that bring people to my blog and noticed a huge list of “How to” questions. I thought it would be neat to sort all of them and answer each of the questions. Some of them were quite funny, but I guess at the same [...]
$MFT, DEFT, fls, icat, mactime, MBR, OpenMRU, Prefetch Files, SaveMRU, SIFT, The Sleuth Kit, tsk_recover, UserAssist, Zeus Malware