WindowsTechs.com

Author Archives: Unknown

DFIR Core Principles

Posted on June 24, 2023 by Unknown

My copy of “Forensic Discovery”

There are a lot of folks new to the cybersecurity industry, and in particular DFIR, and a lot of folks considering getting into the field. As such, I thought it might be useful to share my view of the core, foundational p…


The Need for Innovation in DFIR

Posted on June 20, 2023 by Unknown

Barely a week goes by and we see yet another post on social media that discusses knowledge sharing or “training” in cybersecurity, and in particular, DFIR and Windows forensic analysis. However, many times, these posts aren’t “new”, per se, but instead…


Events Ripper Update

Posted on June 5, 2023 by Unknown

Yet again, recent incidents have led to Events Ripper being updated. This time, it’s an updated plugin, and a new plugin.

appissue.pl – I updated this plugin based on Josh’s finding and Tweet; I can’t say that I’ve ever seen this event before, but when …


Events Ripper Update

Posted on June 1, 2023 by Unknown

Working a recent incident, I came across something very unusual. I started by going back into a previous investigation run against the endpoint that had been conducted a month ago, and extracting the WEVTX files collected as part of that investigation…


Events Ripper Updates

Posted on May 26, 2023 by Unknown

I updated an Events Ripper plugin recently, and added two new ones…I tend to do this when I see something new so that I don’t have to remember to run a command, check a box on a checklist, or take some other step. If I have to do any of these, I’m no…


Composite Objects and Constellations

Posted on May 17, 2023 by Unknown

Okay, to start off, if you haven’t seen Joe Slowik’s RSA 2022 presentation, you should stop now and go watch it. Joe does a great job of explaining and demonstrating why IOCs are truly composite objects, that there’s much more to an IP address than jus…


The Windows Registry

Posted on May 16, 2023 by Unknown

When it comes to analyzing and understanding the Windows Registry, where do we go, as an industry, to get the information we need?

Why does this even matter?

Well, an understanding of the Registry can provide insight into the target (admin, malicious ins…


Events Ripper Updates

Posted on May 5, 2023 by Unknown

As you may know, I’m a pretty big proponent for documenting things that we “see” or find during investigations, and then baking those things back into the parsing and decoration process, as a means of automating and retaining corporate knowledge. This …


Program Execution

Posted on April 28, 2023 by Unknown

By now, I hope you’ve had a chance to read and consider the posts I’ve written discussing the need for validation of findings (third one here). Part of the reason for this series was a pervasive over-reliance on single artifacts as a source of fi…


On Validation, pt III

Posted on April 25, 2023 by Unknown

From the first two articles (here, and here) on this topic arises the obvious question…so what? Not validating findings has worked well for many, to the point that the lack of validation is not recognized. After all, who notices that findings were no…

