Just two more weeks to the Magnet Virtual Summit 2025! If you’ve been procrastinating on registering, don’t miss out. It’s completely free! The conference is scheduled for February 10th through the 14th.
I’m excited to present two talks this year. The first one is titled “Unlocking DFIR: Free Resources for Efficient Triage and Acquisition.” In this talk, I’ll cover free triage acquisition solutions for Windows, Mac, and Linux.
The second talk is called “Zen & the Art of Digital Forensics: Enhancing Insight through Mindfulness.” In this talk, I’ll explore how applying Zen principles like mindfulness, non-attachment, and the ‘beginner’s mind’ can lead to improved investigations and mental well-being.
At this point, we’ve all heard the expression ‘There is no cloud; It’s just someone else’s computer.’ While there is some truth to that, there are some fundamental differences when it comes to digital forensics when cloud resources are part of the investigation.
I’ve been doing DFIR for about 15 years now. In the early days, almost all investigations involved having hands-on access to the data or devices being investigated. As I moved into Enterprise Incident Response, it became more and more frequent that the devices I would be investigating would be in a remote location, be it another state – or even another country. As the scope of my investigations grew, my techniques had to evolve and adapt with it.
Cloud Forensics is the next phase of that evolution. While the systems under investigation may still be in another state or country, extra factors come into play like multi-tenancy and shared responsibility models. Cloud Forensics Demystified does a solid job of shedding light on those nuances.
The book is divided into three parts.
Part 1: Cloud Fundamentals
Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics
Part 3: Cloud Forensic Analysis: Responding to an Incident in the Cloud
Part 1: Cloud Fundamentals
This section provides a baseline knowledge of the three major cloud providers: Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. It breaks down the architectural components of each, and how each platform handles virtual systems, networking and storage.
Part 1 also includes a broad yet thorough introduction to the cyber and privacy legislation that comes into play for cloud investigations. This section is not only valuable to investigators. Whether you’re a lawyer providing legal counsel for an organization, or responsible for an organization’s overall security at the CISO level, this material helps in understanding the challenges and responsibilities that come from hosting your data or systems in the cloud, and the legislation and regulations that follow from those choices.
Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics
As with enterprise investigations, hunting for incident indicators usually begins with logging: telemetry and the correlation of different log sources. This section focuses on the log sources available in AWS, GCP, and Azure. It also provides a detailed list of which log types are enabled by default and which require manual activation, so that the most relevant data is already being collected when an incident occurs. The section also covers each provider’s offerings for log analysis in the cloud, with AWS CloudWatch, Microsoft Sentinel and Google’s Cloud Security Command Center (Cloud SCC) as examples.
Part 3: Cloud Forensic Analysis: Responding to an Incident in the Cloud
As an Incident Responder, this was the section I enjoyed the most. While the first two sections are foundational for understanding the networking and storage architectures, part three provides detailed information on how to acquire evidence for cloud investigations. It covers log analysis techniques as well as recommendations for host forensics and memory analysis tools, using commercial forensic suites like Magnet Axiom as well as open-source tools like CyLR and HAWK. Besides investigations of the three Cloud Service Providers (CSPs), there is also a section on the cloud productivity services Microsoft 365 (M365) and Google Workspace, and a brief section on Kubernetes.
Summary
Whether you’re a gray-haired examiner like me, or a neophyte in the world of digital forensics, chances are high that if you’re not running investigations in the cloud yet – you will be soon enough. Preparation is the first step in the Incident Response lifecycle. To properly prepare for incidents you need to know both what sources will be most informative to your investigations, as well as the methodology to capture and process that evidence efficiently.
Cloud Forensics Demystified is a comprehensive guide that covers cloud fundamentals, forensic readiness, and incident response. It provides valuable insights into cloud investigation techniques, log analysis, and evidence acquisition for major cloud providers and productivity services. The book is valuable for both experienced and novice digital forensics professionals to prepare for cloud investigations.
In an earlier post titled “Growing Your Malware Corpus”, I outlined methods for building a comprehensive test corpus of malware for detection engineering. That post covers using sources like VX-Underground for malware samples and details how to organize and unzip these files using Python scripts.
In today’s post we’re going to cover using Python to apply a standard naming methodology to all our malware samples.
Depending on where you curate your samples from, they could be named by their hash, or as they were identified during an investigation, like invoice.exe. Depending on the size of your collection, I’d surmise it’s highly unlikely that they have a consistent naming format.
I don’t know about you, but a name that indicates the malware family and platform is a lot more useful to me than a hash value when perusing the corpus for a juicy malware sample. We can rename all our malware files using Python and Windows Defender’s command-line utility.
Step 1: You’ll need to install Python on a Windows box that has Windows Defender.
Install Python
If you don’t have Python installed on your Windows machine, you can do so by downloading the installer from python.org, or alternatively, installing from the Windows store.
Windows Store installer for Python versions 3.7 to 3.12
Directory Exclusion
Within the Windows Defender Virus & Threat protection settings, add an exclusion for the directory you’re going to be using with the malware. Make sure the exclusion is in place before connecting the drive with the malware so it doesn’t get nuked.
Note: Doing this assumes you’ve evaluated the potential risks associated with handling malware, even in controlled settings, and have taken safety precautions. This is not an exercise to be conducted on your corporate workstation.
Screenshot of the D:\Malware Directory being excluded from Windows Defender.
Automatic Sample submission
It’s up to you whether to disable Automatic Sample Submission. If you do, you may still get prompted to send some samples.
Automatic Sample Submission turned off in Windows Defender Configuration.
Windows Defender requesting to send samples to Microsoft for further analysis.
Rename_Malware.py
The star of this show is the Python script that was shared on Twitter by vx-underground.
That post walks through various options for using the Windows Defender command-line tool, MpCmdRun.exe. Using that information, a Python script was developed to loop through the contents of a directory, analyze each file with Windows Defender, and then rename the file based on the malware identification.
Python code for rename_malware.py in VS Code.
You can grab the code from the linked post, or a copy on my GitHub here.
Once you’ve got Python installed, the directory exclusion configured, and a pocketful of kryptonite (malware), you’re ready to go.
python rename_malware.py D:\Malware
The script runs each file through the Windows Defender command line and renames it based on the detection.
The script recursively renames the analyzed files.
I’m running this on a copy of my malware corpus of 30,000+ malware samples.
Counting the Corpus
A bit of handy PowerShell math. Before and after the process I wanted to know exactly how many files were present, to be sure the antivirus didn’t remove any. I also wanted to exclude PDFs from the count, as many of the samples in my corpus have accompanying write-ups.
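To make the two pieces above concrete, here is an added example that does the same job end to end: it counts the corpus (skipping the PDF write-ups), asks MpCmdRun.exe to scan each file, parses the detection name, and renames the file after it. This is my illustration, not the vx-underground script linked above, and it makes a few assumptions: MpCmdRun.exe lives at its default path, a detection appears in the scan output on a line of the form “Threat : Trojan:Win32/Emotet!ml” (adjust THREAT_RE if your build prints it differently), and the new name carries the first eight characters of the sample’s SHA-256 so that thousands of samples sharing one detection don’t collide and you can still find your way back to the original hash.

```python
"""Rename malware samples after their Windows Defender detection name.

Added example; assumptions: MpCmdRun.exe at its default install path, and a
detection reported on a line like 'Threat                  : Trojan:Win32/Emotet!ml'.
Run with the sample directory excluded from real-time protection first.
"""
import hashlib
import re
import subprocess
import sys
from pathlib import Path

MPCMDRUN = Path(r"C:\Program Files\Windows Defender\MpCmdRun.exe")  # default location
THREAT_RE = re.compile(r"^\s*Threat\s*:\s*(\S+)", re.MULTILINE)  # assumed output format
SKIP_EXT = {".pdf"}  # accompanying write-ups: never scanned, renamed or counted


def parse_threat(scan_output: str):
    """Return the first detection name in MpCmdRun output, or None if clean."""
    m = THREAT_RE.search(scan_output)
    return m.group(1) if m else None


def threat_to_stem(threat: str) -> str:
    """'Trojan:Win32/Emotet!ml' -> 'Trojan.Win32.Emotet.ml'.
    ':' and '/' are illegal in Windows file names; '!' is just awkward."""
    stem = re.sub(r"[:/!\\]+", ".", threat)
    stem = re.sub(r'[<>"|?*]', "", stem)  # anything else NTFS refuses
    return stem.strip(".")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def new_name(path: Path, threat: str, digest: str) -> str:
    """'<Family>_<sha256 prefix><original suffix>' (naming scheme is my choice)."""
    return f"{threat_to_stem(threat)}_{digest[:8]}{path.suffix.lower()}"


def scan_file(path: Path) -> str:
    """Custom scan of one file; -DisableRemediation stops Defender quarantining it."""
    proc = subprocess.run(
        [str(MPCMDRUN), "-Scan", "-ScanType", "3", "-File", str(path), "-DisableRemediation"],
        capture_output=True, text=True, errors="replace")
    return proc.stdout


def count_samples(root: Path, skip_ext=SKIP_EXT) -> int:
    """Recursive file count minus the write-up PDFs; run it before and after
    so a drop in the number shows Defender removed something."""
    return sum(1 for p in root.rglob("*") if p.is_file() and p.suffix.lower() not in skip_ext)


def rename_corpus(root: Path, scan=scan_file) -> dict:
    """Scan every file under root and rename the detected ones.
    Returns {old_path: new_path}; undetected files keep their name."""
    renamed = {}
    for path in sorted(root.rglob("*")):  # materialised once, before any rename
        if not path.is_file() or path.suffix.lower() in SKIP_EXT:
            continue
        threat = parse_threat(scan(path))
        if threat is None:
            continue
        target = path.with_name(new_name(path, threat, sha256_of(path)))
        if target.exists():
            continue  # identical bytes already renamed: don't clobber
        path.rename(target)
        renamed[str(path)] = str(target)
    return renamed


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else r"D:\Malware")
    before = count_samples(root)
    result = rename_corpus(root)
    after = count_samples(root)
    print(f"renamed {len(result)} of {before} samples; {after} remain on disk")
    if before != after:
        print("WARNING: file count changed; check Defender quarantine", file=sys.stderr)
```

The scan function is passed in as a parameter so the parsing and renaming logic can be exercised without Defender present; on the real corpus, invoke it as `python rename_malware.py D:\Malware` exactly like the original script. The before/after count replaces the PowerShell arithmetic and fails loudly if anything went missing.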
The script continues recursively renaming the analyzed files. Energizer Rabbit: “Still going!”
Finally (and not begrudgingly at all, considering over 30,000 samples were analyzed), the script has reached the end of the samples.
Script has reached the end of the files.
If we do a directory listing of the malware directory, we see that most of the files have been renamed based on their malware identification.
File listing showing malware files named Trojan.Powershell… Trojan.Script… etc.
Hooray!
That makes it much easier to search and query through the malware repository.
I have an obsession with mini computers. I’ve got a number of NUCs as lab devices, and some off-brand models too. There is also not quite a bakery’s worth of Raspberry Pis. Having small, purpose-driven appliances works perfectly for how my lab setup has evolved. As needs and missions change, different components can be repurposed and built into something else. In a way it’s like playing with Legos, another proclivity I’ve held on to from my earliest days as a tinkerer.
One of my favorite (and ever-evolving) projects has been the Lack Rack. I’d already had a set of Raspberry Pis rack-mounted.
As I was rewiring some other components, I rack-mounted two NUCs and improvised a mount for a third PC. There was another mini computer I wanted to mount, but its dimensions weren’t compatible with the rack hardware. That led to a separate project that worked out so well I figured I’d share it.
There’s really only one component to the build, though you could use multiple kits depending on how many levels (or computers) you want to accommodate. The kit isn’t Lego brand, but it’s essentially interchangeable with other Lego pieces.
The four base plates are 6×6 and come with thirty 2-inch risers, so the shelves can be spaced 2 or 4 inches apart. I used the risers not just for the corner posts, but also along the sides of the devices to fix them in position. Besides mini computers, it was very easy to accommodate a 5-port switch for networking.
If you’re looking for an easy way to rack and stack a few mini computers, and perhaps want to add some Lego accoutrements, this could be just what you need.