Channel: Windows Incident Response
Browsing all 505 articles


TTPs

Within the DFIR and threat intel communities, there has been considerable talk about "TTPs" - tactics, techniques and procedures used by targeted threat actors.  The most challenging aspect of this...




WFA 4/e

Okay, so Windows Forensic Analysis 4/e showed up in a couple of boxes on my doorstep tonight.  It's now a thing.  Cool. As I write this, I'm working on finishing up the materials that go along with the...




Follow up on TTPs post

David Bianco's "Pyramid of Pain"

As a follow-up to my previous post on TTPs, a couple of us (David Bianco, Jack Crook, etc.) took the discussion to G+.  Unfortunately, I did not set the conversation to...



WFA 4/e Reviews

Brett Shavers has posted the first (that I'm aware of) reviews of WFA 4/e...one on Amazon, and a longer one can be found on his WinFE blog. Not so much a review, but Corey refers to the book in one of...



New Stuff

RegRipper Plugins

Corey's busy this week attending Volatility training, but last night sent me a couple of RegRipper plugins he wrote, inspired by what he was learning in the training.  He'd also sent...




Links

OpenLiveView

Tim Vidas has posted OpenLV, an update to the popular LiveView tool that many of us have used before. When conducting an investigation, there are a number of ways to access acquired...


Updates

Exploit Artifacts

Corey is back with yet another of his amazing exploit artifacts blog posts!  This time around, the post has to do with Silverlight exploits from 2013; even so, this is something...



Artifacts

I received a request right before WFA 4/e hit the streets...after the writing and editing was complete and while the printed book was being shipped...to "talk about anti-forensics".  Unfortunately, at...




Book Writing: To Self-Publish, or Not

The CEIC Conference is going on as I write this, and Suzanne Widup's author panel went on yesterday.  I'm not at the conference, so like many others, I live vicariously through what gets Tweeted about...




RegRipper

Just a reminder to everyone out there that the OFFICIAL download link for the most current version of RegRipper is available from the link found here, or here (i.e., at the [RegRipper download]"...



Random Stuff

Host-Based Digital Analysis

There are a lot of folks with different skill sets and specialties involved in targeted threat analysis and threat intel collection and dissemination.  There are a lot of...


File system ops, effects on MFT records

I recently conducted some testing of different actions on a Windows 7 system, with the specific purpose of identifying artifacts within the file system (in this case, the MFT and the USN change...


File system ops, testing phase 2

As I mentioned in my previous post on this topic, there were two other tests that I wanted to conduct with respect to file system operations and the effects an analyst might expect to observe within...




Book Review: "The Art of Memory Forensics"

I recently received a copy of The Art of Memory Forensics (thanks, Jamie!!), with a request that I write a review of the book.  Being a somewhat outspoken proponent of constructive and thoughtful...



What does that "look like"?

We've heard this question a lot, haven't we? I attended a conference about 2 1/2 years ago, and the agenda for that conference had about half a dozen or more presentations that contained "APT" in their...




What Does That Look Like, Pt II

In my last post, I talked about sharing what things "look like" on a system, and as something of a follow up to that post, this article was published on the Dell SecureWorks blog, illustrating...


Windows Phone 8 and RegRipper

Last week, Cindy Murphy (@cindymurph) sent me some Registry hive files...from a Windows Phone 8.  This was pretty fascinating, and fortunate, because I'd never seen a Windows phone, and had no idea if...



Stuff

IR

Here's a really good...no, I take that back...a great blog post by Sean Mason on "IR muscle memory".  Take the time to give it a read, it'll be worth it, for no other reason than because it's...



Publishing DFIR Books

I recently received notification that Syngress is interested in publishing a second edition of Windows Registry Forensics.  I submitted my proposed outline, the reviews of which were apparently...



Windows Event Logs

Dan recently tweeted:

Most complete forensics-focused Event Log write-ups? #DFIR

I have no idea what that means.  I'm going to assume that what Dan's looking for is information regarding Event Logs...
