Category: Windows Incident Response
Lina’s Write-up
Lina recently posted on LinkedIn that she’d published another blog post. Her blog posts are always well written, easy to follow, fascinating, and very informative, and this one did not disappoint. In short, Lina says that she found a bunch…
The Role of AI in DFIR
The role of AI in DFIR is something I’ve been noodling over for some time, even before my wife first asked me the question of how AI would impact what I do. I guess I started thinking about it when…
Artifacts: Jump Lists
In order to fully understand digital analysis, we need to have an understanding of the foundational methodology, as well as the various constituent artifacts on which a case may be built. The foundational methodology starts with your goals…what are you…
Carving
Recovering deleted data, or “carving”, is an interesting digital forensics topic; I say “interesting” because there are a number of different approaches and techniques that may be valuable, depending upon your goals. For example, I’ve used X-Ways to recover deleted…
UEPOTB, LNK edition
A while back, Jesse Kornblum published a paper titled, “Using Every Part of the Buffalo in Windows Memory Analysis“. This was, and still is, an excellent paper, based on its content and how it pertained to the subject (Windows memory…
FTSCon
I had the distinct honor and pleasure of speaking at the “From The Source” Conference (FTSCon) on 21 Oct, in Arlington, VA. This was a 1-day event put on prior to the Volexity memory analysis training, and ran two different…
Artifact Tracking: Workstation Names
Very often in cybersecurity, we share some level of indicators of compromise (IOCs), such as IP addresses, domain names, or file names or hashes. There are other indicators associated with many compromises or breaches that can add a great deal…