forensicmethods.com
Mimikatz Kerberos Golden Ticket | Forensic Methods
http://forensicmethods.com/mimikatz-kerberos-golden-ticket
Mimikatz Kerberos Golden Ticket. June 30, 2014. It has been an interesting year for attacks against the Windows credential model. If you aren’t familiar with the Mimikatz “Golden Ticket” attack, it represents some of the best justification for guarding your domain administrator credentials with your life (if you really needed additional justification). CERT EU published an excellent whitepaper on strategies for mitigating this attack.
forensicmethods.com
Incident Response | Forensic Methods
http://forensicmethods.com/category/incident-response
Archives For Incident Response. Blue Team: Reconnaissance Detection. May 11, 2016. Note: This article originally appeared on the CrowdStrike blog. Self-Recon is the Best Recon. Investigating PowerShell: Command and Script Logging. March 8, 2016. Hunting Command Line Activity. I am pleased to report that there have been some significant upgrades to command line logging since that webcast. Starting with Server 2012R2, Microsoft released a new grou...
forensicmethods.com
Forensic Methods | Computer Forensic Investigations
http://forensicmethods.com/page/2
March 1, 2014. It has been over six months since Edward Snowden’s unprecedented NSA leaks, and we are still a long way from being able to assess the damage. Worldwide trust in United States tech companies has undoubtedly been shaken. Cisco Systems blamed a ten percent revenue drop on fallout from the leaks. Microsoft is offering the ability for foreign customers to have their data stored outside of the United States. Securing Your New Tablet. December 5, 2013. November 12, 2013.
forensicmethods.com
Malware | Forensic Methods
http://forensicmethods.com/category/malware
Mimikatz Kerberos Golden Ticket. June 30, 2014. It has been an interesting year for attacks against the Windows credential model. If you aren’t familiar with the Mimikatz “Golden Ticket” attack, it represents some of the best justification for guarding your domain administrator credentials with your life (if you really needed additional justification). CERT EU published an excellent whitepaper on strategies for mitigating this attack. Malware Analysis Quant Project. The original ...
forensicmethods.com
Control Panel Forensics: Evidence of Time Manipulation and More… | Forensic Methods
http://forensicmethods.com/control-panel-forensics
Control Panel Forensics: Evidence of Time Manipulation and More. June 5, 2013. Firewall changes made for unauthorized software (firewall.cpl). User account additions / modifications (nusrmgr.cpl). Turning off System Restore / Volume Shadow Copies (sysdm.cpl). System time changes (timedate.cpl). Interaction with third-party security software applets. Figure 1: Sample Userassist Output. Context is critical, and, while ...
forensicmethods.com
ESE Databases are Dirty! | Forensic Methods
http://forensicmethods.com/ese-recovery
ESE Databases are Dirty! June 15, 2015. The Path to the WebCache. Figure 1: Intermediary Stages of Writing to the WebCacheV*.dat Database. Figure 2: Modification Times of ESE Log Files and Database. Mining the Log Files. Esentutl /mh WebCacheV01.dat. Figure 3: WebCacheV01.dat Header Information. Esentutl /r V01 /d. Figure 4: Successful ESE Database Recovery. Database log files may contain both inserts and deletes! While I demonstrated recovery of an Intern...
forensicmethods.com
Forensic Methods | Author Archives
http://forensicmethods.com/author/chadtilbury
Archives For Chad Tilbury. Blue Team: Reconnaissance Detection. May 11, 2016. Note: This article originally appeared on the CrowdStrike blog. Self-Recon is the Best Recon. Investigating PowerShell: Command and Script Logging. March 8, 2016. Hunting Command Line Activity. I am pleased to report that there have been some significant upgrades to command line logging since that webcast. Starting with Server 2012R2, Microsoft...
forensicmethods.com
What’s New in Windows Application Execution? | Forensic Methods
http://forensicmethods.com/application-execution
What’s New in Windows Application Execution? February 5, 2015. One of the great pleasures of performing Windows forensics is there is no shortage of application execution artifacts. Application execution tells us what has run on a system and is often the pivot point that reveals important activity on the system. Why was FTP run on this workstation? Is it normal to see execution of Winsvchost.exe? With Amcache.hve, the replacement to...
forensicmethods.com
Memory Forensics | Forensic Methods
http://forensicmethods.com/category/memory-forensics
Archives For Memory Forensics. Hunting PowerShell Command Lines. July 19, 2014. My recent webcast with Jaron Bradley was recorded and a link is available below. If you have been looking for an excuse to get more familiar with Windows PowerShell, have a look. Hunting Command Line Activity. Introduction to Windows Memory Analysis – SANS DFIRCast. October 3, 2013. September 4, 2013. Despite being written in 2006, Chris Ries’ paper is still s...
forensicmethods.com
OUCH! Securing Your New Tablet | Forensic Methods
http://forensicmethods.com/ouch-tablet
Securing Your New Tablet. December 5, 2013. The December 2013 issue of OUCH! is out, and I am pleased to be this month’s guest editor. The SANS Securing the Human team is impressive and it is always a pleasure to work with professionals with such diverse security backgrounds. If you aren’t familiar with OUCH!, it is a free Creative Commons resource intended to supplement user awareness training. Malware Analysis Quant Project.