This week I talk about Windows startup locations.
This week I talk about Windows Prefetch forensics.
This week I talk about fileless attacks on Linux systems.
This week I talk about how to find evidence of malicious autoruns in the Windows registry using Windows event codes.
This week I talk about strategies to determine root cause early during an investigation.
This week is a breakdown of HTTP log forensic triage.
This week I talk about finding evidence of Kernel file masquerading on Linux systems.
This week I talk about how to find evidence of malicious autoruns in the Windows registry.
This week I talk about the forensic value of the Apple Spotlight DB.
When you talk autoruns you must talk about the Windows registry. This artifact is very dense and it may be difficult to zero in on the elements that are important for compromise assessment. Given that, I am going to begin the series with a breakdown of the Windows Registry from a DFIR point of view. This is crucial in understanding ...
This week’s focus is on other scheduled task events useful for DFIR triage.
This week I talk about a popular Windows utility attackers often exploit.
This week I break down the SUDOERS file for forensic triage.
This week’s focus is on new scheduled tasks, which are a common way of establishing longevity on a system. I will have my breakdown of the artifact and how to interpret it for fast analysis coming up….
This week is about persistence artifacts, namely the records for when services fail to start, are either started or stopped, have crashed, or have had their start type changed. Since services are one of the common ways attackers achieve persistence, understanding how these events may be used for triage purposes is very important...
This week is about bash history forensics.
Every so often I like to revisit certifications. Everyone seems to have their own opinion as to the value of one certification over another, whether or not certifications should carry as much weight as they do, or preference of certain certifications over others, and so on. In this episode I’m sharing my thoughts on the topic as well as how I would approach certifications if I were new in the field but also retained everything I have learned over the years about the impact certifications have or can have on your career.
If you are accustomed to Windows forensics you may find you have to shift your way of thinking about executables when you are dealing with a Linux system. Unlike Windows, in Linux there is no fixed file extension to designate an executable. Everything on a Linux system is a file and any file can be executable, so where do you even begin? In this episode I am going to address how to approach Linux executables to help those newer to Linux exams deal with the nuances.