Info

Digital Forensic Survival Podcast

Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.
RSS Feed
Digital Forensic Survival Podcast
2024
April
March
February
January


2023
December
November
October
September
August
July
June
May
April
March
February
January


2022
December
November
October
September
August
July
June
May
April
March
February
January


2021
December
November
October
September
August
July
June
May
April
March
February
January


2020
December
November
October
September
August
July
June
May
April
March
February
January


2019
December
November
October
September
August
July
June
May
April
March
February
January


2018
December
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
July
June
May
April
March
February


All Episodes
Archives
Now displaying: 2024
Apr 9, 2024

In the last episode on this topic, I covered SSH from a investigation point of view. I explained SSH and the artifacts that typically come up when your investigating. In this episode, we're getting into the triage methodology. This includes the artifacts targeted for a fast, but yet effective triage for notable SSH activity on a given host.

Apr 2, 2024

SSH is a protocol used to secure remote access to systems, making it a cornerstone in safeguarding sensitive information and ensuring secure communications. In this podcast, we will delve into the basics of SSH, its key concepts and other useful elements important for context when investigating for notable SSH activity.

Mar 26, 2024

This week I'm discussing a fundamental aspect of cybersecurity: incident response preparation. Effective incident response is paramount, and preparation is the key to success. This preparation includes comprehensive documentation, training, having the right tools and resources in place, and developing incident response plans and playbooks. It also involves ensuring clear communication protocols and conducting regular training and testing. 

I'll explore preparation from the perspective of the investigation life cycle, where success is the reward for preparation. Join me as I uncover the importance of preparation in incident response and how it lays the foundation for success in investigations.

Mar 19, 2024

Today I'm talking Windows forensics, focusing on Windows event logs. These logs are very valuable for fast triage, often readily available in your organization's SIEM. But have you ever wondered about the processes enabling this quick access? Not only are the logs automatically collected and fed into the appliance, but they are also formatted and normalized for easy data searchability. This is crucial, as the logs are originally in a complex format challenging to natively interpret. Now, picture a scenario where event logs are inaccessible through a security appliance—enter this week's topic: EVTX analysis options. Don't be caught unprepared.

Mar 12, 2024

In this podcast episode, we talk about Linux's `memfd` – a virtual file system allowing the creation of anonymous memory areas for shared memory or temporary data storage. Threat actors exploit `memfd` for fileless malware attacks, as its memory areas exist only in RAM, evading traditional file-based detection methods. Join me as I `memfd` as a forensic artifact, its implications in DFIR, and strategies for detecting its abuse.

Mar 5, 2024

This week we explore into the world of Windows service event codes and their role in forensic investigations. Windows services are background processes crucial for system functionality, running independently of user interaction- making them ideal. Target were exploitation. Join me to explore the intricate details of Windows services and their significance in digital forensics.

Feb 27, 2024

This week, we're delving into the realm of fast flux, a cunning technique employed by attackers to cloak their true, malicious domains. Its effectiveness is the reason behind its widespread use, making it crucial for analysts to grasp its nuances and avoid chasing elusive ghosts during investigations. Stay tuned as I unravel the intricacies of fast flux, providing insights into what it entails and offering valuable tips on how to effectively detect it. All this and more coming your way!

Feb 20, 2024

In this week's exploration, I'm delving into the intricate realm of the Master File Table (MFT), a pivotal forensic artifact in Windows investigations. The MFT provides a valuable gateway to decode evidence across various scenarios. Join me in this episode as we unravel the forensic basics, explore diverse use cases, and discover a range of tools that empower you to unlock the full potential of this invaluable artifact.

Feb 13, 2024

This week I delve into the intriguing domain of Linux malware triage. The Linux platform presents forensic analysts with a unique opportunity to excel in performing malware triage effortlessly. The beauty of it lies in the fact that you don't require any specialized tools; all you need is a solid grasp of a few commands and the ability to decipher their output. With these skills in your arsenal, any analyst can swiftly and efficiently navigate through the process of malware triage. Stay tuned for more insights on this in the upcoming discussion!

Feb 6, 2024

This week I’m going to talk about New Service Installation details recorded in Windows event logs. These have a number of advantages for your triage methodology and I will have all the details coming up. 

Jan 30, 2024

Organizations leverage third-party services more and more for business advantages. For the security professional, this means the organizational data you're charged with protecting is under the control of a third-party in some way shape or form. In this episode, I cover third-party risk landscape for security professionals with a special focus on identifying scope and responsibility.

Jan 23, 2024

Cron become important and Linux forensics when you’re talking about persistence. Think scheduled tasks if you want a Windows equivalent. The artifact is not that difficult to analyze once you understand the elements to focus on and it is typically readily available. It’s something that you can check out a live system, gather with a collection script, and more and more security appliances are designed to access the artifact as well. I’ll...

Jan 16, 2024

Ransomware cases can be particularly challenging, especially during the initial response. They tend to be fast-paced and require the responder to simultaneously prioritize a number of tasks. Each of these tasks can have critical impact upon the outcome of the response and subsequent investigation. In this episode I am going to cover some immediate response actions. The goal here is to provide a framework that will allow responders to get off on the right foot…

Jan 9, 2024

Conhost, or the Console Application Host, often comes up during investigations. Understanding what it is, the evidence may contain and how to extract that information becomes important...

Jan 2, 2024

This week I'm talking about detecting evidence of lateral movement on Window systems using NTLM credential validation events. Much like the episode I did on Kerberos, NTLM events offer the same advantage of being concentrated on domain controllers, which allows you, as the analyst, leverage a great resource for user account analysis. I will have the background, artifact breakdown, and triage strategy coming up right after this…..

1