Digital Forensic Survival Podcast

Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.
Now displaying: 2023
Dec 26, 2023

Temporary directories play a significant role in computer forensic investigations as they can potentially contain valuable digital evidence. When conducting a computer forensic investigation, these temporary directories can provide insights into user activities, application usage, and potentially malicious behavior...

Dec 19, 2023

This week I’m talking about Regsvcs/Regasm exploitation, which is a Windows tactic attackers use to evade defense mechanisms and execute code. Specifically, this technique can be used to bypass process whitelisting and digital certificate validation. I'll break down some interpretation methods that may be used to identify such exploitation....

Dec 12, 2023

This week I’m talking about Nested Groups and the risk they pose for security. Built into the functionality of Active Directory is the ability to attach a group to another group. While this has advantages for account administration across an organization, it also offers attackers opportunity if certain precautions are not taken. This week I’ll break down Nested Groups in DFIR terms, talk about how attackers take advantage of it and what analysts need to know for investigations.

Dec 5, 2023

This week it's more about lateral movement and Kerberos events.

Nov 28, 2023

In a typical Linux "bin" directory, you can find various types of executable files and scripts that are used to perform different tasks. The confusing part is that there are a number of different BIN directories throughout the file system. What is the purpose and difference between these BIN directories? What do you need to know about them for forensic investigations? The answers to those questions and more are coming up...

Nov 21, 2023

Werfault is an interesting artifact in that there is not a lot of documentation on it, yet it may affect an investigation in different ways. Its appearance in logs sometimes adds a bit of confusion to an investigation because it could mean different things. Add to that a layer of apparent obscurity as to exactly how to interpret the information, which makes it even more difficult for newer examiners. I took on the question...

Nov 14, 2023

Certutil, a powerful command-line utility, possesses the potential for misuse by malicious actors to establish illicit network connections. Therefore, it is crucial to familiarize oneself with its legitimate applications and recognize common indicators of misuse. In this episode, we will delve into the utility of Certutil and identify effective methods to promptly detect and address potential abuses. Stay tuned as we explore these topics in depth...

Nov 7, 2023

This week I'm going to cover an important Windows event that provides valuable information about authentication attempts and potential security breaches. The event may be used to identify compromised accounts, brute force attacks, or password spraying attacks. It may also be used to detect attack or probing activities. The artifact breakdown and triage methodology is coming up...

Oct 31, 2023

In Linux and Unix-based operating systems, the "root" account is the superuser or administrator account with the highest level of privileges. It has complete control over the system and can perform any action, including modifying system files, installing software, and managing user accounts. The root account is sometimes referred to as the "root user" or simply "root"....

Oct 24, 2023

This week we are taking a bit of a deep dive into an advanced attack technique to accomplish remote execution called “fetch and execute.” While there are different methods to accomplish this sort of thing, what I am going to be focusing on is exploitation using a common Windows executable and installation file. Think of this as one of the touted “living off the land” attack techniques. It has value for compromise assessment methods as well as for threat hunting strategies...

Oct 17, 2023

This week I am going to focus on a specific remote execution technique that you may see in the wild. Remote execution is important for incident response investigations but also for file use and knowledge investigations, particularly those that conducted due diligence exams for evidence of malware. I have covered remote execution in the past from different angles and I have done so because it is one of the red flags that an analyst should be looking for. In order to be effective in recognizing either an actual malicious execution or the risk of an attempted remote execution, you must be versed in the clever ways attackers attempt to compromise a host using Microsoft applications. The highlight this week will be CMSTP.exe abuse...

Oct 10, 2023

Finding and analyzing failed logons sometimes is just as important as finding suspicious, actual logon activity. Like anything, context is important. Old logon records offer an opportunity to identify not only suspicious activity, but perhaps attempted activity by an attacker. A standard move in the attack chain is to compromise an account and use it to move within the breached environment. However, it doesn't always work as planned for the attacker, and you may find failed activity a valid signal for identifying malicious actions. This episode, I'm going to take a look at failed logon events from an investigation point of view.

Oct 3, 2023

This week I will discuss the use of the OODA loop and JOHARI window in security incident response investigations. These two frameworks are designed to help organizations quickly and effectively respond to security incidents, and can be used in combination to enhance incident response capabilities....

Sep 26, 2023

This week I'm talking about the Linux file system from the point of view of a forensic analyst. In general, it's a good idea to have a solid working knowledge of the Linux file system so you understand what directories hold what artifacts... Or if you're looking for a specific category of artifact, you at least have an idea of where you may find it. I will cover the home directory this week and break down the typical forensic artifacts you find there...

Sep 19, 2023

This week I will talk about investigating data spill cases involving exposed URLs. This is a typical privacy investigation many incident response teams handle and I thought it would be useful to go over some standard guidelines for handling such cases. To be effective with these investigations you need to know how to determine liability and responsibility, a little Google-fu, and a number of odds and ends concerning mitigation, containment and remediation strategies....

Sep 12, 2023

This week is on lateral movement detection techniques. Inspecting Domain Admin account logons is a key component to lateral movement triage. Admin accounts are sought after by attackers for their elevated privileges. Evidence is often left behind both on the targeted system and on the domain controller. Both these factors provide protection opportunity through Windows event log analysis. I’ll break down the method....

Sep 5, 2023

This week I want to talk about the value of having functional documentation for your organization, or at least for your team. Functional documentation means you have thoughtful and up-to-date incident runbooks and playbooks that provide utility and usefulness for a responder. Without such documentation, you are always in danger of some dangerous pitfalls, some of which I'll discuss. This episode I cover what functional documentation is, its investigative value for an organization, how to get started...

Aug 29, 2023

The Linux subsystem for Windows creates both opportunity and challenges for forensic analysts. It makes Windows an excellent platform for multi-platform forensic analysis tasks, allowing it to take advantage of the many Linux tools available. The challenges are foreseeable: you have Linux artifacts now commingled on a Windows platform, which makes forensic analysis that much more difficult when examining such a system as evidence. This week I'm going to break down the Linux subsystems for forensic investigators...

Aug 22, 2023

This week I'm going to talk about tabletop exercises as part of a security training program. I feel that there is too much focus on technical skill training and not enough focus on actual incident management training in the industry. There are plenty of highly skilled professionals that can do DFIR work... However, a roadblock many organizations and practitioners encounter is the struggle of how to actually implement their knowledge and skills for a security incident response investigation within a specific organization. They may know what to do, but there are many challenges in identifying how to actually do it when the time comes. I will share my thoughts on how to improve your security program through simulation training...

Aug 15, 2023

This week I'm talking about the NIST (National Institute of Standards and Technology) investigation lifecycle. The NIST investigation lifecycle encompasses a series of well-defined steps, starting from problem identification and scoping, through data collection and analysis, to the formulation of conclusions and recommendations. This comprehensive framework ensures that investigations conducted by NIST are rigorous, unbiased, and provide reliable results that can be used to inform decision-making, improve practices, and promote innovation across a wide range of disciplines. More about it...

Aug 8, 2023

This week I'm talking about Linux forensic triage strategy. In particular, I'm covering SSH. SSH traffic comes up in many different types of investigations. For that reason, it is a common and standard artifact every examiner should be familiar with. I will provide you the artifact background and the triage strategy...

Aug 1, 2023

The USN Journal, also known as the Update Sequence Number Journal, is a feature of the Windows operating system that serves as a record of changes made to files and directories on a disk volume. It provides valuable information and insights into file system activities, which can aid investigators in reconstructing events, understanding system behavior, and uncovering evidence. This week I break down the artifact from a DFIR point of view and provide triage strategy...

Jul 25, 2023

This week Jason Roslewicz from SUMURI returns for some web 3.0 and virtual reality talk.

Jul 18, 2023

This week I talk about adding, modifying, and removing network shares through the lens of detecting lateral movement.

Jul 11, 2023

This week I break down the three Windows task hosts from a DFIR point of view.
