Build your own NSRL Server
It's been a long time since I wrote a blog post. I moved to Singapore and started a new job and I simply lost track of time. I couldn't let the year end without getting at least a few posts up. I...
Know your Windows Processes or Die Trying
I have been talking with quite a few people lately tasked with "security" inside their organizations and couldn't help but notice their lack of understanding when it came to Windows process...
Do not fumble the lateral movement
I posted a blog post about Windows Processes and how knowing what's "normal" can be used to spot malicious activity. You can find it here: Know your Windows Processes or Die Trying. I got quite a bit of...
Parsing Landesk Registry Entries FTW
I was on a case the other day and I could see the malware dropped, At jobs created (typical), then I went to work on parsing the job files and noticed two of them were pointing to what appeared to be...
Interview well or Die Trying
Ok, so I am taking a bit of a different direction and I am writing a quick post on interviewing. I don't claim to be an expert in conducting or participating in them. I have, however, conducted what...
Automating Data Reduction via Whitelists
In a previous post, Build your own NSRL Server, I showed people how to get an NSRL server set up so they could filter out whitelisted hashes from md5deep output. I found that I didn't like that method and...
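The data-reduction step that both NSRL posts above refer to, shown as an added example that is not the blog's own code or tooling: take md5deep output, drop every file whose MD5 appears in an NSRL-style whitelist, and keep only the unknowns for the examiner. It assumes the NSRLFile.txt column layout (SHA-1, MD5, CRC32, FileName, ... with upper-case hashes) and md5deep's default "hash, two spaces, path" output; both the RDS rows and the md5deep lines below are constructed for the example, and the hash values are not real NSRL entries.

```python
"""Added example (not the blog's code): reduce md5deep output to the files
whose MD5 is NOT in an NSRL-style whitelist. All input data is constructed."""
import csv
import io
import re

# Constructed excerpt in the column layout of the NSRL RDS file NSRLFile.txt.
# Values are made up for this example; NSRL stores hashes in upper case.
NSRL_EXCERPT = """\
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"0000000000000000000000000000000000000000","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.bin","0","1","362",""
"1111111111111111111111111111111111111111","0CC175B9C0F1B6A831C399E269772661","E8B7BE43","a.txt","1","1","362",""
"""

# Constructed md5deep output: "<md5><two spaces><path>", lower-case hex, the
# way md5deep prints it by default. The last line is deliberately malformed.
MD5DEEP_OUTPUT = r"""
d41d8cd98f00b204e9800998ecf8427e  C:\Windows\System32\empty.bin
0cc175b9c0f1b6a831c399e269772661  C:\Windows\System32\a.txt
9e107d9d372bb6826bd81d3542a419d6  C:\Users\bob\AppData\Local\Temp\svch0st.exe
not-a-hash  C:\garbage line
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def load_nsrl_md5s(rds_text):
    """Return the set of MD5 values from NSRLFile.txt-style CSV, lower-cased.

    Normalising case matters: NSRL is upper case, md5deep prints lower case,
    and a plain string comparison between the two would whitelist nothing.
    """
    reader = csv.DictReader(io.StringIO(rds_text))
    return {row["MD5"].strip().lower() for row in reader if row.get("MD5")}


def parse_md5deep(output_text):
    """Yield (md5, path) from md5deep's default output.

    Lines that are not a 32-hex-digit hash followed by a path are yielded as
    (None, raw_line) so the caller can report them instead of losing them.
    """
    for line in output_text.splitlines():
        if not line.strip():
            continue
        # Split once: the hash is the first token, the rest is the path,
        # which may itself contain spaces.
        parts = line.split(None, 1)
        if len(parts) == 2 and MD5_RE.match(parts[0].lower()):
            yield parts[0].lower(), parts[1]
        else:
            yield None, line


def reduce_md5deep(output_text, whitelist):
    """Return (unknown, whitelisted_count, malformed).

    unknown           - (md5, path) pairs not in the whitelist: what to look at
    whitelisted_count - how many files the whitelist removed from review
    malformed         - raw lines that were not valid md5deep records
    """
    unknown, malformed, hits = [], [], 0
    for md5, path in parse_md5deep(output_text):
        if md5 is None:
            malformed.append(path)
        elif md5 in whitelist:
            hits += 1
        else:
            unknown.append((md5, path))
    return unknown, hits, malformed


if __name__ == "__main__":
    wl = load_nsrl_md5s(NSRL_EXCERPT)
    unknown, hits, bad = reduce_md5deep(MD5DEEP_OUTPUT, wl)
    print(f"whitelisted: {hits}, unknown: {len(unknown)}, malformed: {len(bad)}")
    for md5, path in unknown:
        print(md5, path)
```

Two caveats worth keeping in mind when doing this for real: the full RDS is far too large to hold as an in-memory set on a typical analysis box, which is the scaling problem the server approach in the earlier post addresses; and NSRL is a known-file set, not a known-good set, so a hash that matches only tells you the file is a catalogued release of some software, not that it is benign.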
Forensics in the Amazon Cloud - EC2
Businesses of all sizes seem to be moving at least some operations to the cloud. It’s only a matter of time before you get a phone call asking you to conduct some kind of cloud forensics and/or...
Python Registry Parser (regparse)
I released a tool called Python Registry Parser (or regparse for short), which is a plugin-based Windows Registry parser written in Python. Main reasons for writing regparse: I don't like the output...
WinZip MRU Tool Check
I was playing around with WinZIP today and noticed something and wanted to write it down before I forgot to document it. I still need to do some analysis, but wanted to make it known if it wasn't...
Extract Attachments (extachment) from Emails
Update 8APR15 - Works on .msg files now. I wasn't going to write a blog post on this, but figured I would go ahead and share it anyway. I often find myself searching VirusTotal for tag:email and...
Unpacking Pyinstaller Packed Python Malware
I do not consider these next steps complex but I still wanted to document it because I didn't really find much online except a few Stack Overflow comments here and there and I had it in my draft posts...
Your Registry Blobs Belong to Me (RegHexDump)
So I was reading Trend's blog post Without a Trace: Fileless Malware Spotted in the Wild and although not totally new, it got me thinking a bit. I downloaded some of the MD5s they posted and started...
Introduction to Hardware and Embedded Forensics
Blog Series
Part 1: Introduction to Hardware and Embedded Forensics
Part 2: UART Intro. and Sniffing UART with a Logic Analyzer
Part 3: TBD
Introduction to Hardware and Embedded Forensics
I started...
UART Intro. and Sniffing UART with a Logic Analyzer
DISCLAIMER: EVERYTHING HERE WILL VOID YOUR PRODUCT WARRANTY
This is Part II in a series of blog posts I will be doing. The main tracking page is here. Before we get into the process I used for sniffing...
SQLite Artifact Recovery Framework (SLARF)
I got this idea a while back when I wrote a tool called BARFF - Browser Artifact Recovery Forensic Framework. It was more or less a glorified SQLite parser, which is, again, more or less what SLARF is,...
I am Currently Offline
A few people have asked me recently why I have not posted any blogs or updated any of my code on GitHub. Simply put, my employer does not allow it. I knew upfront that I would not be able to blog so...
Home Automation Hub Forensics
In Part 1: Introduction to Hardware and Embedded Forensics I went over some tools I am using to perform hardware and embedded forensics analysis. In Part 2: UART Intro. and Sniffing UART with a Logic...
Back Online
I am back online after a year. My previous employer did not allow blogging or code contributions, but that's behind me now so I am free to do what I want. I actually debated whether or not to start...
Arduino Forensics
I started playing around with the Arduino Uno Rev 3 a while back but never got around to documenting anything via a blog post (until now). I read Steve Watson's slide series here on Arduino forensics,...
JTAGing Mobile Phones
Overview
I always thought JTAG was hard, then I tried it, and realized it was actually very easy (most of the time). Pretty much anyone can learn to do this in 8 hours of soldering practice. Really,...