You Are Not Admin with UAC
There is a tendency to focus on what is different when we are faced with newer operating systems. What are the security changes and how does that impact security testing against it? What are the new...
So You Wanna Be A DFIR Blogger
It was a little over two years ago when I started Journey Into Incident Response (aka jIIr). In these two years I learned a lot about blogging on technical topics so I wanted to share some tips and...
Finding An Infection Vector After IT Cleaned the System
Almost every “CSI” episode begins the same way. An attack took someone’s life, first responders secured the crime scene, and then the main characters show up to start processing a well preserved scene....
To Whom It May Concern
This is an open letter to a person I will never get to meet. We will never exchange greetings nor will I ever know their name or identity. I had to settle for an open letter since I’m unable to give...
Different Take on the Rootkit Paradox
Jesse Kornblum’s paper “Exploiting the Rootkit Paradox with Windows Memory Analysis” explains the predicament Rootkits find themselves in. The predicament is: 1. They want to remain hidden....
NTOSBOOT Prefetch File
Knowing the programs that executed on a system can answer numerous questions. The answers can help on a range of cases from acceptable use policy violations to investigations to intrusions to malware....
Extracting ZeroAccess from NTFS Extended Attributes
This past week I was reading a paper about the ZeroAccess Trojan when a section about a clever data hiding technique caught my eye. The paper was Sophos’s The ZeroAccess Botnet: Mining and Fraud for...
A Malware Convergence at jIIr
I normally wait until my blog’s anniversary to post about the direction I want to take in the upcoming year. However, there has been a perfect storm brewing over at jIIr and the eye of the storm would...
Re-Introducing $UsnJrnl
The NTFS change journal ($UsnJrnl) is not a new artifact and has been discussed before by others. The file's importance may have been overlooked since it wasn’t available in Windows XP by default. As...
Layering Data
Layering is defined as the action of arranging something into layers. There are various reasons why data is layered, but I think the most important one is to show a more accurate picture about...
Links for Toolz
The Linkz for various tools have been piling up in the hopper. For some too much time has passed and others have already done an adequate job talking about them. In this long overdue Linkz post I’m...
UAC Impact on Malware
User Account Control (UAC) is a feature in Windows where every application run under an administrator user account only runs in the context of a standard user. UAC not only has an impact on the...
Houston We’ve Had a Problem – Wow64
This is a piggyback post to an issue Harlan has been raising about the Wow64 issue. His most recent post on the subject, Wow64Node: Registry Redirection, goes into detail about what Wow64 is, its impact...
Tracking Down Persistence Mechanisms
On my to-do list for quite some time has been tracking down the various locations in the registry that malware and attackers use to remain persistent on a system. Typically, one of my initial...
Plugin: MenuOrder
A new RegRipper plugin archive was released during the RegRipper Consolidation. The archive contains some new plug-ins; one of them is the MenuOrder.pl plug-in. Before discussing the plug-in I thought...
Plugins: soft_run user_run
The next two RegRipper plugins I wanted to highlight are: soft_run and user_run. Some may have been familiar with what these plugins did and the registry keys they checked. I’m referencing the past...
Thank You and Some jIIr Updates
Thank You. Earlier in the year I sent out a tweet that was driven by disappointment. This blog is for personal use so I barely discuss what kind of work I did. I was in a pretty cool job. On the one hand...
Linkz for Tools & Tips
In this edition of Linkz I’m talking about tools I came across in the past week. There are tool updates, new tools, and some tips about existing tools. Without further ado…. New RegRipper...
Unleashing auto_rip
The most common question someone asks me after they find out the work I do for a living is “what tools do you use”. This occurs regardless of whether the person only knows about digital forensics from TV shows...
Finding Malware Like Iron Man Slide Decks
This year I decided to step out of my comfort zone by presenting at conferences. I’m not a public speaker but I wanted to reach an audience beyond jIIr to provide information that may be helpful to...