Masthash

#DFIR

Happy Friday, another 35% sale happening now on TeePublic #DFIR https://www.teepublic.com/user/stark4n6

RyanDFIR
3 hours ago

Another new Unfurl feature is parsing DoH (DNS over HTTPS) requests! I haven't run into these often in URLs, but hey, it's nice that Unfurl can parse them for you if you do!

Example: https://dfir.blog/unfurl/?url=https://dnsserver.example.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB

#DFIR #Unfurl #OSINT

T.F.G.
9 hours ago

"Victim" says, her laptop is being accessed by her neighbor "over the power grid".

Guess who is going to spend a day to examine the device only to write a 3 line note in the end about in how many ways this is bs?

But hey.. if the attorney wants it, he gets it.

#infosec #forensics #dfir

RDP Snitch
17 hours ago

2023-09-28 RDP #Honeypot IOCs - 1455 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
206.189.35.235 - 1110
108.136.224.204 - 51
141.98.11.128 - 30

Top ASNs:
AS14061 - 1122
AS16509 - 51
AS132203 - 48

Top Accounts:
hello - 1191
Administr - 63
Domain - 54

Top ISPs:
DigitalOcean, LLC - 1122
Amazon.com - 51
Google LLC - 36

Top Clients:
Unknown - 1455

Top Software:
Unknown - 1455

Top Keyboards:
Unknown - 1455

Top IP Classification:
hosting - 1272
Unknown - 159
hosting & proxy - 9

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/Phi5aer3

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
17 hours ago

2023-09-28 RDP #Honeypot IOCs - 970 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
206.189.35.235 - 740
108.136.224.204 - 34
141.98.11.128 - 20

Top ASNs:
AS14061 - 748
AS16509 - 34
AS132203 - 32

Top Accounts:
hello - 794
Administr - 42
Domain - 36

Top ISPs:
DigitalOcean, LLC - 748
Amazon.com - 34
Google LLC - 24

Top Clients:
Unknown - 970

Top Software:
Unknown - 970

Top Keyboards:
Unknown - 970

Top IP Classification:
hosting - 848
Unknown - 106
hosting & proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/CbYXUFL5

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
17 hours ago

2023-09-28 RDP #Honeypot IOCs - 485 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
206.189.35.235 - 370
108.136.224.204 - 17
141.98.11.128 - 10

Top ASNs:
AS14061 - 374
AS16509 - 17
AS132203 - 16

Top Accounts:
hello - 397
Administr - 21
Domain - 18

Top ISPs:
DigitalOcean, LLC - 374
Amazon.com - 17
Google LLC - 12

Top Clients:
Unknown - 485

Top Software:
Unknown - 485

Top Keyboards:
Unknown - 485

Top IP Classification:
hosting - 424
Unknown - 53
hosting & proxy - 3

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/kTmJDcVp

#CyberSec #SOC #Blueteam #SecOps #Security

LMG Security
1 day ago

Warning: Geeky, technical content ahead! Dive into the world of #cybersecurity #pentesting. Watch this week's technical video in our new series, #Pentest Pro Tips with @tompohl & learn how old broadcast protocols can cause a #databreach. https://youtu.be/_ok1-UbFTe0
#DFIR #ITsecurity

RyanDFIR
1 day ago

Unfurl can parse JSON Web Tokens!

At the highest level, JWTs have three parts: header, payload, and signature. Unfurl first splits a #JWT into those three components, then base64-decodes the header and payload, then parses the resulting JSON objects. While Unfurl could parse all that in one step, it does it in three steps to keep with the "show your work" spirit of the tool.

Here's an example: https://dfir.blog/unfurl/?url=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI

#DFIR #Unfurl #OSINT
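The three-step decode described in the post above, as an added example that is not Unfurl's own code: split the token quoted in the post, base64url-decode the header and payload, parse the JSON, and (as an assumed extra step) show how an HS256 signature would be checked, since the decoded claims alone are unverified input.

```python
import base64
import hashlib
import hmac
import json

# Token quoted in the post above (the widely used HS256 demo token).
EXAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9."
    "gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment; JWTs drop the '=' padding, so restore it."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def split_jwt(token: str) -> tuple:
    """Step 1: a compact JWS is exactly three dot-separated segments."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    return parts[0], parts[1], parts[2]


def parse_jwt(token: str) -> dict:
    """Steps 2 and 3: base64url-decode header and payload, then parse the JSON.

    The signature is returned as raw bytes and is NOT checked here, so the
    claims in 'payload' are whatever the token's author chose to put there.
    """
    header_b64, payload_b64, sig_b64 = split_jwt(token)
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
    }


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time.

    Anything other than alg=HS256 (including 'none') is rejected outright
    rather than trusting the header to pick the algorithm.
    """
    header_b64, payload_b64, sig_b64 = split_jwt(token)
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


if __name__ == "__main__":
    parsed = parse_jwt(EXAMPLE_JWT)
    print("header :", json.dumps(parsed["header"]))
    print("payload:", json.dumps(parsed["payload"]))
    # The signing key is not on the page; a placeholder key will not verify.
    print("verifies with placeholder key:", verify_hs256(EXAMPLE_JWT, b"placeholder-key"))
```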

Forensic Focus
1 day ago

Advance Your Investigations With ADF Solutions’ Enhanced Screen Recording And Streamlined Features https://www.forensicfocus.com/news/advance-your-investigations-with-adf-solutions-enhanced-screen-recording-and-streamlined-features/ #ADFSolutions #DFIR

Forensic Focus
1 day ago
RDP Snitch
2 days ago

2023-09-27 RDP #Honeypot IOCs - 2970 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
206.189.35.235 - 1107
139.162.9.149 - 189
43.156.6.9 - 153

Top ASNs:
AS132203 - 1314
AS14061 - 1113
AS63949 - 192

Top Accounts:
hello - 1506
142.93.8.59 - 1197
Domain - 108

Top ISPs:
DigitalOcean, LLC - 1113
Shenzhen Tencent Computer Systems Company Limited - 753
Aceville Pte.ltd - 333

Top Clients:
Unknown - 2970

Top Software:
Unknown - 2970

Top Keyboards:
Unknown - 2970

Top IP Classification:
hosting - 2604
Unknown - 243
hosting & proxy - 105

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/RjwxRnvd

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
2 days ago

2023-09-27 RDP #Honeypot IOCs - 1980 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
206.189.35.235 - 738
139.162.9.149 - 126
43.156.6.9 - 102

Top ASNs:
AS132203 - 876
AS14061 - 742
AS63949 - 128

Top Accounts:
hello - 1004
142.93.8.59 - 798
Domain - 72

Top ISPs:
DigitalOcean, LLC - 742
Shenzhen Tencent Computer Systems Company Limited - 502
Aceville Pte.ltd - 222

Top Clients:
Unknown - 1980

Top Software:
Unknown - 1980

Top Keyboards:
Unknown - 1980

Top IP Classification:
hosting - 1736
Unknown - 162
hosting & proxy - 70

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/CbTwnyt1

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
2 days ago

2023-09-27 RDP #Honeypot IOCs - 990 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
206.189.35.235 - 369
139.162.9.149 - 63
43.156.6.9 - 51

Top ASNs:
AS132203 - 438
AS14061 - 371
AS63949 - 64

Top Accounts:
hello - 502
142.93.8.59 - 399
Domain - 36

Top ISPs:
DigitalOcean, LLC - 371
Shenzhen Tencent Computer Systems Company Limited - 251
Aceville Pte.ltd - 111

Top Clients:
Unknown - 990

Top Software:
Unknown - 990

Top Keyboards:
Unknown - 990

Top IP Classification:
hosting - 868
Unknown - 81
hosting & proxy - 35

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/h1TjYzAz

#CyberSec #SOC #Blueteam #SecOps #Security

RyanDFIR
2 days ago

A new Unfurl release is here! v2023.09 adds new features and some fixes. The release adds:
🔹 Parsing of JWTs (JSON Web Tokens)
🔹 Parsing of DoH (DNS over HTTPS) URLs
🔹 More recognized #Mastodon servers

Blog post with more details: https://dfir.blog/unfurl-parsing-jwt-and-doh/

#DFIR #Unfurl #OSINT

Doug Metz
2 days ago

Still time to register for today’s webinar, Responding at Scale with Magnet RESPONSE. I’ll be online for Q&A for the 1pm and 4pm sessions. #DFIR #PowerShell #triage #IncidentResponse https://www.magnetforensics.com/resources/responding-at-scale-with-magnet-response/

Forensic Focus
2 days ago

Interview: Ana Cash, Technology & Cybersecurity Instructor, College of Western Idaho https://www.forensicfocus.com/interviews/ana-cash-technology-cybersecurity-instructor-college-of-western-idaho/ #ForensicFocus #DFIR

New #ALEAPP parser for #Discord in #Android:
💬 Chats
⏰ Timestamps
📸 URLs for sent/received attachment media
🗃️ Attachment filename
👤 Username
📺 Conversation channel & ID
➕ And more
🔗 Get ALEAPP: https://github.com/abrignoni/ALEAPP
#DigitalForensics #DFIR #MobileForensics

RDP Snitch
3 days ago

2023-09-26 RDP #Honeypot IOCs - 522 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
34.211.111.74 - 171
144.126.208.72 - 129
141.98.11.128 - 18

Top ASNs:
AS16509 - 171
AS14061 - 129
AS396982 - 36

Top Accounts:
hello - 324
Domain - 66
Administr - 51

Top ISPs:
Amazon.com, Inc. - 171
DigitalOcean, LLC - 129
Flyservers S.A. - 42

Top Clients:
Unknown - 522

Top Software:
Unknown - 522

Top Keyboards:
Unknown - 522

Top IP Classification:
hosting - 342
Unknown - 177
mobile - 3

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/YpNUy8ge

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
3 days ago

2023-09-26 RDP #Honeypot IOCs - 348 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
34.211.111.74 - 114
144.126.208.72 - 86
141.98.11.128 - 12

Top ASNs:
AS16509 - 114
AS14061 - 86
AS396982 - 24

Top Accounts:
hello - 216
Domain - 44
Administr - 34

Top ISPs:
Amazon.com, Inc. - 114
DigitalOcean, LLC - 86
Flyservers S.A. - 28

Top Clients:
Unknown - 348

Top Software:
Unknown - 348

Top Keyboards:
Unknown - 348

Top IP Classification:
hosting - 228
Unknown - 118
mobile - 2

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/2GkSZMwK

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
3 days ago

2023-09-26 RDP #Honeypot IOCs - 174 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
34.211.111.74 - 57
144.126.208.72 - 43
141.98.11.128 - 6

Top ASNs:
AS16509 - 57
AS14061 - 43
AS396982 - 12

Top Accounts:
hello - 108
Domain - 22
Administr - 17

Top ISPs:
Amazon.com, Inc. - 57
DigitalOcean, LLC - 43
Flyservers S.A. - 14

Top Clients:
Unknown - 174

Top Software:
Unknown - 174

Top Keyboards:
Unknown - 174

Top IP Classification:
hosting - 114
Unknown - 59
mobile - 1

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/giABHzqV

#CyberSec #SOC #Blueteam #SecOps #Security

JM ☠️
3 days ago

“backdoor commands are not implemented in the Deadglyph binary; instead, they are dynamically received from its C&C server in the form of additional modules that exist in memory only briefly, to perform the commands” #cybersecurity #infosec #blueteam #malware #dfir

https://thehackernews.com/2023/09/deadglyph-new-advanced-backdoor-with.html

T.F.G.
3 days ago

IT'S DONE!!

Passed the presentation and answering of questions of my bachelor thesis! Got a 1.0 (German grading scale) which is the best possible. I now officially earned my degree as bachelor of engineering in "Forensic Engineering" being 44yrs old.

4 years of blood, sweat and tears studying while in a full time job are finally over. Time for the bottle of beer I had kept in the fridge for this exact moment! Cheers everybody!

#dfir #forensics #bachelor #studying

Holding a bottle of beer (Mohrenbräu Kellerbier) in my hands
LMG Security
3 days ago

The FBI and CISA have issued a new advisory on Snatch #ransomware. This RaaS is evading AV and endpoint detection by rebooting infected devices into Safe Mode. Check out their overview and mitigation tips: https://www.hackread.com/fbi-cisa-joint-advisory-snatch-ransomware-threat/
#cybersecurity #DFIR #CISO #security #infosec

RDP Snitch
4 days ago

2023-09-25 RDP #Honeypot IOCs - 321 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
54.217.58.4 - 72
216.71.28.109 - 18
45.143.201.62 - 15

Top ASNs:
AS16509 - 72
AS396982 - 36
AS48721 - 18

Top Accounts:
hello - 153
Administr - 42
Test - 36

Top ISPs:
Amazon.com, Inc. - 72
Google LLC - 36
Flyservers S.A. - 30

Top Clients:
Unknown - 321

Top Software:
Unknown - 321

Top Keyboards:
Unknown - 321

Top IP Classification:
hosting - 153
Unknown - 150
hosting & proxy - 15

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/qzrapxZw

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
4 days ago

2023-09-25 RDP #Honeypot IOCs - 214 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
54.217.58.4 - 48
216.71.28.109 - 12
45.143.201.62 - 10

Top ASNs:
AS16509 - 48
AS396982 - 24
AS48721 - 12

Top Accounts:
hello - 102
Administr - 28
Test - 24

Top ISPs:
Amazon.com, Inc. - 48
Google LLC - 24
Flyservers S.A. - 20

Top Clients:
Unknown - 214

Top Software:
Unknown - 214

Top Keyboards:
Unknown - 214

Top IP Classification:
hosting - 102
Unknown - 100
hosting & proxy - 10

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/rxH5xGiD

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
4 days ago

2023-09-25 RDP #Honeypot IOCs - 107 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
54.217.58.4 - 24
216.71.28.109 - 6
45.143.201.62 - 5

Top ASNs:
AS16509 - 24
AS396982 - 12
AS48721 - 6

Top Accounts:
hello - 51
Administr - 14
Test - 12

Top ISPs:
Amazon.com, Inc. - 24
Google LLC - 12
Flyservers S.A. - 10

Top Clients:
Unknown - 107

Top Software:
Unknown - 107

Top Keyboards:
Unknown - 107

Top IP Classification:
hosting - 51
Unknown - 50
hosting & proxy - 5

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/9Qvp8881

#CyberSec #SOC #Blueteam #SecOps #Security

Forensic Focus
4 days ago

Listen to the latest Forensic Focus podcast, where Ryan joins Si and Desi to discuss his research into SS7 hacking and cell phone tracking. https://www.forensicfocus.com/podcast/cell-phone-tracking-and-ss7-hacking-security-vulnerabilities-to-save-lives/ #ForensicFocus #DFIR

@cyb_detective Truly offensive! *gasp*
BTW, thank you for always posting such good #DFIR and #OSINT resources!

RDP Snitch
5 days ago

2023-09-24 RDP #Honeypot IOCs - 531 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
172.232.159.85 - 252
193.142.146.17 - 18
193.142.147.9 - 18

Top ASNs:
AS63949 - 255
AS57523 - 42
AS208046 - 36

Top Accounts:
hello - 297
Domain - 72
Administr - 72

Top ISPs:
Akamai Technologies, Inc. - 255
Chang Way Technologies Co. Limited - 42
ColocationX Ltd. - 36

Top Clients:
Unknown - 531

Top Software:
Unknown - 531

Top Keyboards:
Unknown - 531

Top IP Classification:
hosting - 312
Unknown - 204
hosting & proxy - 9

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/vHwC9TD8

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
5 days ago

2023-09-24 RDP #Honeypot IOCs - 354 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
172.232.159.85 - 168
193.142.146.17 - 12
193.142.147.9 - 12

Top ASNs:
AS63949 - 170
AS57523 - 28
AS208046 - 24

Top Accounts:
hello - 198
Domain - 48
Administr - 48

Top ISPs:
Akamai Technologies, Inc. - 170
Chang Way Technologies Co. Limited - 28
ColocationX Ltd. - 24

Top Clients:
Unknown - 354

Top Software:
Unknown - 354

Top Keyboards:
Unknown - 354

Top IP Classification:
hosting - 208
Unknown - 136
hosting & proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/13sfEwRg

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
5 days ago

2023-09-24 RDP #Honeypot IOCs - 177 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
172.232.159.85 - 84
193.142.146.17 - 6
193.142.147.9 - 6

Top ASNs:
AS63949 - 85
AS57523 - 14
AS208046 - 12

Top Accounts:
hello - 99
Domain - 24
Administr - 24

Top ISPs:
Akamai Technologies, Inc. - 85
Chang Way Technologies Co. Limited - 14
ColocationX Ltd. - 12

Top Clients:
Unknown - 177

Top Software:
Unknown - 177

Top Keyboards:
Unknown - 177

Top IP Classification:
hosting - 104
Unknown - 68
hosting & proxy - 3

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/z3z9wY0q

#CyberSec #SOC #Blueteam #SecOps #Security

🎉 Congrats to Cellebrite on the CTF.
🥲 We have loved & hated it at the same time.
🏅 The true hallmark of a job well done.

#DigitalForensics #MobileForensics #DFIR

Alexandre Dulaunoy
5 days ago

hashlookup-forensic-analyser version 1.3 has been released - including Bloom filter improvements and bugs fixed. You can now specify the hash algorithm used for the Bloom filter sets.

#hashlookup #dfir #forensics #forensic #infosec

hashlookup-forensic-analyser analyses a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service.

🔗 Source code - https://github.com/hashlookup/hashlookup-forensic-analyser
🔗 Release notes - https://github.com/hashlookup/hashlookup-forensic-analyser/releases/tag/v1.3

@circl

RDP Snitch
6 days ago

2023-09-23 RDP #Honeypot IOCs - 8649 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
117.0.192.97 - 1302
43.156.59.42 - 180
43.134.160.120 - 177

Top ASNs:
AS132203 - 4419
AS20473 - 2703
AS7552 - 1302

Top Accounts:
142.93.8.59 - 8379
hello - 69
Domain - 63

Top ISPs:
Shenzhen Tencent Computer Systems Company Limited - 2583
The Constant Company - 1629
Viettel Corporation - 1302

Top Clients:
Unknown - 8649

Top Software:
Unknown - 8649

Top Keyboards:
Unknown - 8649

Top IP Classification:
hosting - 6441
Unknown - 1428
hosting & proxy - 768

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/DsDi2pvG

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
6 days ago

2023-09-23 RDP #Honeypot IOCs - 5766 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
117.0.192.97 - 868
43.156.59.42 - 120
43.134.160.120 - 118

Top ASNs:
AS132203 - 2946
AS20473 - 1802
AS7552 - 868

Top Accounts:
142.93.8.59 - 5586
hello - 46
Domain - 42

Top ISPs:
Shenzhen Tencent Computer Systems Company Limited - 1722
The Constant Company - 1086
Viettel Corporation - 868

Top Clients:
Unknown - 5766

Top Software:
Unknown - 5766

Top Keyboards:
Unknown - 5766

Top IP Classification:
hosting - 4294
Unknown - 952
hosting & proxy - 512

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/pPdChzVh

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch
6 days ago

2023-09-23 RDP #Honeypot IOCs - 2883 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
117.0.192.97 - 434
43.156.59.42 - 60
43.134.160.120 - 59

Top ASNs:
AS132203 - 1473
AS20473 - 901
AS7552 - 434

Top Accounts:
142.93.8.59 - 2793
hello - 23
Domain - 21

Top ISPs:
Shenzhen Tencent Computer Systems Company Limited - 861
The Constant Company - 543
Viettel Corporation - 434

Top Clients:
Unknown - 2883

Top Software:
Unknown - 2883

Top Keyboards:
Unknown - 2883

Top IP Classification:
hosting - 2147
Unknown - 476
hosting & proxy - 256

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/yRdfNY1C

#CyberSec #SOC #Blueteam #SecOps #Security

Doug Metz
6 days ago

Sending this one around again for the weekend #DFIR warriors. The blog has links to the #PowerShell script and an upcoming webinar you can register for, “Responding at Scale with Magnet RESPONSE”. https://infosec.exchange/@dwmetz/111091660638834820

Short snippet of the latest podcast. Check it out below.
๐ŸŽ™๏ธ Available on all major podcasting directories.
๐Ÿ™ Thanks to everyone that watched the show live.
๐Ÿ”Š Listen here: https://digitalforensicsnow.buzzsprout.com/
๐Ÿ“ฝ๏ธ Watch here: https://youtube.com/live/5GQb_7SC8rg

#DigitalForensics #DFIR #MobileForensics

New Digital Forensics Now Podcast episode for Sept. 21, 20203 is out!

Watch it below or listen to it on all major podcasting directories.

https://www.youtube.com/live/5GQb_7SC8rg?feature=shared

#DigitalForensics #MobileForensics #DFIR

Volexity :verified:
1 week ago

@volexity Volcano Server & Volcano One v23.09.16 adds 75 new YARA rules & IOCs to detect LNK malware, persistence via port monitors, Linux secret memory and Linux fileless malware. This release also adds alert timelines, a universal memory/disk registry API, extensive audit logs, automatic online updates, and MITRE ATT&CK integration.

For more information about Volcano Server & Volcano One, contact us: https://volexity.com/company/contact/

#dfir #memoryforensics #memoryanalysis

Volexity :verified:
1 week ago

@volexity's #theatintel team works with some of the most targeted groups in the world. Today, at the LABScon conference, we are sharing details of a long-running campaign by EvilBamboo. We have also just published details on our blog: https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/.

Our analysis has uncovered evidence of the attacker building online communities on various social media & messaging platforms, creating fake personas on social media sites, and using other #socialengineering techniques in order to distribute #Android malware, including #BADBAZAAR. Additionally, there is strong evidence of #iOS device targeting and likely exploitation using IRONSQUIRREL.

#dfir #security

Quietly released a small update with bug fixes to SQLiteWalker the other day, check it out if you'd like #DFIR https://github.com/stark4n6/SQLiteWalker/releases/tag/v0.0.5

SOC Prime :donor:
1 week ago

#Cybersecurity heads-up! #FBI & #CISA warn cyber defenders of a growing volume of #cyberattacks spreading #Snatch #ransomware. Detect associated malicious activity with a set of #Sigma rules in the SOC Prime Platform.

https://socprime.com/blog/snatch-ransomware-detection-fbi-cisa-issue-a-joint-alert-warning-of-growing-attacks-by-snatch-raas-operators/ #DFIR #threathunting #malware #SOC

This applies to a lot of other data types.

#DigitalForensics #MobileForensics #DFIR

Terryn :verified:
1 week ago

Will be officially speaking about #DFIR analysis at @GrrCON! Hope to see some of you there!

https://grrcon.com/schedule/

๐ŸŽ™๏ธ Getting more color into my corner of the room makeshift studio. ๐Ÿ˜€
โœจ New Digital Forensics Now Podcast this Thursday September 21st @ 6 PM EDT.
๐Ÿ‘ฅ Come hang out live with us on:
- YouTube: https://www.youtube.com/@AlexisBrignoni/streams
- Twitch: https://www.twitch.tv/digitalforensicsnow
- LinkedIn: https://www.linkedin.com/in/abrignoni
🔊 Listen later on all major podcast directories and here:
- Main: https://digitalforensicsnow.buzzsprout.com/
📖 Read the episode's blog-post & also listen here:
- Blog: https://digitalforensicsnow.blogspot.com/

#DigitalForensics #DFIR

Doug Metz
1 week ago

Magnet RESPONSE #PowerShell - a new script for enterprise #DFIR #triage collections leveraging Magnet Forensics’ newest free tool.

http://bakerstreetforensics.com/2023/09/18/magnet-response-powershell/

Does anyone have any good samples or VirusTotal links of the libwebp exploit being using in the wild?

#Malware #libwebp #Exploit #DFIR #IOC #InfoSec

New #ALEAPP artifact for #Android extractions: Libre Torrent
โ›ˆ๏ธ Torrent Information
โ˜” Torrent Fast Resume Information
๐Ÿ“ Infohash, saved path, bencoded data, filenames, statistics, & more
๐Ÿ”— Get ALEAPP: https://github.com/abrignoni/aleapp

#DigitalForensics #MobileForensics #DFIR

🚨 New Digital Forensics Now Podcast blog.
You can read a summary of each episode and listen to them as well.
Check it out here: https://digitalforensicsnow.blogspot.com/

#DigitalForensics #MobileForensics #DFIR

RyanDFIR
2 weeks ago

Why do we care about timestamps embedded in UUIDs?

A UUIDv1 timestamp often correlates with when the object it represents was created. Extracting this timestamp gives us another point in our timeline (or just more context).

For example, the timestamp from the UUID in this GitHub image = time of image upload ⏰

Unfurl: https://dfir.blog/unfurl/?url=https://repository-images.githubusercontent.com/219613650/92534a80-17ab-11ea-9217-fe06f144cdb2?width=441&height=110

#DFIR #OSINT #Unfurl
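The UUIDv1 timestamp extraction described above, as an added example that is not Unfurl's own code: it pulls the UUID out of the GitHub image URL quoted in the post, checks that it really is version 1 (a v4 UUID is random and would decode to a meaningless date), and converts the 60-bit 100-nanosecond counter into a UTC datetime.

```python
from __future__ import annotations

import re
import uuid
from datetime import datetime, timedelta, timezone

# 100-nanosecond ticks between the UUID epoch (1582-10-15) and 1970-01-01.
GREGORIAN_TO_UNIX_100NS = 0x01B21DD213814000

UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

# URL quoted in the post above.
SAMPLE_URL = (
    "https://repository-images.githubusercontent.com/219613650/"
    "92534a80-17ab-11ea-9217-fe06f144cdb2?width=441&height=110"
)


def uuid1_timestamp(u: uuid.UUID) -> datetime | None:
    """Return the UTC time encoded in a version-1 UUID, or None for other versions.

    Python exposes the 60-bit field as u.time (time_hi << 48 | time_mid << 32 |
    time_low). Subtracting the Gregorian offset gives 100-ns ticks since the
    Unix epoch; integer arithmetic keeps the result exact.
    """
    if u.version != 1:
        return None
    unix_100ns = u.time - GREGORIAN_TO_UNIX_100NS
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=unix_100ns // 10
    )


def uuid1_timestamp_iso(text: str) -> str | None:
    """Convenience wrapper: UUID string in, ISO-8601 UTC string (or None) out."""
    ts = uuid1_timestamp(uuid.UUID(text))
    return ts.isoformat() if ts else None


def timestamps_in_url(url: str) -> list[tuple[str, str | None]]:
    """Find every UUID in a URL and pair it with its v1 timestamp, if any."""
    return [(m, uuid1_timestamp_iso(m)) for m in UUID_RE.findall(url)]


if __name__ == "__main__":
    for found, when in timestamps_in_url(SAMPLE_URL):
        print(found, "->", when or "no timestamp (not a v1 UUID)")
```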

Volexity :verified:
2 weeks ago

Donut, an open-source project, is a set of tools to generate position-independent code to obfuscate, load & execute embedded/remote payloads. Today, @volexity released "donut-decryptor" to help analyze payloads created with Donut: http://github.com/volexity/donut-decryptor

The Volexity donut-decryptor tool, created by Sr. Malware Reverse Engineer @oldetymer, consists of a Python module + a command-line utility for enabling simple usage. Both the tool and cipher implementation are available for download.

#dfir #threatintel

Doug Metz
2 weeks ago

If you’re looking for a new gig and want to join a company with a great mission, Magnet Forensics has several openings for a Software Engineer- DevOps role. Details in linked post. #DevOps #Linux #CI/CD #jobs #DFIR https://www.linkedin.com/jobs/view/3712730498

Forensic Focus
3 weeks ago
Mike Sheward
4 weeks ago

It’s that time of year again where I’m reminded that my book Digital Forensic Diaries is on a couple of college reading lists (which is both awesome and humbling). To this end, I’ve made the Kindle versions of the stories in the book free to download for the next few days, since everything is already expensive enough. You can grab them here: https://www.amazon.com/dp/B095J8K7SD?binding=kindle_edition&ref=dbs_dp_awt_sb_pc_tukn

#dfir #digitalforensics #blueteam #cybersecurity #infosec

Mike Sheward
4 weeks ago

Mini Blue Team Diaries story:

Microsoft exchange stopped working on a Sunday of a long weekend, IT on-call got paged. On-call engineer couldn’t remote in to a couple of the key exchange servers. Networking got paged, no issues on the network. KVM didn’t work either.

We (secops) get paged to see if anything is up. We havenโ€™t seen anything.

IT on-call engineer heads into the office datacenter to figure out what’s up. Finds out a bunch of servers are no longer there. They’ve been stolen. No sign of damage or break in though.

We all respond, figure out that the crooks had stolen the Knox Box, a fire department mandated box on the outside of the building with keys in it, to have their run of the place over a couple of days.

A hasty migration to MS365 follows.

#DFIR #BlueTeam #infosec

It's 4pm on the US east coast on the Friday before a 3-day weekend.

How you east coast #IncidentResponse and #DFIR folks doing?

#Cybersecurity #InformationSecurity

Malcat
1 month ago

Tip of the week #4: #malcat can compare 2 binaries using either a 1-to-1 algorithm or Myers's algorithm, a diff algorithm used in bioinformatics.
The latter can realign and spot added/subtracted bytes.

More info there: https://doc.malcat.fr/ui/files.html#compare-two-files

#malware #dfir #reverseengineering

Astra Kernel :verified:
1 month ago

@ #infosec people, have you heard of the term "Indie Hacker"?

At first, I thought it was an "Indian hacker" 😅

It has nothing to do with infosec btw

#hacking #dfir #redteam

RyanDFIR
1 month ago

Toots and tweets aren't the only IDs with embedded timestamps... #TikTok IDs have them too!

TikTok uses these IDs in many places - to uniquely identify videos, accounts, and more. This means if you have the ID for any of these, you can tell when it was generated. For a video, that's effectively when it was posted, and for an account, that's when it was created.

And since this is all contained within the ID itself (no APIs or external lookups required), it works just as well for deleted or private items!

If you'd like to learn more, I wrote a peer-reviewed paper on this topic ("Tinkering with TikTok Timestamps") at the DFIR Review:
🔗 https://dfir.pubpub.org/pub/9llea7yp/release/1

And of course, Unfurl can parse TikTok IDs as well:
🔗 https://dfir.blog/unfurl/?url=https://www.tiktok.com/@billnye/video/6854717870488702213?lang=en

#DFIR #OSINT #Unfurl

Showing the steps to extract a timestamp from inside a TikTok ID.
Jamie Levy 🦉
1 month ago

In light of all the news about qakbot being dismantled, it’s time to let people know about something we did at @huntress :
@JohnHammond discusses the qakbot “vaccine” we used to prevent the spread of qakbot in our customer base:

https://www.huntress.com/blog/qakbot-malware-takedown-and-defending-forward

#dfir #malware #qakbot #edr #mdr

Hal Pomeranz
1 month ago

Looks like I'm adding a trip to Melbourne in December to my public training calendar! Thanks to my friends at CDFS for arranging this one.

Sep 12-15, Linux Forensics (Live, Virtual), https://www.antisyphontraining.com/event/linux-forensics/2023-09-12/

Oct 17-18, Linux Command Line (Live, In-Person and Virtual), https://wildwesthackinfest.com/event/linux-command-line-for-analysts-operators-w-hal-pomeranz/2023-10-17/

Dec 4-7, Linux Forensics (Live, In-Person), https://cdfs.com.au/product/linux-forensics-melbourne-4d/

Hope to see you at one of these events!

#Linux #DFIR #CommandLine #Training

RyanDFIR
1 month ago

A useful thing for analysis of #Twitter activity was that each tweet has the time it was created embedded in the ID - and #Unfurl can extract it!

Like tweets, #Mastodon IDs also have embedded timestamps in them, and Unfurl can parse them:

🔗 https://dfir.blog/unfurl/?url=https://infosec.exchange/@RyanDFIR/110968271932496136

This means that as long as you have the URL of the tweet/toot, you can determine when it was posted - even if it has been deleted or made private!

#DFIR #OSINT

Unfurl parsing a toot URL and extracting the time it was posted.
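
Timestamp extraction from snowflake-style IDs, as an added example that is not Unfurl's own code, covering both the TikTok post and the tweet/toot post above. It uses the toot URL and TikTok video URL quoted in those posts; the bit layouts (Mastodon: milliseconds in the upper 48 bits; Twitter: 41-bit millisecond offset from Twitter's 2010-11-04 epoch above 22 low bits; TikTok: whole seconds in the upper 32 bits) are the documented formats, and the tweet ID in the test is constructed since no tweet URL appears on the page.

```python
from datetime import datetime, timedelta, timezone

# URLs quoted in the posts above.
SAMPLE_TOOT_URL = "https://infosec.exchange/@RyanDFIR/110968271932496136"
SAMPLE_TIKTOK_URL = "https://www.tiktok.com/@billnye/video/6854717870488702213?lang=en"

# Start of Twitter's snowflake clock: 2010-11-04T01:42:54.657Z in Unix ms.
TWITTER_EPOCH_MS = 1288834974657

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _iso(unix_ms: int) -> str:
    """Unix milliseconds -> ISO-8601 UTC string, using exact integer math."""
    return (UNIX_EPOCH + timedelta(milliseconds=unix_ms)).isoformat(timespec="milliseconds")


def mastodon_id_timestamp(status_id: int) -> str:
    """Mastodon snowflake: upper 48 bits are Unix ms, low 16 bits a sequence."""
    return _iso(status_id >> 16)


def tweet_id_timestamp(tweet_id: int) -> str:
    """Twitter snowflake: 41-bit ms since TWITTER_EPOCH_MS, then 10-bit worker
    id and 12-bit sequence in the low 22 bits."""
    return _iso((tweet_id >> 22) + TWITTER_EPOCH_MS)


def tiktok_id_timestamp(item_id: int) -> str:
    """TikTok IDs: upper 32 bits are whole seconds since the Unix epoch."""
    return _iso((item_id >> 32) * 1000)


def id_from_url(url: str) -> int:
    """Take the trailing numeric path segment (toot or video ID) from a URL,
    ignoring any query string. No network lookup is needed, which is why this
    still works for deleted or private items."""
    path = url.split("?", 1)[0].rstrip("/")
    return int(path.rsplit("/", 1)[1])


if __name__ == "__main__":
    print("toot   :", mastodon_id_timestamp(id_from_url(SAMPLE_TOOT_URL)))
    print("tiktok :", tiktok_id_timestamp(id_from_url(SAMPLE_TIKTOK_URL)))
```
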
Jamie Levy 🦉
1 month ago

✅Another #memoryforensics training finished

Thank you for having me @BlueTeamCon 🙏

And thank you to the students for showing up and asking engaging questions! That totally makes teaching so much more fun! 📚

#dfir #malware

Jamie Levy (@gleeda) standing in front of students, teaching a class on memory forensics at BlueTeamCon
Jamie Levy 🦉
1 month ago

I did a talk on something different this year for @pancakescon on making decisions in #cybersecurity and on your #farm and creating a functional ecosystem in both realms https://www.youtube.com/watch?v=brtVKehGCak

#dfir #farming #jacobsheep #shetlandsheep

When you start teaching the unparsed apps block in a #DigitalForensics class...

#MobileForensics #DFIR #

Taggart :donor:
1 month ago

At this point I have taught or advised hundreds of aspiring hackers. I've provided instructional content to thousands more.

I can count on one hand the number of times an aspirant has told me they want to go into defensive cybersecurity.
#DFIR, #ThreatHunting, #DetectionEngineering...these ain't lighting up the imagination of the padawans.

But I constantly see mid-career pentesters/red teamers decide to move over to defense for one reason or another.

Which leads me to conclude that we've made a fatal flaw in
#CyberSecurity training. Since a defender must understand attacks anyhow, I am coming to the conclusion that all technical cybersecurity training should begin with the offensive skills. Then mix in the defense. I believe seeing both sides like this might make defense more appealing earlier—and produce better defenders.

tomchop
2 months ago

My team just released https://dfiq.org, which is "a collection of Digital Forensics Investigative Questions and the approaches to answering them."

The idea came from the will to organize investigative approaches to similar cases to increase consistency across response efforts. #dfir #infosec

New #VLEAPP artifact for Hyundai Sonata:
🚗 Call history
🚙 Contacts
🚕 Connected devices
🛻 Diagnostics
🙏 Thanks to @joedinsmoor
🔗 Get it here: https://github.com/abrignoni/VLEAPP
#DFIR #DigitalForensics

Android Airtag detection is live in the latest OS update. Works well. It even rings the following airtag in order to find it. Awesome capability. Need to find if any artifacts are present.

#DFIR #DigitalForensics #MobileForensics #Android

Jamie Levy 🦉
2 months ago

There’s still time to sign up for my class on Advanced Memory Forensics at @BlueTeamCon hurry before it fills up!

#memoryforensics #dfir

An advertisement for a class on Advanced Memory Forensics at BlueTeamCon

My love language is pretty clear...
#DigitalForensics #DFIR #MobileForensics

Jamie Levy 🦉
3 months ago

I'm giving a training on #memoryforensics at @BlueTeamCon on August 25th! Sign up soon if you don't want to miss it!

https://blueteamcon.com/2023/training/

#DFIR #malware

Advert for Memory Forensics training at Blue Team Con
Jamie Levy 🦉
3 months ago

This shit is why people stop contributing to open source and releasing open source projects: predatory companies taking open source projects and calling them their own with little or no contributions back. It burns innovation and demoralizes creators who keep pushing the needle.

As hard as it is for people to break into infosec, people often release open source projects to prove their worth. This kind of shit can ruin that spirit. As a long time member of the #DFIR open source community, I feel like I need to call BS where I see it. Companies must be held accountable and should abide by licensing and contribute back as warranted by said licensing. I hope to see some contributions and good faith back to https://cipp.app/

https://www.linkedin.com/posts/matthe_so-excited-about-this-one-microsoft-365-activity-7080485615812653056-7UXq

#opensource #theft #predatory #datto #msp

Screenshot of original post on LinkedIn where Dayton is excited about their ripped off project

@Lorry @obscuretenet @nyaeko @miah @hacks4pancakes maybe a dedication over enthusiasm in that case? Or a balance?

There's a short list of material that I dread running into in my #DFIR career and #CSAM is at the top of that list. :(

Hal Pomeranz
3 months ago

Here's what's on my public live training calendar for the back half of the year:

Sep 12-15, Linux Forensics (Live, Virtual), https://www.antisyphontraining.com/event/linux-forensics/2023-09-12/

Oct 17-18, Linux Command Line (Live, In-Person and Virtual), https://wildwesthackinfest.com/event/linux-command-line-for-analysts-operators-w-hal-pomeranz/2023-10-17/

Hope to see you at one of these events!

#Linux #DFIR #CommandLine #Training

DMs by randos. Also happens IRL. 🏃💨

#DigitalForensics #DFIR #Infosec #MobileForensics #eDiscovery

Hal Pomeranz
4 months ago

I'm happy to announce that a new version of my Linux Forensics class is available from https://archive.org/details/HalLinuxForensics

Some of the major changes in this version:

-- Memory forensics material updated with Volatility 3
-- All new memory forensics labs, including one on LD_PRELOAD style rootkits
-- UAC updates
-- Brand new Lab VM based on Debian 11

As always, the course material and labs are freely available under Creative Commons license. Use the torrent link to download everything because we're talking >70GB of data with the new VM.

I hope to be announcing some public teaching dates in the near future. Or reach out to me and we can discuss private training for your team.

#Linux #DFIR #Training

keefer
4 months ago

I finally finished another blog post! It's called "Monitoring Command Execution In Containers With Sysdig".

It's kinda purple-teamy? I go through setting up Sysdig, building a vulnerable Docker image, and then attacking it. Then we look at how we can detect the attack with Sysdig.

https://keefer.io/posts/sysdig-monitoring/

#cybersecurity #infosec #purpleteam #blueteam #dfir

Jamie Levy 🦉
4 months ago

I am happy to announce that I will be giving a training at @defcon this summer on Windows Memory Forensics!

This class demonstrates the importance of including Volatile memory in your investigations by covering several attack methodologies that we've seen in the field. It also includes an overview of the most widely used memory forensics tool, Volatility, by one of its developers.

Students will leave the class with the ability to investigate modern malware techniques, and quickly answer questions posed in DFIR investigations and help get to root cause of an attack.

https://training.defcon.org/products/jamie-levy-windows-memory-forensics

#dfir #memoryforensics #defcon #Defcon31

hackNpatch :donor:
4 months ago

The newest #dfir report is live, "IcedID Macro Ends in Nokoyawa Ransomware".

https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/

Josh Lemon
5 months ago

This is still one of the best #memes in #cybersecurity and #DFIR......funny and highly accurate. Happy Friday!

You know what they say when you assume...
Assumptions are only good if they can be tested and proven.
Anything less is just opinions and not facts. A problem in the making if not discarded.

#DFIR #DigitalForensics
#Infosec #eDiscovery #MobileForensics

Chris Sanders 🔎 🧠
6 months ago

I'm excited to share something new...

I just opened up access to my Analyst Skills Vault. 🚀

The Vault is a subscription-based service that provides access to our growing collection of standalone video lessons.

You can learn more and register here: https://www.networkdefense.co/skillsvault/

Not everything needs its own course, so I'm excited to be able to provide some bite-sized knowledge across a variety of defensive security topics designed to help you level up just a bit more with each one you watch.

We're adding new videos every month. Some of those are from me, but you'll also recognize other AND course authors and see a few new faces!
We've got lots of things already there, including a clipboard forensics tutorial from Joshua Brower, an AsyncRAT malware analysis walkthrough from Tony Lambert, and a few things like how to create event baselines in Excel, how to use Chainsaw in your investigations, and a lot more.

Something else... you'll also get access to previews of new courses. For example, the vault already includes a lesson from our new Splunk for Security Analysis course.

One more thing... If you've ever purchased one of our full-length courses, your subscription extends/reactivates access to any of those courses as long as it's active.

Skills Vault Access is also a great way to support our work. It's $20/month or $220/year (you get a free month with the annual subscription).

Even more to come soon, but I'm excited to get this one open and available to everyone. I hope you enjoy what we've put together for you. 🚀

#DFIR #SOC #cybersecurity #infosec

And it so happens that doing it from scratch is actually better...
🔗 #DFIR Python Study Group: https://youtu.be/D9EIdniCNPQ

#DigitalForensics #MobileForensics #Python