Category: Windows Incident Response

Ransomware artifacts

I recently read through this FalconFeeds article on Qilin ransomware; being in DFIR consulting for as long as I have, and given how many ransomware incidents I’ve responded to or dug into, articles with titles like this attract my attention.…

Hunting Fileless Malware

I ran across Manuel Arrieta’s Hunting Fileless Malware in the Windows Registry article recently, and found it to be an interesting read. Let me start by saying that the term “fileless malware”, for me, is like finger nails dragged down…

Program Execution, follow-up pt II

On the heels of my previous post on this topic, it occurred to me that this tendency to incorrectly refer to ShimCache and AmCache artifacts as “evidence of execution” strongly indicates that we’re also not validating program execution. That is…

I’ve Seen Things, pt II

As a follow-on to my previous post with this title, I wanted to keep the story going; in fact, there are likely to be several more posts in this series, so stay tuned. And hey, I’m not the only one…

Program Execution, follow-up

Last Nov, I published a blog post titled Program Execution: The ShimCache/AmCache Myth as a means of documenting, yet again and in one place, the meaning of the artifacts. I did this because I kept seeing the “…these artifacts illustrate program…

I’ve Seen Things

I like the movie “Blade Runner”. I’ve read Philip K. Dick’s “Do Androids Dream of Electric Sheep”, on which the movie is based. So what does this have to do with anything? Well, I’ve been around the…

Know Your Tools

In 1998, I was in a role where I was leading teams on-site to conduct vulnerability assessments for organizations. For the technical part of the assessments, we were using ISS’s Internet Scanner product, which was a commercial scanner. Several years…

WMI

The folks over at CyberTriage recently shared a complete guide to WMI; it’s billed as a “complete guide to WMI malware”, and it covers a great deal more than just malware. They cover examples of discovery and enumeration, as well…

The Problem with the Modern Security Stack

I read something interesting recently that stuck with me. Well, not “interesting”, really…it was a LinkedIn post on security sales. I usually don’t read or follow such things, but for some reason, I started reading through this one, and really…

Lina’s Write-up

Lina recently posted on LinkedIn that she’d published another blog post. Her blog posts are always well written, easy to follow, fascinating, and very informative, and this one did not disappoint. In short, Lina says that she found a bunch…

The Role of AI in DFIR

The role of AI in DFIR is something I’ve been noodling over for some time, even before my wife first asked me the question of how AI would impact what I do. I guess I started thinking about it when…

Artifacts: Jump Lists

In order to fully understand digital analysis, we need to have an understanding of the foundational methodology, as well as the various constituent artifacts on which a case may be built. The foundational methodology starts with your goals…what are you…

Carving

Recovering deleted data, or “carving”, is an interesting digital forensics topic; I say “interesting” because there are a number of different approaches and techniques that may be valuable, depending upon your goals. For example, I’ve used X-Ways to recover deleted…

UEPOTB, LNK edition

A while back, Jesse Kornblum published a paper titled, “Using Every Part of the Buffalo in Windows Memory Analysis”. This was, and still is, an excellent paper, based on its content and how it pertained to the subject (Windows memory…

FTSCon

I had the distinct honor and pleasure of speaking at the “From The Source” Conference (FTSCon) on 21 Oct, in Arlington, VA. This was a 1-day event put on prior to the Volexity memory analysis training, and ran two different…