This week I'm talking about the linux file system from the point of view of a forensic analyst. In general, it's a good idea to have a solid working knowledge of the linux file system so you understand what directories hold what artifacts… Or if you're looking for a specific category of artifact, you at least have an idea of where you may find it. I will cover the home directory this week and breakdown the typical forensic artifacts you find there……

This week I will talk about investigating data spill cases involving exposed URLs. This is a typical privacy investigation many incident response teams handle and I thought it would be useful to go over some standard guidelines for handling such cases. To be effective with these investigations you need to know how to determine liability and responsibility, a little Google foo, and a number of odds and ends concerning mitigation, containment and remediation strategies....

This week is on lateral movement detection techniques. Inspecting Domain Admin account logons is a key component to lateral movement triage. Admin accounts are sought after by attackers for their elevated privileges. Evidence is often left behind both on the targeted system and on the domain controller. Both these factors provide protection opportunity through Windows event log analysis. I’ll break down the method....

This week I want to talk about the value of having functional documentation for your organization, or, at least for your team. Functional documentation means you have thoughtful and up-to-date incident run books, and play books that provide utility and usefulness for a responder. Without such documentation, you are always in danger of some dangerous pitfalls, some of which I'll discuss. This episode I cover what functional documentation is, it's investigative value for an organization, how to get started...