Digital Forensic Survival Podcast

This week I breakdown CRON for the uninitiated.

This week is about persistence artifacts. Namely the records for when services fail to start, are either started or stopped, have crashed have had their start type changed. Since services are one of the common ways attackers achieve persistence, understanding how these events may be used for triage purposes is very important...

This week I talk Mac autoruns.

This week is about bash history forensics.

In the past I’ve talked about fast triage from a high-level, addressing the different artifacts and some interesting elements in each of those artifacts. I decided to start going a bit deeper and focus on one or a few artifacts at a time and really talk about the important details they may record for your investigation and how to interpret that information quickly. I’m going to start with the New Service Installation details recorded in Windows event logs. These have a number of advantages for your triage methodology and I will have all the details coming up.

Every so often I like to revisit certifications. Everyone seems to have their own opinion as to the value of one certification over another, whether or not certifications should carry as much weight as they do, or preference of certain certifications over others, and so on. In this episode I’m sharing my thoughts on the topic as well as how I would approach certifications if I were new in the field but also retained everything I have learned over the years about the impact certifications have or can have on your career.

This week is a back to basics episode where I cover Windows shell bags. This is a core Windows artifact that gets included in pretty much  every file use and knowledge investigation. Any investigation where you’re looking to tie a specific account to directory access activity. Like most Windows artifacts you must know how user interaction affects the artifact in order to properly interpreted as evidence and you must also be aware of any caveats or pitfalls that may affect your evidence. Spoiler alert, there is a huge one associated with Windows shell bags that I’ll cover at the end of the episode-it’s nothing new but if you’re unfamiliar with it you definitely need to know about it.

If you are accustomed to Windows forensics you may find you have to shift your way of thinking about executables when you are dealing with a Linux system. Unlike Windows, in Linux there is no fixed file extension to designate an executable. Everything on a Linux system of the file and any file can be executable, so where do you even begin? In this episode I am going to address how to approach Linux executables to help those newer to Linux exams deal with the nuances.

One of the first things attackers attempt to accomplish on a compromised system is to establish persistence. Unless you are dealing with a denial of service attack, most other attacker goals are centered on maintaining the degree of control over a compromise system in order to use system resources for things like cryptomining or to maintain a foothold to further an attack strategy. This week I am going to talk about a fast triage methodology for persistence, which is one of the first triage strategies I normally recommend for a compromise assessment. Because I am focusing on a fast triage methodology I am going to focus on the artifacts most examiners will have readily at hand and how to make the most of them during the initial pass.

This week I’m covering the Master file table as a core forensic artifact for Windows investigations. This artifact has value is both a primary and secondary artifact and offers opportunity to decode evidence in a number of different situations. In this episode I’m covering the forensic basics, some use cases and tools you can use to bring the value of the artifact to its full potential.

This week of talking malware fast triage. These are the techniques that are short of malware reverse engineering and allow analysts to identify malware and also get a sense of what it is does. This is a necessary skill set for all DFIR professionals as you typically deal with malware and you need a way to do some basic forensics on it for context to advance your investigation. This is going to be a two-part episode where I first go over the foundational information you need to have four common malware triage tasks and the second part will go over specific methods, tools, and indicators for different types of artifacts.

This week of talking malware fast triage. These are the techniques that are short of malware reverse engineering and allow analysts to identify malware and also get a sense of what it is does. This is a necessary skill set for all DFIR professionals as you typically deal with malware and you need a way to do some basic forensics on it for context to advance your investigation. This is going to be a two-part episode where I first go over the foundational information you need to have four common malware triage tasks and the second part will go over specific methods, tools, and indicators for different types of artifacts.

This week I’m talking about SRUM, a Windows artifact that you don’t hear that much about. It has a lot of great potential as evidence and it is something worth the time to check it out and see how it fits into your daily DFIR work.

This week is some thoughts on live evidence integrity. Years ago evidence validation was fairly standard with few exceptions. Nowadays it’s more of a challenge when considering live evidence collections either on scene, remotely or even in lab environments where physical level access to your evidence is becoming more the exception. It is something that needs to be part of your collection process as it may impact the reliability of your results. 

This week I will talk about investigating data spill cases involving exposed URLs. This is a typical privacy investigation many incident response teams handle and I thought it would be useful to go over some standard guidelines for handling such cases. To be effective with these investigations you need to know how to determine liability and responsibility, a little Google foo, and a number of odds and ends concerning mitigation, containment and remediation strategies depending on what you are dealing with.

This week I’m going to cover detecting lateral movement using Windows event logs. This is not the Windows fast triage method I covered in previous episodes. This is more in-depth and focuses on specific attack tools and strategies seen in actual cases. Going into this level of detail is beyond the scope of a typical episode, however there is some research that has very granular details on the tools and methods you can use. I’ll have that coming up right after this.

This week is a back to basics episode where I am going to cover Windows shellbags. This is a core Windows artifact that gets included in pretty much most every file use and knowledge investigation or any investigation where you’re looking to tie a specific account to directory access activity. Like most Windows artifacts you must know how user interaction affects the artifact in order to properly interpreted it as evidence. You must also be aware of any caveats or pitfalls that may affect your evidence. Spoiler alert, there is a huge one associated with Windows shellbags that I’ll cover at the end of the episode-it’s nothing new but if you’re unfamiliar with it you definitely need to know about it.

This week I am talking about a program language called rust and the advantages it has for DFIR analyst. I’m also covering Chainsaw, a toolset that you can use for Windows event log analysis.

This week it’s back to basics with a Windows artifact for tracking program execution. I’m covering the user assist key which is a mainstay for both live triage and dead box forensics. This artifact is useful for profiling system usage, identifying malware, and general file use and knowledge applications. There are some caveats you need to be aware of and in this episode I’m covering  five different experiments to document the effects that different types of user activity had on the artifact. If you want to better understand this artifact and how to work with it stay tuned.

This week I am covering how different common protocols are secured in the cloud. Part of your effectiveness as a security analyst is your knowledge and understanding of how environments work in a typical scenario. I know that all environments are different but there is some foundational knowledge that you can learn that will be useful no matter what environment you’re working. My goal with this episode is to provide you with a better understanding of how insecure protocols are handled in cloud environments.