Harlan Carvey – Page 2 – WindowsTechs.com

Mystery Hacked System

Posted on January 7, 2019 by Harlan Carvey

Ali was gracious enough to make several of the challenges that he put together for his students available online, as well as for allowing me to include the first challenge in IWS. I didn’t include challenge #3, the “mystery hacked system” in the … Continue reading Mystery Hacked System→

LNK Toolmarks, Revisted

Posted on January 1, 2019 by Harlan Carvey

There was a recent blog post and Twitter thread regarding the parsing and use of weaponized LNK file metadata. Based on some of what was shared during the exchange, I got to thinking about toolmarks again, and how such files might be created.&nbsp… Continue reading LNK Toolmarks, Revisted→

Parsing the Cozy Bear LNK File

Posted on December 29, 2018 by Harlan Carvey

November 2018 saw a Cozy Bear/APT29 campaign, discussed in FireEye’s blog post regarding APT29 activity (from 19 Nov 2018), as well as in this Yoroi blog regarding the Cozy Bear campaign (from 21 Nov 2018). I found this particular … Continue reading Parsing the Cozy Bear LNK File→

PUB File

Posted on December 28, 2018 by Harlan Carvey

Earlier this month, I saw a tweet that led me to this Trend Micro write-up regarding a spam campaign where the bad guys sent malicious MS Publisher .pub file attachments that downloaded an MSI file (using .pub files as lures has been seen before).&nbsp… Continue reading PUB File→

Hunting and Persistence

Posted on December 20, 2018 by Harlan Carvey

Sometimes when hunting, we need to dig a little deeper, particularly where the actor employs novel persistence mechanisms. Persistence mechanisms that are activated by some means other than a system start or user login can be challenging for a hu… Continue reading Hunting and Persistence→

Updates

Posted on December 18, 2018 by Harlan Carvey

Based on some testing that Phill had done, I recently updated my Recycle Bin index file ($I*, INFO2) parser. Since then, there have been some other developments, and I wanted to document some additional updates.NTFSDisableLastAccessUpdateWe have … Continue reading Updates→

Tool Testing

Posted on November 24, 2018 by Harlan Carvey

Phill recently posted regarding some testing that he’d conducted, with respect to tools for parsing Windows Recycle Bin files. From Phill’s blog post, and follow-on exchanges via Twitter, it seems that Phill tested the following tools (I’m assuming the… Continue reading Tool Testing→

Basic Skillz, pt II

Posted on November 23, 2018 by Harlan Carvey

Following my initial post on this topic, and to dove-tail off of Brett’s recent post, I wanted to provide something of a consolidated view based on the comments received.For the most part, I think Brett’s first comment was very much on point:Should be … Continue reading Basic Skillz, pt II→

Basic Skillz

Posted on November 20, 2018 by Harlan Carvey

Based on some conversations I’ve had with Jessica Hyde and others recently (over the past month or so), I’ve been thinking a good bit lately about what constitutes basic skills in the DFIR field.Let’s narrow it down a bit more…what constitutes “basic… Continue reading Basic Skillz→

Veteran Skillz

Posted on November 17, 2018 by Harlan Carvey

I had an interesting chat recently with a fellow Marine vet recently which generated some thoughts regarding non-technical skills that veterans bring to bear, in any environment. This is something I’ve thought about before, and following the exchange, … Continue reading Veteran Skillz→