Collaborate Disseminate
Now and again I pop my head up and take a look around to see where RegRipper has been, and is being, used. My last blog post on this topic had quite a few listings, but sometimes changing the search terms reveals something new, or someone else has deci… Continue reading Distros and RegRipper, pt deux
If you ask DFIR analysts, “What is best in life?”, the answer you should hear is, “…creating timelines!” After all, industry luminaries such as Andrew said, “Time is the most important thing in life, and timelines are one of the most useful tools for… Continue reading USB Device Redux, with Timelines
Back in 2005, Cory Altheide and I published the first paper on tracking USB storage devices across Windows systems; at the time, the focus was Windows XP. A lot has happened since then…I know, that’s an understatement…as the Windows platform has de… Continue reading USB Devices Redux
Following on the heels of my previous post regarding file formats and sharing the link to the post on LinkedIn, I had some additional thoughts that would benefit greatly from not blasting those thoughts out as comments to the original post, but instead… Continue reading Understanding Data Sources and File Formats
It’s great when a plan, or a puzzle, comes together, isn’t it? I’m not just channeling my inner Hannibal Smith…I’m talking about bringing various pieces or elements together to build a cohesive, clear picture, connecting the dots into a coh… Continue reading Putting It All Together
Not long ago, I posted regarding how LNK files can be (ab)used; the post refers to LNK file metadata, and how, if the LNK file is sent by the threat actor, that metadata can be used to learn about the threat actor’s environment. I first saw this mentio… Continue reading Changes In The Use Of LNK Files
One of the challenges within DFIR, particularly as we’ve moved to an enterprise approach by leveraging EDR telemetry, is the root cause analysis, or “RCA”. In short, the challenge is observing malicious activity and determining the root cause; the chal… Continue reading Root Cause Analysis
Having an understanding of file formats is an important factor in DFIR work. In particular, analysts should understand what a proper file using a particular format should look like, so that they can see when something is amiss, or when the file itself … Continue reading File Formats
I’ve discussed LNK files a number of times in this blog, and to be honest, I really don’t think that this is a subject that gets the attention it deserves. In my experience, and I humbly bow to collection bias here, LNK files are not as well understood… Continue reading LNK (Ab)use
As many readers of this blog are aware, I often find great value in open reporting, but that I also see the value in taking that open reporting a step (or three) further beyond where it exists now. In more than a few instances, something extra can be p… Continue reading Digging Into Open Reporting