Building your own lab
My favorite way to learn something new is with hands-on experience. It’s easy to read a blog article or watch a video and “think” you know something. It’s a different story when you have… Read More »Building your own lab
How did they get in? Question number 4 in our Big 4. It may seem counterintuitive to try and solve this last, but in reality, this is often one of the least important questions to… Read More »Sniper Incident Response – How did they get in?
Where did they go? This question is all about lateral movement and knowing the scope of the infection. Windows systems have several artifacts that we can quickly triage to see which systems were accessed. These… Read More »Sniper Incident Response – Where did they go?
Are they still here? This question plays an important part of your investigation. If there is an active attacker in the environment you need to identify and block all of their remote access and backdoors… Read More »Sniper Incident Response – Are they still here?
What did they take? This question is always a key priority for lawyers. Knowing what data was taken and what it contained helps them decide on the next legal steps to protect the company. Often… Read More »Sniper Incident Response – What did they take?
The Problem and the Solution The current method of doing forensics is slow and outdated. One-at-a-time triage or disk forensics may work okay when you only have a handful of endpoints, but… Read More »Introducing Sniper Incident Response
There’s nothing like the adrenaline rush of being onsite and starting a new case. Going through fresh data, trying to find the bad guy, hunting an active attacker and stopping them in their tracks is… Read More »Questions are the answer
In Part 1 of this series, we looked at collecting volatile data from a machine and analyzing running processes and network connections. Those things are great for analyzing a running system, but what if we… Read More »Finding Evil in 30 Minutes or Less Part 2 – Amcache, Shimcache and the Srum DB
In parts 1 and 2 of this series we examined the artifacts from a live system by looking at the processes and network connections. We also looked at artifacts left behind after a system was powered… Read More »Finding Evil in 30 Minutes or Less Part 3 – Windows Registry