Category: Windows Incident Response

WMI

The folks over at CyberTriage recently shared a complete guide to WMI; it’s billed as a “complete guide to WMI malware”, and it covers a great deal more than just malware. They cover examples of discovery and enumeration, as well…

The Problem with the Modern Security Stack

I read something interesting recently that stuck with me. Well, not “interesting”, really…it was a LinkedIn post on security sales. I usually don’t read or follow such things, but for some reason, I started reading through this one, and really…

Lina’s Write-up

Lina recently posted on LinkedIn that she’d published another blog post. Her blog posts are always well written, easy to follow, fascinating, and very informative, and this one did not disappoint. In short, Lina says that she found a bunch…

The Role of AI in DFIR

The role of AI in DFIR is something I’ve been noodling over for some time, even before my wife first asked me the question of how AI would impact what I do. I guess I started thinking about it when…

Artifacts: Jump Lists

In order to fully understand digital analysis, we need to have an understanding of the foundational methodology, as well as the various constituent artifacts on which a case may be built. The foundational methodology starts with your goals…what are you…

Carving

Recovering deleted data, or “carving”, is an interesting digital forensics topic; I say “interesting” because there are a number of different approaches and techniques that may be valuable, depending upon your goals. For example, I’ve used X-Ways to recover deleted…

UEPOTB, LNK edition

A while back, Jesse Kornblum published a paper titled, “Using Every Part of the Buffalo in Windows Memory Analysis“. This was, and still is, an excellent paper, based on its content and how it pertained to the subject (Windows memory…

FTSCon

I had the distinct honor and pleasure of speaking at the “From The Source” Conference (FTSCon) on 21 Oct, in Arlington, VA. This was a 1-day event put on prior to the Volexity memory analysis training, and ran two different…

Artifact Tracking: Workstation Names

Very often in cybersecurity, we share some level of indicators of compromise (IOCs), such as IP addresses, domain names, or file names or hashes. There are other indicators associated with many compromises or breaches that can add a great deal…

Analysis Process

Now and again, someone will ask me, “…how do you do analysis?” or perhaps more specifically, “…how do you use RegRipper?” This is a tough question to answer, but not because I don’t have an answer. I’ve already published a book…

Rundown

I ran across a fascinating post from Cyber Sundae DFIR recently that talked about the Capability Access Manager, and how with Windows 11 it includes a database of applications that have accessed devices such as the mic or camera, going beyond just…

Exploiting LNK Metadata

Anyone who’s followed me for a bit knows that I’m a huge proponent of metadata, and in particular, exploiting metadata in LNK files that threat actors create, use as lures, and send to their targets. I read an article not…

Shell Items

I ran across a Cyber5W article recently titled, Windows Shell Item Analysis. I’m always very interested in not only understanding parsing of various data sources from Windows systems, but also learning a little something about how others view the topic. …

RegRipper Educational Materials

A recent LinkedIn thread led to a question regarding RegRipper educational materials, as seen in figure 1; specifically, are there any.

Figure 1: LinkedIn request

There are two books that address the use of RegRipper; Windows Registry Forensics, and Investigating…

What is “Events Ripper”?

I posted to LinkedIn recently (see figure 1), sharing the value I’d continued to derive from Events Ripper, a tool I’d written largely for my own use some time ago.

Fig. 1: LinkedIn post

From the comments to this and…