Dfir

Windows Wednesday: Application Compatibility Cache

Zeltser Challenge Update

For Wednesdays, I’ve decided on the theme of “Windows Wednesday”. I was torn between Windows Wednesday and Microsoft Mondays, but was happy to settle on malware for Mondays. I…

United States Response to Grizzly Steppe

Here it is. After weeks of wondering if and how the United States Government might…

Tooling Thursday: AppCompatCacheParser

Zelter Challenge Update

Thanks to everyone who has read and given me feedback thus far. Please don’t stop, and keep being honest with me! For Thursdays, my goal is to focus on tools within the DFIR community. I am going…

Tooling Thursday: Timesketch

For today’s Tooling Thursday, I wanted to spend a couple of minutes on the tool Timesketch. This comes at an opportune time as I’m actually working on a few Timesketch scripts that will be coming out on Scripting Saturday. To help set the stage for that, I thought I’d take a…

Full Packet Friday: Parsing DHCP Traffic

As tough as it is to avoid writing about this MongoDB fiasco currently going on, I wanted to take a moment and look at parsing DHCP traffic using Python. If you’ll recall, last week’s FPF post focused on understanding what DHCP packets tell us, and the…

Reconciling analysis and response

Hints to fix what went wrong in the WannaCry and Petya outbreaks

Windows Wednesday: Volume Shadow Copies

For today’s post I’m going to take a look at the Volume Shadow Copy Service (“VSS”). While not a new artifact, this service is an integral part to the Windows Operating System and is essential for DFIR analysts to understand. They can even sometimes make the…

Avoid Ransomeware Attacks by Removing Attack Vectors

As seen on RSA, Dan Ford of Rook Security’s blog helps readers answer some important questions about ransomware attacks including if the victim should pay and how to mitigate future attacks.Please find a link to the coverage here. Below…

Chapter Seven Preview: Basic Security Hygiene Controls and Mitigations By Joe Gray

We live in an ever-evolving threat‍ landscape that requires constant analysis and attention. The ideas of old are no longer as universally effective as they once were. Take the information…

Zeltser Challenge Day 1

The Zeltser Challenge

First and foremost, I wanted to thank David Cowen and his team for hosting me in their office yesterday for an impromptu forensic lunch. It’s always a blast to see what that team is developing, and always makes me wish I had…