Investigating PowerShell: Command and Script Logging

PowerShell is becoming ubiquitous in the Microsoft ecosystem, and, while it simplifies administration, it opens up a nearly unprecedented suite of capabilities for attackers.  Nearly every malicious activity imaginable is possible with PowerShell: privilege escalation, credential theft, lateral movement, data destruction, persistence, data exfiltration, and much more.  Malicious PowerShell is being used in the wild, […]

Digging into Windows Prefetch: Device Profiling

It wasn’t that long ago that every report I read containing Windows prefetch artifacts included only the basics: executable name, first and last time executed (now eight timestamps in Win8), and number of executions. There is much more information stored in prefetch files, but until recently there were few tools to easily parse and provide it […]

ESE Databases are Dirty!

With the release of Internet Explorer 10, Microsoft made a radical departure from the way previous browser artifacts were stored.  The perennial Index.dat records were replaced with a centralized meta-data store for the browser using the proven “JET Blue” Extensible Storage Engine (ESE) database format.  While many forensic examiners have remained blissfully unaware of the […]

What’s New in Windows Application Execution?

One of the great pleasures of performing Windows forensics is there is no shortage of application execution artifacts.  Application execution tells us what has run on a system and is often the pivot point that reveals important activity on the system.  Why was FTP run on this workstation?  Is it normal to see execution of […]

Registry Analysis with CrowdResponse

The third release of the free CrowdResponse incident response collection tool is now available!  This time around we are including plugins facilitating collection of Windows registry data.  Our inspiration for this release was one of those vulnerabilities that just won’t die, Windows Sticky Keys, and we’ll show how to identify this attack while demonstrating the […]

Hunting PowerShell Command Lines

My recent webcast with Jaron Bradley was recorded and a link is available below.  If you have been looking for an excuse to get more familiar with Windows PowerShell, have a look.

What Malware? Hunting Command Line Activity

There is a reason hackers use the command line, and it isn’t to impress you with their prowess. […]