Digital Forensic Survival Podcast
This week, we're covering zero-day vulnerability response from a Digital Forensics and Incident Response professional's perspective. In our roles, we often get involved in various tasks that require a security mindset, and one critical task is responding to zero-day vulnerabilities. To provide a real-world context, we'll integrate the recently disclosed zero-day exploit "Copy2Pwn" (CVE-2024-38213) and discuss the specific forensic artifacts and methods used to achieve the objectives of a DFIR response.
info_outline DFSP # 448 WebShell ForensicsDigital Forensic Survival Podcast
Welcome to this week’s session, where we’ll delve into web shell forensics—an ever-critical topic in incident response investigations and threat-hunting strategies. Today, I’ll provide a breakdown that includes the latest developments, detailed triage techniques, and practical examples of what to look for during your investigations:
info_outline DFSP # 447 Linux Root KitsDigital Forensic Survival Podcast
Rootkits are hard to detect because they employ advanced stealth techniques to hide their presence. They can conceal processes, files, and network activities by altering system calls and kernel data structures. The deep system knowledge and specialized tools required for low-level analysis make rootkit detection complex and resource-intensive. Limited visibility of standard security tools further complicates the identification of rootkits. However, This week I'm going to talk about how to identify root kits on a Linux systems using only the command line.
info_outline DFSP # 446 Registry by EVTXDigital Forensic Survival Podcast
In previous episodes, we covered techniques for examining the Windows Registry, a critical component in identifying persistence mechanisms. We'll explore the registry but shift our focus to registry modification events as reported by Windows event logs
info_outline DFSP # 445 Bash TriageDigital Forensic Survival Podcast
Bash history's forensic value lies in its ability to answer diverse investigative questions, making it a cornerstone artifact for Linux systems. It aids in triaging lateral movement, identifying reconnaissance activities, and detecting attempts at establishing persistence. This underscores the importance of structuring triage tasks around specific investigative questions, facilitating focused analysis amidst potentially extensive Bash history records...
info_outline DFSP # 444 A little assistanceDigital Forensic Survival Podcast
The UserAssist key is a Windows Registry artifact that logs details about user activity, such as recently accessed programs and files. It encodes information on the frequency and last access time of items launched via Windows Explorer. This helps investigators understand user behavior and timeline of actions on a system, providing evidence of program execution and file access...
info_outline DFSP # 443 - Standard ActionsDigital Forensic Survival Podcast
Every incident response outfit should have a set of guidelines for their team which outlines the standard actions or common considerations for security investigations. In this episode, I highlight some of the key points for security teams with a special focus on initial actions which typically set the tone for success during the subsequent investigation.
info_outline DFSP # 442 - Database ResponseDigital Forensic Survival Podcast
Understanding the different types of databases is important for security incident response investigations, as databases are often targeted by attackers seeking sensitive information. Each database type—relational, NoSQL, in-memory, and cloud-based—has unique structures, query languages, and security mechanisms. Familiarity with these variations enables investigators to effectively...
info_outline DFSP # 441 - CIS BenchmarksDigital Forensic Survival Podcast
CIS (Center for Internet Security) Benchmarks provide a comprehensive set of best practices for securing IT systems and data, which are vital for security response investigations. These benchmarks, developed through a consensus-driven process by cybersecurity experts, offer detailed guidelines for configuring operating systems, applications, and network devices to enhance their security posture. In the context of security response investigations, adhering to CIS Benchmarks helps ensure that systems are resilient against common threats and vulnerabilities. By implementing these benchmarks,...
info_outline DFSP # 440 - ABCs of BECsDigital Forensic Survival Podcast
Business Email Compromise (BEC) forensics involves the meticulous investigation of cyberattacks where attackers infiltrate email systems to manipulate business communications for financial gain. These attacks often entail phishing, social engineering, and credential theft to impersonate trusted entities within or outside an organization. Forensic analysis of BEC incidents focuses on tracing the attacker's entry point, examining email headers, metadata, and logs to uncover the methods used for unauthorized access. It also involves identifying compromised accounts, understanding the scope of the...
info_outlineUnderstanding the different types of databases is important for security incident response investigations, as databases are often targeted by attackers seeking sensitive information. Each database type—relational, NoSQL, in-memory, and cloud-based—has unique structures, query languages, and security mechanisms. Familiarity with these variations enables investigators to effectively...