Recently my session on PowerShell Tools for IR Forensics Collection was re-broadcast by Magnet Forensics. During the event there were a few questions and I thought I’d share my responses here. If you missed the presentation, just look to the previous post and you’ll find a link for YouTube. Does the CSIRT script check for […]
If you missed my presentation for Magnet Forensics Enterprise Pulse: PowerShell Tools for IR Forensics Collection, (or if you’d like to re-watch the presentation) – it’s now available on YouTube. PDF of the slides is available on the CSIRT-Collect GitHub site.
A PowerShell script to collect memory and (triage) disk forensics for incident response investigations There’s a number of tools that support a one-to-many remote operation capability. However, not all organizations have that level of capability. I’ve also seen that in some large organizations how things are designed to work with remote assets, and how they […]
We’re often using PowerShell within the Incident Response team. I’m a big practitioner of spending 5 hours coding something to automate a 5 minute job. At first the math may not compute, but when that 5 minute job may be requested hundreds of times – and with it scripted it takes 30 seconds… that’s where […]
Pre-Requisites: 4-port USB hub Flash Drive (Paladin bootable) – https://sumuri.com/make-your-own-paladin-usb-2/ created with unetbootin –https://unetbootin.github.io/ USB hard drive for evidence collection, minimum 1.5x capacity of device being imaged Keyboard Mouse *Keyboard/mouse can be either wired USB or one that leverages an RF dongle. (no Bluetooth) UEFI Configuration: Make sure the device is fully powered down (not in standby […]
The final challenge (#12) – Part 1: What is the PID of the application where you might learn “how hackers hack, and how to stop them”? Format: #### Warning: Only 1 attempt allowed! The first thing I did was open the memdump file in HxD Hex Editor. A quick search found several hits. I considered […]
Challenge 11, Part 1: What is the IPv4 address that myaccount.google.com resolves to? I was able to find this pretty quick going back to last week’s artifacts. In week 10, I used bulk_extractor to carve a PCAP out of the memory image. Opening the same PCAP file I applied a String filter for ‘myaccount’. In […]
This weeks challenge was another round of memory forensics. As with the previous weeks challenge most* of my solves were done using a REMnux VM. REMnux includes both Volatility 2.61 (SSL support deprecated) and the beta of Volatility 3. Challenge 10, Part 1: At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was […]
This weeks challenge was the first of the challenges to deal with Memory forensics. The ‘question’ provided by Aaron Sparling (@OSINTlabworks) was a 7 parter! For most of the challenges so far I’ve been using Magnet Axiom and supplementing with other tools as needed. For this weeks solution you’ll see that all is being done […]
I only managed to get half the solution to last weeks challenge. Finding the first half of the solution was pretty straight-forward. In the File system view (or via your image mounting directory traversal of choice) navigate to \var\log\apt. Here we find the history.log file which keeps track of applications installed via apt. If you […]
Something went wrong. Please refresh the page and/or try again.
Follow My Blog
Get new content delivered directly to your inbox.