This week I'm talking about the linux file system from the point of view of a forensic analyst. In general, it's a good idea to have a solid working knowledge of the linux file system so you understand what directories hold what artifacts… Or if you're looking for a specific category of artifact, you at least have an idea of where you may find it. I will cover the home directory this week and breakdown the typical forensic artifacts you find there……
This week I will talk about investigating data spill cases involving exposed URLs. This is a typical privacy investigation many incident response teams handle and I thought it would be useful to go over some standard guidelines for handling such cases. To be effective with these investigations you need to know how to determine liability and responsibility, a little Google foo, and a number of odds and ends concerning mitigation, containment and remediation strategies....
This week is on lateral movement detection techniques. Inspecting Domain Admin account logons is a key component to lateral movement triage. Admin accounts are sought after by attackers for their elevated privileges. Evidence is often left behind both on the targeted system and on the domain controller. Both these factors provide protection opportunity through Windows event log analysis. I’ll break down the method....
This week I want to talk about the value of having functional documentation for your organization, or, at least for your team. Functional documentation means you have thoughtful and up-to-date incident run books, and play books that provide utility and usefulness for a responder. Without such documentation, you are always in danger of some dangerous pitfalls, some of which I'll discuss. This episode I cover what functional documentation is, it's investigative value for an organization, how to get started...
The linux subsystem for windows, create both opportunity and challenges for forensic analysts. It makes Windows an excellent platform for multi platform forensic analysis tasks, allowing it to take it vantage of the many many Linux tools available. The challenges are foreseeable, you have Linux artifacts, now commingled on a Windows platform, which makes forensic analysis that much more difficult when examining such a system as evidence. This week I'm going to break down the linux subsystems for forensic investigators…
This week I'm going to talk about tabletop exercises as part of a security training program. I feel that there is too much focus on technical skill training and not enough focus on actual incident management training in the industry. There are plenty of highly skilled professionals that can do DFIR work… However, a roadblock, many organizations and practitioners encounter is in the struggle of how to actually implement their knowledge and skills for a security incident response investigation within a specific organization. They may know what to do, but there are many challenges in identifying actually how to do it when the time comes. I will share my thoughts on how to improve your security program through simulation training…
This week I'm talking about The NIST (National Institute of Standards and Technology) investigation lifecycle. The NIST investigation lifecycle encompasses a series of well-defined steps, starting from problem identification and scoping, through data collection and analysis, to the formulation of conclusions and recommendations. This comprehensive framework ensures that investigations conducted by NIST are rigorous, unbiased, and provide reliable results that can be used to inform decision-making, improve practices, and promote innovation across a wide range of disciplines. More about it...
This week I'm talking about linux forensic triage strategy. In particular, I'm covering SSH. SSH traffic comes up in many different types of investigations. For that reason, it is a common and standard artifact every examiner should be familiar with. I will provide you the artifact background and the triage strategy…..
The USN Journal, also known as the Update Sequence Number Journal, is a feature of the Windows operating system that serves as a record of changes made to files and directories on a disk volume. It provides valuable information and insights into file system activities, which can aid investigators in reconstructing events, understanding system behavior, and uncovering evidence. This week I break down the artifact from a DFIR point of view provide triage strategy.....
This week Jason Roslewicz from SUMURI returns for some web 3.0 and virtual reality talk.
This week I talk about adding, modifying, and removing network shares through the lens of detecting lateral movement.
This week I break down the three Windows task hosts from a DFIR point of view.
This week I talk about network share access events and lateral movement detection.
This week Jason Roslewicz from SUMURI returns for some cloud talk.
This week I talk about the exploitation of the Windows Management Instrumentation application.
This week Chris Currier and I talk about mobile forensics and protocol buffers.
This week I cover Windows events commonly associated with data spoliation and insider threats.
This week Jason Roslewicz from SUMURI returns for some ransomware talk.
This week I Cover my all-time favorite Windows event, security event 4688: new process creation. If you do windows, incident, response, forensics, this is a must-know know artifact.
This week I talk about SVCHOST; how it fits into the Windows operating system, and how to think about it from a DFIR point of view.
This week I talk with Interview with Yugal Pathak about organizational forensic readiness.
This week I talk about the role and typical responsibilities DFIR professionals may be called up to take to assist with a zero-day response.
This week Jason Roslewicz from SUMURI returns to talk more about AI issues.
This week I break down the Windows System Resource Usage Monitor from a DFIR point of view.
This week I cover some malware detection methods for Linux.