#DFIR
Happy Friday, another 35% sale happening now on TeePublic #DFIR https://www.teepublic.com/user/stark4n6
Another new Unfurl feature is parsing DoH (DNS over HTTPS) requests! I haven't run into these often in URLs, but hey, it's nice that Unfurl can parse them for you if you do!

Forensic Focus Digest, September 29 2023 https://www.forensicfocus.com/news/forensic-focus-digest-september-29-2023/ #ForensicFocus #DFIR

"Victim" says, her laptop is being accessed by her neighbor "over the power grid".
Guess who is going to spend a day to examine the device only to write a 3 line note in the end about in how many ways this is bs?
But hey.. if the attorney wants it, he gets it.
2023-09-28 RDP #Honeypot IOCs - 1455 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
206.189.35.235 - 1110
108.136.224.204 - 51
141.98.11.128 - 30
Top ASNs:
AS14061 - 1122
AS16509 - 51
AS132203 - 48
Top Accounts:
hello - 1191
Administr - 63
Domain - 54
Top ISPs:
DigitalOcean, LLC - 1122
Amazon.com - 51
Google LLC - 36
Top Clients:
Unknown - 1455
Top Software:
Unknown - 1455
Top Keyboards:
Unknown - 1455
Top IP Classification:
hosting - 1272
Unknown - 159
hosting & proxy - 9
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/Phi5aer3
2023-09-28 RDP #Honeypot IOCs - 970 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
206.189.35.235 - 740
108.136.224.204 - 34
141.98.11.128 - 20
Top ASNs:
AS14061 - 748
AS16509 - 34
AS132203 - 32
Top Accounts:
hello - 794
Administr - 42
Domain - 36
Top ISPs:
DigitalOcean, LLC - 748
Amazon.com - 34
Google LLC - 24
Top Clients:
Unknown - 970
Top Software:
Unknown - 970
Top Keyboards:
Unknown - 970
Top IP Classification:
hosting - 848
Unknown - 106
hosting & proxy - 6
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/CbYXUFL5
2023-09-28 RDP #Honeypot IOCs - 485 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
206.189.35.235 - 370
108.136.224.204 - 17
141.98.11.128 - 10
Top ASNs:
AS14061 - 374
AS16509 - 17
AS132203 - 16
Top Accounts:
hello - 397
Administr - 21
Domain - 18
Top ISPs:
DigitalOcean, LLC - 374
Amazon.com - 17
Google LLC - 12
Top Clients:
Unknown - 485
Top Software:
Unknown - 485
Top Keyboards:
Unknown - 485
Top IP Classification:
hosting - 424
Unknown - 53
hosting & proxy - 3
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/kTmJDcVp
#Stark4N6: Cyber5W's CCDFA Certification - A Review #DFIR https://www.stark4n6.com/2023/09/cyber5ws-ccdfa-certification-review.html

Warning: Geeky, technical content ahead! Dive into the world of #cybersecurity #pentesting. Watch this week's technical video in our new series, #Pentest Pro Tips with @tompohl & learn how old broadcast protocols can cause a #databreach. https://youtu.be/_ok1-UbFTe0
#DFIR #ITsecurity
Digital Forensics Round-Up, September 28 2023 https://www.forensicfocus.com/news/digital-forensics-round-up-september-28-2023/ #ForensicFocus #DFIR

Unfurl can parse JSON Web Tokens!
At the highest level, JWTs have three parts: header, payload, and signature. Unfurl first splits a #JWT into those three components, then base64-decodes the header and payload, then parses the resulting JSON objects. While Unfurl could parse all that in one step, it does it in three steps to keep with the "show your work" spirit of the tool.
Here's an example: https://dfir.blog/unfurl/?url=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI
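The three-step parse described above, as an added Python example that is not Unfurl's own code: it splits the post's demo token, base64url-decodes the header and payload, parses the JSON and converts the iat claim to UTC. The verify_hs256 and sign_hs256 helpers and the key they use are constructed here to show that decoding a payload is not the same as checking its signature.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# The demo token from the Unfurl post above (header.payload.signature).
EXAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9."
    "gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def b64url_encode(raw: bytes) -> str:
    """Inverse of b64url_decode: base64url with the padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_jwt(token: str) -> tuple:
    """Step 1: split the compact serialization into its three dot-separated parts."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated parts, got {len(parts)}")
    return tuple(parts)


def parse_jwt(token: str) -> dict:
    """Steps 2 and 3: base64url-decode header and payload, then parse them as JSON.

    The signature is returned as raw bytes; nothing here checks it, so the claims
    are untrusted input until verify_hs256 (or the equivalent for the alg) passes.
    """
    h, p, s = split_jwt(token)
    return {
        "header": json.loads(b64url_decode(h)),
        "payload": json.loads(b64url_decode(p)),
        "signature": b64url_decode(s),
    }


def claim_times(payload: dict) -> dict:
    """Convert the registered NumericDate claims (iat/exp/nbf) to UTC datetimes."""
    return {
        claim: datetime.fromtimestamp(payload[claim], tz=timezone.utc)
        for claim in ("iat", "exp", "nbf")
        if claim in payload
    }


def verify_hs256(token: str, key: bytes) -> bool:
    """Check an HS256 signature. Any other alg (including 'none') is rejected outright."""
    h, p, s = split_jwt(token)
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint an HS256 token for a constructed payload (used only to exercise verify_hs256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


if __name__ == "__main__":
    parsed = parse_jwt(EXAMPLE_JWT)
    print("header:   ", parsed["header"])
    print("payload:  ", parsed["payload"])
    print("signature:", parsed["signature"].hex(), f"({len(parsed['signature'])} bytes)")
    for claim, when in claim_times(parsed["payload"]).items():
        print(f"{claim}: {when.isoformat()}")
    # Decoding succeeded, but without the signing key the token is still unverified.
    print("verifies with a guessed key:", verify_hs256(EXAMPLE_JWT, b"constructed-wrong-key"))
```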

Advance Your Investigations With ADF Solutions' Enhanced Screen Recording And Streamlined Features https://www.forensicfocus.com/news/advance-your-investigations-with-adf-solutions-enhanced-screen-recording-and-streamlined-features/ #ADFSolutions #DFIR

Webinar - Intro To DEI PRO: Assessing All Devices In A Timely Manner https://www.forensicfocus.com/webinars/intro-to-dei-pro-assessing-all-devices-in-a-timely-manner/ #ADFSolutions #DEIPRO #DFIR

2023-09-27 RDP #Honeypot IOCs - 2970 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
206.189.35.235 - 1107
139.162.9.149 - 189
43.156.6.9 - 153
Top ASNs:
AS132203 - 1314
AS14061 - 1113
AS63949 - 192
Top Accounts:
hello - 1506
142.93.8.59 - 1197
Domain - 108
Top ISPs:
DigitalOcean, LLC - 1113
Shenzhen Tencent Computer Systems Company Limited - 753
Aceville Pte.ltd - 333
Top Clients:
Unknown - 2970
Top Software:
Unknown - 2970
Top Keyboards:
Unknown - 2970
Top IP Classification:
hosting - 2604
Unknown - 243
hosting & proxy - 105
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/RjwxRnvd
2023-09-27 RDP #Honeypot IOCs - 1980 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
206.189.35.235 - 738
139.162.9.149 - 126
43.156.6.9 - 102
Top ASNs:
AS132203 - 876
AS14061 - 742
AS63949 - 128
Top Accounts:
hello - 1004
142.93.8.59 - 798
Domain - 72
Top ISPs:
DigitalOcean, LLC - 742
Shenzhen Tencent Computer Systems Company Limited - 502
Aceville Pte.ltd - 222
Top Clients:
Unknown - 1980
Top Software:
Unknown - 1980
Top Keyboards:
Unknown - 1980
Top IP Classification:
hosting - 1736
Unknown - 162
hosting & proxy - 70
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/CbTwnyt1
2023-09-27 RDP #Honeypot IOCs - 990 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
206.189.35.235 - 369
139.162.9.149 - 63
43.156.6.9 - 51
Top ASNs:
AS132203 - 438
AS14061 - 371
AS63949 - 64
Top Accounts:
hello - 502
142.93.8.59 - 399
Domain - 36
Top ISPs:
DigitalOcean, LLC - 371
Shenzhen Tencent Computer Systems Company Limited - 251
Aceville Pte.ltd - 111
Top Clients:
Unknown - 990
Top Software:
Unknown - 990
Top Keyboards:
Unknown - 990
Top IP Classification:
hosting - 868
Unknown - 81
hosting & proxy - 35
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/h1TjYzAz
A new Unfurl release is here! v2023.09 adds new features and some fixes. The release adds:
- Parsing of JWTs (JSON Web Tokens)
- Parsing of DoH (DNS over HTTPS) URLs
- More recognized #Mastodon servers
Blog post with more details: https://dfir.blog/unfurl-parsing-jwt-and-doh/
Still time to register for today's webinar, Responding at Scale with Magnet RESPONSE. I'll be online for Q&A for the 1pm and 4pm sessions. #DFIR #PowerShell #triage #IncidentResponse https://www.magnetforensics.com/resources/responding-at-scale-with-magnet-response/
Interview: Ana Cash, Technology & Cybersecurity Instructor, College of Western Idaho https://www.forensicfocus.com/interviews/ana-cash-technology-cybersecurity-instructor-college-of-western-idaho/ #ForensicFocus #DFIR

New #ALEAPP parser for #Discord in #Android:
- Chats
- Timestamps
- URLs for sent/received attachment media
- Attachment filename
- Username
- Conversation channel & ID
- And more
Get ALEAPP: https://github.com/abrignoni/ALEAPP
#DigitalForensics #DFIR #MobileForensics


2023-09-26 RDP #Honeypot IOCs - 522 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
34.211.111.74 - 171
144.126.208.72 - 129
141.98.11.128 - 18
Top ASNs:
AS16509 - 171
AS14061 - 129
AS396982 - 36
Top Accounts:
hello - 324
Domain - 66
Administr - 51
Top ISPs:
Amazon.com, Inc. - 171
DigitalOcean, LLC - 129
Flyservers S.A. - 42
Top Clients:
Unknown - 522
Top Software:
Unknown - 522
Top Keyboards:
Unknown - 522
Top IP Classification:
hosting - 342
Unknown - 177
mobile - 3
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/YpNUy8ge
2023-09-26 RDP #Honeypot IOCs - 348 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
34.211.111.74 - 114
144.126.208.72 - 86
141.98.11.128 - 12
Top ASNs:
AS16509 - 114
AS14061 - 86
AS396982 - 24
Top Accounts:
hello - 216
Domain - 44
Administr - 34
Top ISPs:
Amazon.com, Inc. - 114
DigitalOcean, LLC - 86
Flyservers S.A. - 28
Top Clients:
Unknown - 348
Top Software:
Unknown - 348
Top Keyboards:
Unknown - 348
Top IP Classification:
hosting - 228
Unknown - 118
mobile - 2
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/2GkSZMwK
2023-09-26 RDP #Honeypot IOCs - 174 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
34.211.111.74 - 57
144.126.208.72 - 43
141.98.11.128 - 6
Top ASNs:
AS16509 - 57
AS14061 - 43
AS396982 - 12
Top Accounts:
hello - 108
Domain - 22
Administr - 17
Top ISPs:
Amazon.com, Inc. - 57
DigitalOcean, LLC - 43
Flyservers S.A. - 14
Top Clients:
Unknown - 174
Top Software:
Unknown - 174
Top Keyboards:
Unknown - 174
Top IP Classification:
hosting - 114
Unknown - 59
mobile - 1
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/giABHzqV
A great post that should have as a subtitle: "or why iPhone in lockmode rocks" :)
#mobilesecurity #dfir #nationalsecurity #cybersecurity #infosec
"backdoor commands are not implemented in the Deadglyph binary; instead, they are dynamically received from its C&C server in the form of additional modules that exist in memory only briefly, to perform the commands" #cybersecurity #infosec #blueteam #malware #dfir
https://thehackernews.com/2023/09/deadglyph-new-advanced-backdoor-with.html
IT'S DONE!!
Passed the presentation and answering of questions of my bachelor thesis! Got a 1.0 (German grading scale) which is the best possible. I now officially earned my degree as bachelor of engineering in "Forensic Engineering" being 44yrs old.
4 years of blood, sweat and tears studying while in a full time job are finally over. Time for the bottle of beer I had kept in the fridge for this exact moment! Cheers everybody!

The FBI and CISA have issued a new advisory on Snatch #ransomware. This RaaS is evading AV and endpoint detection by rebooting infected devices into Safe Mode. Check out their overview and mitigation tips: https://www.hackread.com/fbi-cisa-joint-advisory-snatch-ransomware-threat/
#cybersecurity #DFIR #CISO #security #infosec
2023-09-25 RDP #Honeypot IOCs - 321 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
54.217.58.4 - 72
216.71.28.109 - 18
45.143.201.62 - 15
Top ASNs:
AS16509 - 72
AS396982 - 36
AS48721 - 18
Top Accounts:
hello - 153
Administr - 42
Test - 36
Top ISPs:
Amazon.com, Inc. - 72
Google LLC - 36
Flyservers S.A. - 30
Top Clients:
Unknown - 321
Top Software:
Unknown - 321
Top Keyboards:
Unknown - 321
Top IP Classification:
hosting - 153
Unknown - 150
hosting & proxy - 15
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/qzrapxZw
2023-09-25 RDP #Honeypot IOCs - 214 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
54.217.58.4 - 48
216.71.28.109 - 12
45.143.201.62 - 10
Top ASNs:
AS16509 - 48
AS396982 - 24
AS48721 - 12
Top Accounts:
hello - 102
Administr - 28
Test - 24
Top ISPs:
Amazon.com, Inc. - 48
Google LLC - 24
Flyservers S.A. - 20
Top Clients:
Unknown - 214
Top Software:
Unknown - 214
Top Keyboards:
Unknown - 214
Top IP Classification:
hosting - 102
Unknown - 100
hosting & proxy - 10
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/rxH5xGiD
2023-09-25 RDP #Honeypot IOCs - 107 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
54.217.58.4 - 24
216.71.28.109 - 6
45.143.201.62 - 5
Top ASNs:
AS16509 - 24
AS396982 - 12
AS48721 - 6
Top Accounts:
hello - 51
Administr - 14
Test - 12
Top ISPs:
Amazon.com, Inc. - 24
Google LLC - 12
Flyservers S.A. - 10
Top Clients:
Unknown - 107
Top Software:
Unknown - 107
Top Keyboards:
Unknown - 107
Top IP Classification:
hosting - 51
Unknown - 50
hosting & proxy - 5
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/9Qvp8881
It all depends...

Listen to the latest Forensic Focus podcast, where Ryan joins Si and Desi to discuss his research into SS7 hacking and cell phone tracking. https://www.forensicfocus.com/podcast/cell-phone-tracking-and-ss7-hacking-security-vulnerabilities-to-save-lives/ #ForensicFocus #DFIR

@cyb_detective Truly offensive! *gasp*
BTW, thank you for always posting such good #DFIR and #OSINT resources!
Extracting Google Chrome Using Android Agent https://www.forensicfocus.com/articles/extracting-google-chrome-using-android-agent/ #OxygenForensics #DFIR

2023-09-24 RDP #Honeypot IOCs - 531 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
172.232.159.85 - 252
193.142.146.17 - 18
193.142.147.9 - 18
Top ASNs:
AS63949 - 255
AS57523 - 42
AS208046 - 36
Top Accounts:
hello - 297
Domain - 72
Administr - 72
Top ISPs:
Akamai Technologies, Inc. - 255
Chang Way Technologies Co. Limited - 42
ColocationX Ltd. - 36
Top Clients:
Unknown - 531
Top Software:
Unknown - 531
Top Keyboards:
Unknown - 531
Top IP Classification:
hosting - 312
Unknown - 204
hosting & proxy - 9
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/vHwC9TD8
2023-09-24 RDP #Honeypot IOCs - 354 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
172.232.159.85 - 168
193.142.146.17 - 12
193.142.147.9 - 12
Top ASNs:
AS63949 - 170
AS57523 - 28
AS208046 - 24
Top Accounts:
hello - 198
Domain - 48
Administr - 48
Top ISPs:
Akamai Technologies, Inc. - 170
Chang Way Technologies Co. Limited - 28
ColocationX Ltd. - 24
Top Clients:
Unknown - 354
Top Software:
Unknown - 354
Top Keyboards:
Unknown - 354
Top IP Classification:
hosting - 208
Unknown - 136
hosting & proxy - 6
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/13sfEwRg
2023-09-24 RDP #Honeypot IOCs - 177 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
172.232.159.85 - 84
193.142.146.17 - 6
193.142.147.9 - 6
Top ASNs:
AS63949 - 85
AS57523 - 14
AS208046 - 12
Top Accounts:
hello - 99
Domain - 24
Administr - 24
Top ISPs:
Akamai Technologies, Inc. - 85
Chang Way Technologies Co. Limited - 14
ColocationX Ltd. - 12
Top Clients:
Unknown - 177
Top Software:
Unknown - 177
Top Keyboards:
Unknown - 177
Top IP Classification:
hosting - 104
Unknown - 68
hosting & proxy - 3
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/z3z9wY0q
Congrats to Cellebrite on the CTF.
We have loved & hated it at the same time.
The true hallmark of a job well done.

hashlookup-forensic-analyser version 1.3 has been released - including Bloom filter improvements and bugs fixed. You can now specify the hash algorithm used for the Bloom filter sets.
#hashlookup #dfir #forensics #forensic #infosec
hashlookup-forensic-analyser analyses a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service.
Source code - https://github.com/hashlookup/hashlookup-forensic-analyser
Release notes - https://github.com/hashlookup/hashlookup-forensic-analyser/releases/tag/v1.3
2023-09-23 RDP #Honeypot IOCs - 8649 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
117.0.192.97 - 1302
43.156.59.42 - 180
43.134.160.120 - 177
Top ASNs:
AS132203 - 4419
AS20473 - 2703
AS7552 - 1302
Top Accounts:
142.93.8.59 - 8379
hello - 69
Domain - 63
Top ISPs:
Shenzhen Tencent Computer Systems Company Limited - 2583
The Constant Company - 1629
Viettel Corporation - 1302
Top Clients:
Unknown - 8649
Top Software:
Unknown - 8649
Top Keyboards:
Unknown - 8649
Top IP Classification:
hosting - 6441
Unknown - 1428
hosting & proxy - 768
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/DsDi2pvG
2023-09-23 RDP #Honeypot IOCs - 5766 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
117.0.192.97 - 868
43.156.59.42 - 120
43.134.160.120 - 118
Top ASNs:
AS132203 - 2946
AS20473 - 1802
AS7552 - 868
Top Accounts:
142.93.8.59 - 5586
hello - 46
Domain - 42
Top ISPs:
Shenzhen Tencent Computer Systems Company Limited - 1722
The Constant Company - 1086
Viettel Corporation - 868
Top Clients:
Unknown - 5766
Top Software:
Unknown - 5766
Top Keyboards:
Unknown - 5766
Top IP Classification:
hosting - 4294
Unknown - 952
hosting & proxy - 512
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/pPdChzVh
2023-09-23 RDP #Honeypot IOCs - 2883 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec
Top IPs:
117.0.192.97 - 434
43.156.59.42 - 60
43.134.160.120 - 59
Top ASNs:
AS132203 - 1473
AS20473 - 901
AS7552 - 434
Top Accounts:
142.93.8.59 - 2793
hello - 23
Domain - 21
Top ISPs:
Shenzhen Tencent Computer Systems Company Limited - 861
The Constant Company - 543
Viettel Corporation - 434
Top Clients:
Unknown - 2883
Top Software:
Unknown - 2883
Top Keyboards:
Unknown - 2883
Top IP Classification:
hosting - 2147
Unknown - 476
hosting & proxy - 256
Pastebin links with full 24-hr RDP Honeypot IOC Lists:
https://pastebin.com/yRdfNY1C
Sending this one around again for the weekend #DFIR warriors. The blog has links to the #PowerShell script and an upcoming webinar you can register for, "Responding at Scale with Magnet RESPONSE". https://infosec.exchange/@dwmetz/111091660638834820
Short snippet of the latest podcast. Check it out below.
Available on all major podcasting directories.
Thanks to everyone that watched the show live.
Listen here: https://digitalforensicsnow.buzzsprout.com/
Watch here: https://youtube.com/live/5GQb_7SC8rg

New Digital Forensics Now Podcast episode for Sept. 21, 2023 is out!
Watch it below or listen to it on all major podcasting directories.
@volexity Volcano Server & Volcano One v23.09.16 adds 75 new YARA rules & IOCs to detect LNK malware, persistence via port monitors, Linux secret memory and Linux fileless malware. This release also adds alert timelines, a universal memory/disk registry API, extensive audit logs, automatic online updates, and MITRE ATT&CK integration.
For more information about Volcano Server & Volcano One, contact us: https://volexity.com/company/contact/

@volexity's #threatintel team works with some of the most targeted groups in the world. Today, at the LABScon conference, we are sharing details of a long-running campaign by EvilBamboo. We have also just published details on our blog: https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/.
Our analysis has uncovered evidence of the attacker building online communities on various social media & messaging platforms, creating fake personas on social media sites, and using other #socialengineering techniques in order to distribute #Android malware, including #BADBAZAAR. Additionally, there is strong evidence of #iOS device targeting and likely exploitation using IRONSQUIRREL.

Quietly released a small update with bug fixes to SQLiteWalker the other day, check it out if you'd like #DFIR https://github.com/stark4n6/SQLiteWalker/releases/tag/v0.0.5

#Cybersecurity heads-up! #FBI & #CISA warns cyber defenders of a growing volume of #cyberattacks spreading #Snatch #ransomware. Detect associated malicious activity with a set of #Sigma rules in the SOC Prime Platform.
https://socprime.com/blog/snatch-ransomware-detection-fbi-cisa-issue-a-joint-alert-warning-of-growing-attacks-by-snatch-raas-operators/ #DFIR #threathunting #malware #SOC
This applies to a lot of other data types.
Getting more color into my corner of the room makeshift studio.
New Digital Forensics Now Podcast this Thursday September 21st @ 6 PM EDT.
Come hang out live with us on:
- YouTube: https://www.youtube.com/@AlexisBrignoni/streams
- Twitch: https://www.twitch.tv/digitalforensicsnow
- LinkedIn: https://www.linkedin.com/in/abrignoni
Listen later on all major podcast directories and here:
- Main: https://digitalforensicsnow.buzzsprout.com/
Read the episode's blog-post & also listen here:
- Blog: https://digitalforensicsnow.blogspot.com/

Magnet RESPONSE #PowerShell - a new script for enterprise #DFIR #triage collections leveraging Magnet Forensics' newest free tool.
http://bakerstreetforensics.com/2023/09/18/magnet-response-powershell/
New #ALEAPP artifact for #Android extractions: Libre Torrent
- Torrent Information
- Torrent Fast Resume Information
- Infohash, saved path, bencoded data, filenames, statistics, & more
Get ALEAPP: https://github.com/abrignoni/aleapp



New Digital Forensics Now Podcast blog.
You can read a summary of each episode and listen to them as well.
Check it out here: https://digitalforensicsnow.blogspot.com/
Why do we care about timestamps embedded in UUIDs?
A UUIDv1 timestamp often correlates with when the object it represents was created. Extracting this timestamp gives us another point in our timeline (or just more context).
For example, the timestamp from the UUID in this GitHub image = time of image upload
Donut, an open-source project, is a set of tools to generate position-independent code to obfuscate, load & execute embedded/remote payloads. Today, @volexity released "donut-decryptor" to help analyze payloads created with Donut: http://github.com/volexity/donut-decryptor
The Volexity donut-decryptor tool, created by Sr. Malware Reverse Engineer @oldetymer, consists of a Python module + a command-line utility for enabling simple usage. Both the tool and cipher implementation are available for download.
Wow, MS figured out the consumer keys were captured via crash dump!!
#supercool
https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/
#dfir #infosec #sectoot
Podcast #61 Recap: Digital Image Authenticity And Integrity With Amped Authenticate https://www.forensicfocus.com/news/podcast-61-recap-digital-image-authenticity-and-integrity-with-amped-authenticate/ #ForensicFocus #DFIR
It's that time of year again where I'm reminded that my book Digital Forensic Diaries is on a couple of college reading lists (which is both awesome and humbling). To this end, I've made the Kindle versions of the stories in the book free to download for the next few days, since everything is already expensive enough. You can grab them here: https://www.amazon.com/dp/B095J8K7SD?binding=kindle_edition&ref=dbs_dp_awt_sb_pc_tukn
Mini Blue Team Diaries story:
Microsoft Exchange stopped working on a Sunday of a long weekend, IT on-call got paged. On-call engineer couldn't remote in to a couple of the key Exchange servers. Networking got paged, no issues on the network. KVM didn't work either.
We (secops) get paged to see if anything is up. We haven't seen anything.
IT on-call engineer heads into the office datacenter to figure out what's up. Finds out a bunch of servers are no longer there. They've been stolen. No sign of damage or break in though.
We all respond, figure out that the crooks had stolen the Knox Box, a fire department mandated box on the outside of the building with keys in it, to have their run of the place over a couple of days.
A hasty migration to MS365 follows.
It's 4pm on the US east coast on the Friday before a 3-day weekend.
How you east coast #IncidentResponse and #DFIR folks doing?
Tip of the week #4: #malcat can compare 2 binaries using either a 1-to-1 algorithm or Myers's algorithm, a diff algorithm used in bioinformatics.
The latter can realign and spot added/subtracted bytes.
More info there: https://doc.malcat.fr/ui/files.html#compare-two-files
#Stark4N6: Forensics StartMe Updates (9/1/2023) #DFIR https://www.stark4n6.com/2023/09/forensics-startme-updates-912023.html
Toots and tweets aren't the only IDs with embedded timestamps... #TikTok IDs have them too!
TikTok uses these IDs in many places - to uniquely identify videos, accounts, and more. This means if you have the ID for any of these, you can tell when it was generated. For a video, that's effectively when it was posted, and for an account, that's when it was created.
And since this is all contained within the ID itself (no APIs or external lookups required), it works just as well for deleted or private items!
If you'd like to learn more, I wrote a peer-reviewed paper on this topic ("Tinkering with TikTok Timestamps") at the DFIR Review:
https://dfir.pubpub.org/pub/9llea7yp/release/1
And of course, Unfurl can parse TikTok IDs as well:
https://dfir.blog/unfurl/?url=https://www.tiktok.com/@billnye/video/6854717870488702213?lang=en
In light of all the news about qakbot being dismantled, it's time to let people know about something we did at @huntress :
@JohnHammond discusses the qakbot "vaccine" we used to prevent the spread of qakbot in our customer base:
https://www.huntress.com/blog/qakbot-malware-takedown-and-defending-forward
Looks like I'm adding a trip to Melbourne in December to my public training calendar! Thanks to my friends at CDFS for arranging this one.
Sep 12-15, Linux Forensics (Live, Virtual), https://www.antisyphontraining.com/event/linux-forensics/2023-09-12/
Oct 17-18, Linux Command Line (Live, In-Person and Virtual), https://wildwesthackinfest.com/event/linux-command-line-for-analysts-operators-w-hal-pomeranz/2023-10-17/
Dec 4-7, Linux Forensics (Live, In-Person), https://cdfs.com.au/product/linux-forensics-melbourne-4d/
Hope to see you at one of these events!
A useful thing for analysis of #Twitter activity was that each tweet has the time it was created embedded in the ID - and #Unfurl can extract it!
Like tweets, #Mastodon IDs also have embedded timestamps in them, and Unfurl can parse them:
https://dfir.blog/unfurl/?url=https://infosec.exchange/@RyanDFIR/110968271932496136
This means that as long as you have the URL of the tweet/toot, you can determine when it was posted - even if it has been deleted or made private!
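One added Python example serving the UUIDv1, TikTok, Twitter and Mastodon ID posts above (it is not Unfurl's code and not from the posts' authors): each function recovers the timestamp from the ID layout alone, with no API lookup. The Mastodon status ID and TikTok video ID come from the URLs in those posts; the UUID is the public RFC 4122 DNS namespace UUID, and the Snowflake ID is constructed from a chosen timestamp because no tweet ID appears on the page.

```python
import uuid
from datetime import datetime, timezone

# Layout constants from the public ID formats (assumptions stated in the lead-in).
TWITTER_EPOCH_MS = 1288834974657            # Snowflake epoch: 2010-11-04T01:42:54.657Z
UUID_GREGORIAN_TO_UNIX = 0x01B21DD213814000  # 100-ns ticks between 1582-10-15 and 1970-01-01

# Sample IDs: the two URL IDs are from the posts above; the UUID is a well-known v1 UUID.
MASTODON_STATUS_ID = 110968271932496136      # infosec.exchange/@RyanDFIR/<id>
TIKTOK_VIDEO_ID = 6854717870488702213        # tiktok.com/@billnye/video/<id>
RFC4122_DNS_NAMESPACE = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"


def _utc(seconds: float) -> datetime:
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def uuid1_timestamp(value: str) -> datetime:
    """UUIDv1 packs a 60-bit count of 100-ns intervals since 1582-10-15 (Gregorian epoch)."""
    parsed = uuid.UUID(value)
    if parsed.version != 1:
        raise ValueError(f"not a version-1 UUID (version={parsed.version})")
    return _utc((parsed.time - UUID_GREGORIAN_TO_UNIX) / 1e7)


def twitter_snowflake_timestamp(tweet_id: int) -> datetime:
    """Twitter Snowflake: bits 22..63 hold milliseconds since the custom Twitter epoch."""
    return _utc(((tweet_id >> 22) + TWITTER_EPOCH_MS) / 1000)


def mastodon_id_timestamp(status_id: int) -> datetime:
    """Mastodon IDs: the top 48 bits are milliseconds since the Unix epoch, low 16 a sequence."""
    return _utc((status_id >> 16) / 1000)


def tiktok_id_timestamp(item_id: int) -> datetime:
    """TikTok IDs: the top 32 bits of the 64-bit ID are Unix seconds."""
    return _utc(item_id >> 32)


def make_snowflake(ts_ms: int, worker: int = 0, seq: int = 0) -> int:
    """Build a Snowflake-style ID from a timestamp; used to round-trip a constructed tweet ID."""
    return ((ts_ms - TWITTER_EPOCH_MS) << 22) | ((worker & 0x3FF) << 12) | (seq & 0xFFF)


def timeline_entries() -> dict:
    """Decode every sample ID into an ISO-8601 UTC timestamp for a timeline."""
    constructed_tweet_id = make_snowflake(1693241454048, worker=3, seq=7)  # constructed
    return {
        "uuid1 (RFC 4122 DNS namespace)": uuid1_timestamp(RFC4122_DNS_NAMESPACE).isoformat(),
        "mastodon status": mastodon_id_timestamp(MASTODON_STATUS_ID).isoformat(),
        "tiktok video": tiktok_id_timestamp(TIKTOK_VIDEO_ID).isoformat(),
        "twitter snowflake (constructed)": twitter_snowflake_timestamp(constructed_tweet_id).isoformat(),
    }


if __name__ == "__main__":
    for source, when in timeline_entries().items():
        print(f"{source:34} {when}")
```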
Another #memoryforensics training finished
Thank you for having me @BlueTeamCon
And thank you to the students for showing up and asking engaging questions! That totally makes teaching so much more fun!
I did a talk on something different this year for @pancakescon on making decisions in #cybersecurity and on your #farm and creating a functional ecosystem in both realms https://www.youtube.com/watch?v=brtVKehGCak
A tale as old as time...
#DigitalForensics #DFIR #MobileForensics #Python #SoftwareDevelopment #Coding
When you start teaching the unparsed apps block in a #DigitalForensics class...
Tracking Airtags with Android by @joshua_hickman1. Excellent #DFIR, #DigitalForensics read.
https://thebinaryhick.blog/2023/08/13/android-airtags-part-ii/
At this point I have taught or advised hundreds of aspiring hackers. I've provided instructional content to thousands more.
I can count on one hand the number of times an aspirant has told me they want to go into defensive cybersecurity. #DFIR, #ThreatHunting, #DetectionEngineering...these ain't lighting up the imagination of the padawans.
But I constantly see mid-career pentesters/red teamers decide to move over to defense for one reason or another.
Which leads me to conclude that we've made a fatal flaw in #CyberSecurity training. Since a defender must understand attacks anyhow, I am coming to the conclusion that all technical cybersecurity training should begin with the offensive skills. Then mix in the defense. I believe seeing both sides like this might make defense more appealing earlier, and produce better defenders.
My team just released https://dfiq.org, which is "a collection of Digital Forensics Investigative Questions and the approaches to answering them."
The idea came from the will to organize investigative approaches to similar cases to increase consistency across response efforts. #dfir #infosec
New #VLEAPP artifact for Hyundai Sonata:
- Call history
- Contacts
- Connected devices
- Diagnostics
Thanks to @joedinsmoor
Get it here: https://github.com/abrignoni/VLEAPP
#DFIR #DigitalForensics
Android Airtag detection is live in the latest OS update. Works well. It even rings the following airtag in order to find it. Awesome capability. Need to find if any artifacts are present.
There's still time to sign up for my class on Advanced Memory Forensics at @BlueTeamCon hurry before it fills up!
My love language is pretty clear...
#DigitalForensics #DFIR #MobileForensics
I'm giving a training on #memoryforensics at @BlueTeamCon on August 25th! Sign up soon if you don't want to miss it!
This shit is why people stop contributing to open source and releasing open source projects: predatory companies taking open source projects and calling them their own with little or no contributions back. It burns innovation and demoralizes creators who keep pushing the needle.
As hard as it is for people to break into infosec, people often release open source projects to prove their worth. This kind of shit can ruin that spirit. As a long time member of the #DFIR open source community, I feel like I need to call BS where I see it. Companies must be held accountable and should abide by licensing and contribute back as warranted by said licensing. I hope to see some contributions and good faith back to https://cipp.app/
@Lorry @obscuretenet @nyaeko @miah @hacks4pancakes maybe a dedication over enthusiasm in that case? Or a balance?
There's a short list of material that I dread running into in my #DFIR career and #CSAM is at the top of that list. :(
Here's what's on my public live training calendar for the back half of the year:
Sep 12-15, Linux Forensics (Live, Virtual), https://www.antisyphontraining.com/event/linux-forensics/2023-09-12/
Oct 17-18, Linux Command Line (Live, In-Person and Virtual), https://wildwesthackinfest.com/event/linux-command-line-for-analysts-operators-w-hal-pomeranz/2023-10-17/
Hope to see you at one of these events!
DMs by randos. Also happens IRL.
#DigitalForensics #DFIR #Infosec #MobileForensics #eDiscovery
I'm happy to announce that a new version of my Linux Forensics class is available from https://archive.org/details/HalLinuxForensics
Some of the major changes in this version:
-- Memory forensics material updated with Volatility 3
-- All new memory forensics labs, including one on LD_PRELOAD style rootkits
-- UAC updates
-- Brand new Lab VM based on Debian 11
As always, the course material and labs are freely available under Creative Commons license. Use the torrent link to download everything because we're talking >70GB of data with the new VM.
I hope to be announcing some public teaching dates in the near future. Or reach out to me and we can discuss private training for your team.
I finally finished another blog post! It's called "Monitoring Command Execution In Containers With Sysdig".
It's kinda purple-teamy? I go through setting up Sysdig, building a vulnerable Docker image, and then attacking it. Then we look at how we can detect the attack with Sysdig.
I am happy to announce that I will be giving a training at @defcon this summer on Windows Memory Forensics!
This class demonstrates the importance of including volatile memory in your investigations by covering several attack methodologies that we've seen in the field. It also includes an overview of the most widely used memory forensics tool, Volatility, by one of its developers.
Students will leave the class with the ability to investigate modern malware techniques, and quickly answer questions posed in DFIR investigations and help get to root cause of an attack.
https://training.defcon.org/products/jamie-levy-windows-memory-forensics
The newest #dfir report is live, "IcedID Macro Ends in Nokoyawa Ransomware".
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
This is still one of the best #memes in #cybersecurity and #DFIR......funny and highly accurate. Happy Friday!
You know what they say when you assume...
Assumptions are only good if they can be tested and proven.
Anything less is just opinions and not facts. A problem in the making if not discarded.
#DFIR #DigitalForensics
#Infosec #eDiscovery #MobileForensics
@chrissanders88 you might want to adjust your image
I'm excited to share something new...
I just opened up access to my Analyst Skills Vault.
The Vault is a subscription-based service that provides access to our growing collection of standalone video lessons.
You can learn more and register here: https://www.networkdefense.co/skillsvault/
Not everything needs its own course, so I'm excited to be able to provide some bite-sized knowledge across a variety of defensive security topics designed to help you level up just a bit more with each one you watch.
We're adding new videos every month. Some of those are from me, but you'll also recognize other AND course authors and see a few new faces!
We've got lots of things already there, including a clipboard forensics tutorial from Joshua Brower, an AsyncRAT malware analysis walkthrough from Tony Lambert, and a few things like how to create event baselines in Excel, how to use Chainsaw in your investigations, and a lot more.
Something else... you'll also get access to previews of new courses. For example, the vault already includes a lesson from our new Splunk for Security Analysis course.
One more thing... If you've ever purchased one of our full-length courses, your subscription extends/reactivates access to any of those courses as long as it's active.
Skills Vault Access is also a great way to support our work. It's $20/month or $220/year (you get a free month with the annual subscription).
Even more to come soon, but I'm excited to get this one open and available to everyone. I hope you enjoy what we've put together for you.
And it so happens that doing from scratch is actually better...
#DFIR Python Study Group: https://youtu.be/D9EIdniCNPQ