Erik Hjelmvik – WindowsTechs.com

Network Forensics Classes for EU and US

Posted on June 7, 2021 by Erik Hjelmvik

We have now scheduled two new live online classes, one in September and one in October. The September class is adapted to European time and the October one is adapted to American time. The contents are exactly the same in both classes. The training is … Continue reading Network Forensics Classes for EU and US→

Detecting Cobalt Strike and Hancitor traffic in PCAP

Posted on May 31, 2021 by Erik Hjelmvik

This video shows how Cobalt Strike and Hancitor C2 traffic can be detected using CapLoader. Your browser does not support the video tag. I bet you’re going: 😱 OMG he’s analyzing Windows malware on a Windows PC!!! Relax, I know what I’m doing. I have al… Continue reading Detecting Cobalt Strike and Hancitor traffic in PCAP→

Live Online Training – PCAP in the Morning

Posted on March 19, 2021 by Erik Hjelmvik

Would you like to spend four mornings in May analyzing capture files together with me? I have now scheduled a live online network forensics training called ‘PCAP in the Morning’ that will run on May 3-6 (Monday to Thursday) between 8:30 AM and 12:30 PM… Continue reading Live Online Training – PCAP in the Morning→

Twenty-three SUNBURST Targets Identified

Posted on January 25, 2021 by Erik Hjelmvik

Remember when Igor Kuznetsov and Costin Raiu announced that two of the victims in FireEye’s SUNBURST IOC list were ***net.***.com and central.***.gov on Kaspersky’s Securelist blog in December? Reuters later reported that these victims were Cox Communi… Continue reading Twenty-three SUNBURST Targets Identified→

Capturing Decrypted TLS Traffic with Arkime

Posted on December 1, 2020 by Erik Hjelmvik

The latest version of Arkime (The Sniffer Formerly Known As Moloch) can now be fed with a real-time stream of decrypted HTTPS traffic from PolarProxy. All that is needed to enable this feature is to include ‘pcapReadMethod=pcap-over-ip-server’ in Arkim… Continue reading Capturing Decrypted TLS Traffic with Arkime→

RawCap Redux

Posted on January 30, 2020 by Erik Hjelmvik

A new version of RawCap has been released today. This portable little sniffer now supports writing PCAP data to stdout and named pipes as an alternative to saving the captured packets to disk. We have also changed the target .NET Framework version from… Continue reading RawCap Redux→

The NSA HSTS Security Feature Mystery

Posted on November 26, 2019 by Erik Hjelmvik

I recently stumbled across an NSA Cyber Advisory titled Managing Risk from Transport Layer Security Inspection (U/OO/212028-19) after first learning about it through Jonas Lejon’s blog post NSA varnar för TLS-inspektion (Swedish). I read the NSA r… Continue reading The NSA HSTS Security Feature Mystery→

PolarProxy Released

Posted on June 21, 2019 by Erik Hjelmvik

I’m very proud to announce the release of PolarProxy today! PolarProxy is a transparent TLS proxy that decrypts and re-encrypts TLS traffic while also generating a PCAP file containing the decrypted traffic. PolarProxy enables you to do lots of things … Continue reading PolarProxy Released→

CapLoader 1.8 Released

Posted on May 28, 2019 by Erik Hjelmvik

We are happy to announce the release of CapLoader 1.8 today! CapLoader is primarily used to filter, slice and dice large PCAP datasets into smaller ones. This new version contains several new features that improves this filtering functionality even fur… Continue reading CapLoader 1.8 Released→

NetworkMiner 2.3 Released!

Posted on April 3, 2018 by Erik Hjelmvik

The free and open source network forensics tool NetworkMiner now comes with improved extraction of files and metadata from several protocols as well as a few GUI updates. But the biggest improvements for version 2.3 are in the commercial tool NetworkMi… Continue reading NetworkMiner 2.3 Released!→