Welcome to this week’s session, where we’ll delve into web shell forensics—an ever-critical topic in incident response investigations and threat-hunting strategies. Today, I’ll provide a breakdown that includes the latest developments, detailed triage techniques, and practical examples of what to look for during your investigations:…

Rootkits are hard to detect because they employ advanced stealth techniques to hide their presence. They can conceal processes, files, and network activities by altering system calls and kernel data structures. The deep system knowledge and specialized tools required for low-level analysis make rootkit detection complex and resource-intensive. Limi…

In previous episodes, we covered techniques for examining the Windows Registry, a critical component in identifying persistence mechanisms. We'll explore the registry but shift our focus to registry modification events as reported by Windows event logs

Bash history's forensic value lies in its ability to answer diverse investigative questions, making it a cornerstone artifact for Linux systems. It aids in triaging lateral movement, identifying reconnaissance activities, and detecting attempts at establishing persistence. This underscores the importance of structuring triage tasks around specific …

The UserAssist key is a Windows Registry artifact that logs details about user activity, such as recently accessed programs and files. It encodes information on the frequency and last access time of items launched via Windows Explorer. This helps investigators understand user behavior and timeline of actions on a system, providing evidence of progr…

Every incident response outfit should have a set of guidelines for their team which outlines the standard actions or common considerations for security investigations. In this episode, I highlight some of the key points for security teams with a special focus on initial actions which typically set the tone for success during the subsequent investig…

Understanding the different types of databases is important for security incident response investigations, as databases are often targeted by attackers seeking sensitive information. Each database type—relational, NoSQL, in-memory, and cloud-based—has unique structures, query languages, and security mechanisms. Familiarity with these variations ena…

CIS (Center for Internet Security) Benchmarks provide a comprehensive set of best practices for securing IT systems and data, which are vital for security response investigations. These benchmarks, developed through a consensus-driven process by cybersecurity experts, offer detailed guidelines for configuring operating systems, applications, and ne…

Business Email Compromise (BEC) forensics involves the meticulous investigation of cyberattacks where attackers infiltrate email systems to manipulate business communications for financial gain. These attacks often entail phishing, social engineering, and credential theft to impersonate trusted entities within or outside an organization. Forensic a…

Remote Desktop Protocol (RDP) is a crucial artifact in digital forensics due to its extensive use for remote system access. Analyzing RDP activities can uncover vital information about unauthorized access, insider threats, and attacker lateral movement within a network. Forensic examination of RDP logs enables investigators to trace an attacker's s…

This week, I will be discussing the Linux operating system from a DFIR perspective. It is highly recommended for every examiner to become proficient in Linux, especially with the increasing prevalence of cloud-based infrastructures in enterprise environments. As these platforms become the norm, you can expect to encounter Linux systems frequently d…

In Windows forensics, understanding the intricacies of autorun functionalities and the Windows Registry is essential for effective incident response and investigation. Autorun mechanisms, which allow programs to execute automatically when the system starts or specific actions are performed, can be exploited by malicious actors to persist on a syste…

The JOHARI methodology simply provides a structure for something that you're probably already doing. However, with the structure comes a standard, which is the benefit to any security team. The team should be speaking the same language, especially in fast moving, dynamic situations. Going into a situation and asking for the "known – knowns” and “Bl…

Threat actors often exploit PowerShell in cyber attacks due to its capabilities and integration with Windows operating systems. Microsoft has cited powershell as one of the most commonly used tools in the attack chain. It also comes up in phishing campaigns and other attacks that include infecting URL links. The challenge lies in the fact that it i…

The Windows registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as for applications running on the platform. In order to make use of any of this information, you must understand the registry from a DFIR point…

On a Linux or Mac system, there can be user accounts that have the ability of privilege escalation. Knowing how to triage, for this has a twofold benefit: (1) you obviously want to know which account may elevate to route privileges. If you're doing account triage, these are the ones you should prioritize. The other benefit (2) is to identify any ac…

TCP control bits are part of the TCP header and are used to manage the connection between two devices. These control bits are single-bit flags that indicate various aspects of the TCP connection and are important for understanding and analyzing network traffic...