Post Compilation

For this post, I’ll throw out a bunch of little snippets, or “post-lets”, covering a variety of DFIR topics rather than one big post that covers one topic.

What’s Old Is New Again
In February 2016, Mari published a fascinating blog post regarding the VBAWarnings value. That was a bit more than 6 1/2 years ago, which in "Internet time" is several lifetimes.

Just this past September, Avast shared a write-up of the Roshtyak component of Raspberry Robin, describing some of the techniques used by this malware, including checking the VBAWarnings value as a means of "detecting" virtual or testing environments.
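As an added example (not code from the original post, nor from Mari's or Avast's write-ups), here is a PowerShell audit that walks every Office version and application under a user hive, reads VBAWarnings, and decodes it using the documented macro-notification values (1 = enable all, 2 = disable with notification, 3 = signed only, 4 = disable all). It assumes the standard per-app key layout under Software\Microsoft\Office\<ver>\<App>\Security and the matching Software\Policies path; the -HiveRoot parameter and the 'Evidence' key name are my own, for pointing it at an NTUSER.DAT loaded from an image.

```powershell
# Added example: audit VBAWarnings across Office apps/versions in a user hive.
# Value meanings follow the "VBA Macro Notification Settings" policy documentation.
# For a dead-disk image, first:  reg load HKU\Evidence C:\case\NTUSER.DAT
# then call with -HiveRoot 'Registry::HKEY_USERS\Evidence' (assumed key name).
$meaning = @{
    1 = 'Enable all macros (run without prompting)'
    2 = 'Disable all macros with notification (default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-VBAWarningsAudit {
    param([string]$HiveRoot = 'HKCU:')   # live hive of the current user by default
    # Per-user settings, then administrator policy (policy wins if both exist)
    $roots = @("$HiveRoot\Software\Microsoft\Office",
               "$HiveRoot\Software\Policies\Microsoft\Office")
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # Version subkeys look like 14.0, 15.0, 16.0; skip Common, Registration, etc.
        $versions = Get-ChildItem $root | Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
        foreach ($ver in $versions) {
            foreach ($app in Get-ChildItem "$root\$($ver.PSChildName)") {
                $sec = "$root\$($ver.PSChildName)\$($app.PSChildName)\Security"
                if (-not (Test-Path $sec)) { continue }
                $val = (Get-ItemProperty -Path $sec -Name VBAWarnings `
                        -ErrorAction SilentlyContinue).VBAWarnings
                $text = if ($null -eq $val) { $meaning[2] + ' (value absent)' }
                        elseif ($meaning.ContainsKey([int]$val)) { $meaning[[int]$val] }
                        else { 'Unrecognised value' }
                [pscustomobject]@{
                    Source      = if ($root -like '*Policies*') { 'Policy' } else { 'User' }
                    Version     = $ver.PSChildName
                    App         = $app.PSChildName
                    VBAWarnings = if ($null -eq $val) { '-' } else { $val }
                    Meaning     = $text
                    # A value of 1 means macros run silently; worth a closer look in DFIR
                    Suspicious  = ($val -eq 1)
                }
            }
        }
    }
}

Get-VBAWarningsAudit | Sort-Object App, Version, Source | Format-Table -AutoSize
```

A missing VBAWarnings value is reported as the default (2), so an explicit 1 stands out as something a user, or something running as the user, changed.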

Getting PCAPs
When I've been asked on-site (or remotely), it's most often been after an incident has happened. However, that doesn't mean that I shouldn't have a means available for myself, or to share with IT admins, to collect pcaps. Having something like this readily available can be very beneficial when you need it.

It seems that Windows 10 and above come with a native tool for collecting network traffic called pktmon.

Prefer PowerShell? Doug Metz over at BakerStreetForensics has a solution for you.

I've used bulk_extractor to get pcaps from memory dumps; because it uses a different means of identifying network connections than Volatility does, running both is a really, REALLY good idea! So good, as a matter of fact, that I included an example of this in Investigating Windows Systems, which just shows that regardless of the version of Windows you're dealing with, the process still holds up.

Memory Analysis
Or, if you’re looking for a bit more, consider bulk

[…]