The Sleuth Kit Part 3 – fls, mactime and icat
So here we are with Part 3 - fls. After receiving some feedback I have decided to use images that you all can download and follow along with. So, for this example we will use an image from Digital...
Zeus v2 Malware Analysis – Part I
So I’m new to this whole malware thing, but it’s pretty damn fun. I’ve been reading more and more about it over the past couple of months. In either case I want to learn more about malware analysis (in...
The Sleuth Kit Part 4 – TSK and netcat
So here we are with Part 4 of The Sleuth Kit (TSK) series of posts I am doing. I hope you have learned something so far, as I know I have. This one will be a bit shorter, but it might come in handy for...
The Sleuth Kit Part 5 – Recover files with tsk_recover and icat
Welcome to Part 5. Here I will quickly go over recovering some files with tsk_recover and icat. So let’s get started. I first needed a “clean” image to work with. I figured that reusing an old USB...
Zeus v2 Malware Analysis – Part II
Welcome back for Part II. I am going to be taking a look at memory forensics by way of Volatility. Memory Forensics: let’s kick this section off by running the volatility command, “imageinfo”. The...
Jump List AppId lookup via Python
So I published a blog post about how I wanted to learn Python a while back. It was more of a rant/I need/want to do something. Don’t bother going back and reading it. In a nutshell, “I figured the best...
Do not fumble the lateral movement
I posted a blog post about Windows Processes and how knowing what’s “normal” can be used to spot malicious processes. You can find the post here:...
Parsing Landesk Registry Entries FTW
I was on a case the other day and I could see the malware dropped, At jobs created (typical), then I went to work on parsing the job files and noticed two of them were pointing to what appeared to be...
Automating Data Reduction via Whitelists
In a previous post (Build your own NSRL Server) I showed people how to get an NSRL server set up so they could filter out whitelisted hashes from md5deep output. I found that I didn’t like that method...
Forensics in the Amazon Cloud – EC2
Businesses of all sizes seem to be moving at least some operations to the cloud. It’s only a matter of time before you get a phone call asking you to conduct some kind of cloud forensics and/or...