Unknown – Page 4 – WindowsTechs.com

The Problem with the Modern Security Stack

Posted on March 10, 2025 by Unknown

I read something interesting recently that stuck with me. Well, not “interesting”, really…it was a LinkedIn post on security sales. I usually don’t read or follow such things, but for some reason, I started reading through this one, and really engagi… Continue reading The Problem with the Modern Security Stack→

Lina’s Write-up

Posted on February 19, 2025 by Unknown

Lina recently posted on LinkedIn that she’d published another blog post. Her blog posts are always well written, easy to follow, fascinating, and very informative, and this one did not disappoint.In short, Lina says that she found a bunch of Chinese bl… Continue reading Lina’s Write-up→

The Role of AI in DFIR

Posted on February 16, 2025 by Unknown

The role of AI in DFIR is something I’ve been noodling over for some time, even before my wife first asked me the question of how AI would impact what I do. I guess I started thinking about it when I first saw signs of folks musing over how “good” AI w… Continue reading The Role of AI in DFIR→

Artifacts: Jump Lists

Posted on January 20, 2025 by Unknown

In order to fully understand digital analysis, we need to have an understanding of the foundational methodology, as well as the various constituent artifacts on which a case may be built. The foundational methodology starts with your goals…what are y… Continue reading Artifacts: Jump Lists→

Carving

Posted on January 6, 2025 by Unknown

Recovering deleted data, or “carving”, is an interesting digital forensics topic; I say “interesting” because there are a number of different approaches and techniques that may be valuable, depending upon your goals. For example, I’ve used X-Ways … Continue reading Carving→

UEPOTB, LNK edition

Posted on December 24, 2024 by Unknown

A while back, Jesse Kornblum published a paper titled, “Using Every Part of the Buffalo in Windows Memory Analysis”. This was, and still is, an excellent paper, based on it’s content and how it pertained to the subject (Windows memory analysis). Howeve… Continue reading UEPOTB, LNK edition→

Program Execution: The ShimCache/AmCache Myth

Posted on November 26, 2024 by Unknown

I recently saw another LinkedIn post from someone supporting and sending readers to a site that was reportedly started using the SANS DFIR poster as a reference. As illustrated in figure 1, this site references the ShimCache artifact as providing evide… Continue reading Program Execution: The ShimCache/AmCache Myth→

FTSCon

Posted on October 31, 2024 by Unknown

I had the distinct honor and pleasure of speaking at the “From The Source” Conference (FTSCon) on 21 Oct, in Arlington, VA. This was a 1-day event put on prior to the Volexity memory analysis training, and ran two different tracks…Maker and Hunter…… Continue reading FTSCon→

Artifact Tracking: Workstation Names

Posted on October 26, 2024 by Unknown

Very often in cybersecurity, we share some level of indicators of compromise (IOCs), such as IP addresses, domain names, or file names or hashes. There are other indicators associated with many compromises or breaches that can add a great deal of granu… Continue reading Artifact Tracking: Workstation Names→

Analysis Process

Posted on October 15, 2024 by Unknown

Now and again, someone will ask me, “…how do you do analysis?” or perhaps more specifically, “…how do you use RegRipper?” This is a tough question to answer, but not because I don’t have an answer. I’ve already published a book on that ve… Continue reading Analysis Process→