Ripping VSCs – Tracking User Activity
For the past few months I have been discussing a different approach to examining Volume Shadow Copies (VSCs). I’m referring to the approach as Ripping VSCs and the two different methods to implement...
Second Look at Prefetch Files
The one thing I like about sharing is when someone opens your eyes about additional information in an artifact you frequently encounter. Harlan has been posting about prefetch files and the information...
Volume Shadow Copy Timeline
Windows 7 has various artifacts available to help provide context about files on a system. In previous posts I illustrated how the information contained in jump lists, link files, and Word documents...
Tale as Old as Time: Don’t Talk To Strangers
I was enjoying my Saturday afternoon doing various things around the house. My phone started ringing; the caller ID showed it was from out of the area. I usually ignore these types of calls, but I...
Improvise Adapt Overcome
Everybody has a story about how they became involved in DFIR. Showing the different avenues people took to reach the same point can be helpful to others trying to break into the field. I’ve been...
Cleaning Out the Linkz Hopper
Volume Shadow Copies have been my main focus on the blog for the past few months. I took the time needed to share my research because I wanted to be thorough so others could use the information. As a...
Practical Malware Analysis Book Review
There are times when I come across malware on systems. It happens when I’m helping someone with computer troubles, processing a DFIR case, or providing assistance on a security incident. It seems as...
More About Volume Shadow Copies
CyberSpeak Podcast About Volume Shadow Copies
I recently had the opportunity to talk with Ovie about Volume Shadow Copies (VSCs) on his CyberSpeak podcast. It was a great experience to meet Ovie and see...
Finding Fraudulent Documents Preview
Anyone who looks at the topics I discuss on my blog may not easily see the kind of cases I frequently work at my day job. For the most part my blog is a reflection of my interests, the topics I’m...
Compromise Root Cause Analysis Model
A common question runs through my mind every time I read an article about: another targeted attack, a mass SQL injection attack, a new exploit being rolled into exploit packs, or a new malware...
Computers Don’t Get Sick – They Get Compromised
Security awareness campaigns have done an effective job of educating people about malware. The campaigns have even reached the point to where if people hear certain words they see images in their...
Detect Fraud Documents 360 Slides
I recently had the opportunity to attend the SANS Digital Forensics and Incident Response summit in Austin, Texas. The summit was a great con; from the outstanding presentations to networking with...
Metasploit The Penetration Testers Guide Book Review
A penetration test is a method to locate weaknesses in an organization’s network by simulating how an attacker may circumvent the security controls. The Preface indicated Metasploit The Penetration...
Combining Techniques
“You do intrusion and malware investigations, we do CP and fraud cases” is a phrase I saw Harlan mention a few times on his blog. To me the phrase is more about how different the casework is; about how...
Malware Root Cause Analysis
The purpose of performing root cause analysis is to find the cause of a problem. Knowing a problem’s origin makes it easier to take steps to either resolve the problem or lessen the impact the next...
Welcome to Year 2
This past week I was vacationing with my family when my blog surpassed another milestone. It has been around for two years and counting. Around my blog’s anniversary I like to reflect back on the...
Linkz for Tools
In this Linkz edition I’m mentioning write-ups discussing tools. A range of items are covered from the registry to malware to jump lists to timelines to processes.
RegRipper Updates
Harlan has been...
Man versus AntiVirus Scanner
Knowing what programs ran on a system can answer numerous questions about what occurred. What was being used to communicate, what browsers are available to surf the web, what programs can create...
From Malware Analysis to Portable Clam AV
Malware forensics can answer numerous questions. Is there malware on the system, where is it, how long has it been there, and how did it get there in the first place? Despite all the questions malware...
Linkz for Toolz
It looks like Santa put his developers to work so they could deliver an early Christmas for those wanting DFIR goodies. Day after day this week there was either a new tool being released or an updated...