Mr Silverlight Drive-by Meet Volatility Timelines
I recently had the opportunity to attend the Volatility Windows Malware and Memory Forensics Training. Prior to the training, I used memory forensics (and thus Volatility) in different capacities but...
Malware Root Cause Analysis Don't Be a Bone Head Slide Deck
Today I gave a presentation titled Malware Root Cause Analysis Don't Be a Bone Head at the New York State Cyber Security Conference. This presentation was a follow-up to the presentation I gave last...
Review of Windows Forensic Analysis 4th Edition
About a month ago I finished reading Windows Forensic Analysis 4th Edition by Harlan Carvey. Due to personal obligations I was unable to post my WFA 4/e review until now. All in all the 4th edition is...
Improving Your Malware Forensics Skills
By failing to prepare, you are preparing to fail. ~ Benjamin Franklin
In many ways preparation is key to success. Look at any sporting event and the team who usually comes out on top are the ones who are...
Linkz for SIEM
Security information and event management (SIEM) has been an area where I have spent considerable time researching. My research started out as curiosity to see if the technology could solve some...
Review of Penetration Testing: A Hands-On Introduction to Hacking
Helping train a computer security incident response team (CSIRT) comes with the territory when building out an enterprise incident response process. As I was reading No Starch's recently released...
Where's the IR in DFIR Training?
I'm writing this post to voice a concern about trainings for incident response. I am painting this picture with a broad stroke. The picture does not apply to every $vendor nor does it apply to every...
auto_rip, tr3secure_collection & DFS updates
This post is a quick update about a few things I've been working on over the years.
auto_rip updates
auto_rip is a wrapper script for Harlan Carvey's RegRipper and the script has a few updates. For those...
SIEM Use Case Implementation Mind Map
Building out an organization's security detection capability can be a daunting task. The complexity of the network, number of applications/servers/clients, the sheer number of potential threats, and...
CSIRT Request Tracker Installation Guide
In this post I'm releasing an installation guide to build a custom ticketing system to track and document security incidents. The guide contains nothing groundbreaking; just instructions on how to...
Timeline Analysis by Categories
Organizing is what you do before you do something, so that when you do it, it is not all mixed up. ~ A. A. Milne
"Corey, at times our auditors find fraud and when they do sometimes they need help...
Tr3Secure Collection Script Updated
On my to-do list for some time has been to add support back into the Tr3Secure collection script to obtain the NTFS Change Journal ($UsnJrnl). This is a quick post about this functionality being added...
Thanks for Reading and Sharing
It was a little over four years ago I started a new journey. The timing wasn't the best when I took my first step into the blogging world. My family welcomed our third son into the world, I was doing...
Triaging with Tr3Secure Script's NTFS Artifacts Only Option
An alert fires about an end point potentially having a security issue. The end point is not in the cubicle next to you, not down the hall, and not even in the same city. It's miles away in one of your...
The Hammer Is Not Broken
I went to my local hardware store to buy one of the latest hammers. I brought the hammer home but it was unable to build the shed in my backyard. I spoke to someone else who said something similar....
Prefetch File Meet Process Hollowing
There are times when you are doing research and you notice certain behavior. You may have been aware of the behavior but you never considered the impact it has on other artifacts we depend on during...
The Art of Memory Forensics Book Review
Christmas is in the rear view mirror and you may be left wondering about the gift you didn't find under the tree. The gift loaded with DFIR goodness to bring you into the new year. A gift you can use...
Triaging a System Infected with Poweliks
Change is one of the only constants in incident response. In time most things will change; technology, tools, processes, and techniques all eventually change. The change is not only limited to the...
Linkz for Detection and Response
The fastest way to reach a destination is to learn from those who have traveled parts of the journey you are on. Others may point you in a direction to avoid the obstacles they faced or show you the...
Process Hollowing Meets Cuckoo Sandbox
Growing up I loved to watch horror movies. In hindsight, they scared the crap out of me probably because I was too young to watch them. One such movie was the 1986 movie Night of the Creeps. Alien...