Tag: Windows Incident Response

Analysis Process

Now and again, someone will ask me, “…how do you do analysis?” or perhaps more specifically, “…how do you use RegRipper?”  This is a tough question to answer, but not because I don’t have an answer. I’ve already published a book…

Read more →

Rundown

I ran across a fascinating post from Cyber Sundae DFIR recently that talked about the Capability Access Manager, and how with Windows 11 it includes database of applications that have accessed devices such as the mic or camera, going beyond just…

Read more →

Exploiting LNK Metadata

Anyone who’s followed me for a bit knows that I’m a huge proponent of metadata, and in particular, exploiting metadata in LNK files that threat actors create, use as lures, and send to their targets. I read an article not…

Read more →

Shell Items

I ran across a Cyber5W article recently titled, Windows Shell Item Analysis. I’m always very interested in not only understanding parsing of various data sources from Windows systems, but also learning a little something about how others view the topic. …

Read more →

RegRipper Educational Materials

A recent LinkedIn thread led to a question regarding RegRipper educational materials, as seen in figure 1; specifically, are there any. Figure 1: LinkedIn request There are two books that address the use of RegRipper; Windows Registry Forensics, and Investigating…

Read more →

What is “Events Ripper”?

I posted to LinkedIn recently (see figure 1), sharing the value I’d continued to derive from Events Ripper, a tool I’d written largely for my own use some time ago. Fig. 1: LinkedIn post From the comments to this and…

Read more →

What is “Events Ripper”?

I posted to LinkedIn recently (see figure 1), sharing the value I’d continued to derive from Events Ripper, a tool I’d written largely for my own use some time ago. Fig. 1: LinkedIn post From the comments to this and…

Read more →

The Myth of “Fileless” Malware

Is “fileless” malware really fileless? Now, don’t get me wrong…I get what those who use this term are trying to say; that is, the actual malware itself, the malicious code, does not exist as a file on the local hard…

Read more →

The Myth of “Fileless” Malware

Is “fileless” malware really fileless? Now, don’t get me wrong…I get what those who use this term are trying to say; that is, the actual malware itself, the malicious code, does not exist as a file on the local hard…

Read more →

Threat Actors Dropping Multiple Ransomware Variants

I ran across an interesting LinkedIn post recently, “interesting” in the sense that it addressed something I hadn’t seen a great deal of reporting on; that is, ransomware threat actors dropping multiple RaaS variants within a single compromised organization. Now,…

Read more →