Digital Forensic Survival Podcast

Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.

DFSP # 457 WSL 11/19/2024

DFSP # 457 WSL The Linux subsystem for Windows, create both opportunity and challenges for forensic analysts. It makes Windows an excellent platform for multi platform forensic analysis tasks, allowing it to take advantage of the many Linux tools available. The challenges are foreseeable, you have Linux artifacts, now commingled on a Windows platform, which makes forensic analysis that much more difficult when examining such a system as evidence. This week I'm going to break down the Linux subsystems for forensic investigators /episode/index/show/digitalforensicsurvivalpodcast/id/33544487

DFSP # 456 network triage primer 11/12/2024

DFSP # 456 network triage primer In this episode, we’ll explore the fundamentals of network triage, focusing on the key aspects of network traffic that are central to many investigations. Additionally, we’ll discuss some of the essential tools you can use to analyze and manage network data effectively. /episode/index/show/digitalforensicsurvivalpodcast/id/33544462

DFSP # 455 Security Control Circumvention 11/05/2024

DFSP # 455 Security Control Circumvention Today, we’re going to explore how to handle a critical security event: Unauthorized Modification of Information. This type of event occurs when a user alters information in a system—whether it’s an application, database, website, server, or configuration files—without prior authorization. These modifications can range from impersonation and unauthorized system updates to more sophisticated techniques such as SQL injections, privilege escalations, and configuration file tampering. /episode/index/show/digitalforensicsurvivalpodcast/id/33544422

DFSP # 454 MFA Bypass Attacks 10/29/2024

DFSP # 454 MFA Bypass Attacks This week I talk about the attack methods being used to bypass MFA. We'll learn about real-world cases where MFA was circumvented, and discover best practices to strengthen defenses against these types of attacks... /episode/index/show/digitalforensicsurvivalpodcast/id/32941212

DFSP # 453 Windows Startup Locations 10/22/2024

DFSP # 453 Windows Startup Locations In today’s episode, we’ll focus on startup folders, which are perhaps the easiest to triage among all persistence mechanisms. But before diving in, let’s recap the journey so far to underscore the importance of a comprehensive approach rather than a one-off tactic. Each triage area we've covered plays a crucial role in identifying and stopping attacks... /episode/index/show/digitalforensicsurvivalpodcast/id/32941187

DFSP # 452 AI and DFIR 10/15/2024

DFSP # 452 AI and DFIR In 2024, AI has not only revolutionized how we defend against cyber threats but also how those threats are being carried out. We'll explore how AI is enabling faster, more efficient security incident responses, with real-world examples of its application in automated threat detection and response, advanced forensics, and more. But with every technological leap forward, there's a dark side and attackers are harnessing AI to orchestrate sophisticated attacks... /episode/index/show/digitalforensicsurvivalpodcast/id/32941167

DFSP # 451 SQL Triage 10/08/2024

DFSP # 451 SQL Triage SQL injection poses significant risks by enabling attackers to access sensitive metadata, execute dynamic SQL commands, and alter system parameters. These actions can lead to unauthorized data access and system disruptions, especially if attackers gain elevated privileges. This week I'm talking about SQL attack patterns from a triage point of view to help you detect such activity when doing log analysis... /episode/index/show/digitalforensicsurvivalpodcast/id/32941142

DFSP # 450 Secure coding and DFIR 10/01/2024

DFSP # 450 Secure coding and DFIR I decided to talk this week about the Importance of Secure Coding Knowledge for Security Incident Response Investigations. Knowing secure coding principles helps identify the root causes of vulnerabilities and recognize attack patterns. It facilitates effective communication and collaboration with developers, ensuring accurate incident reports and actionable recommendations. Secure coding knowledge enhances forensic analysis by aiding in code reviews and log analysis to detect anomalies. It also allows responders to suggest mitigation strategies and improve the security posture of applications. Ultimately, this knowledge leads... /episode/index/show/digitalforensicsurvivalpodcast/id/32941127

DFSP # 449 Zero-Day or Hero-Day 09/24/2024

DFSP # 449 Zero-Day or Hero-Day This week, we're covering zero-day vulnerability response from a Digital Forensics and Incident Response professional's perspective. In our roles, we often get involved in various tasks that require a security mindset, and one critical task is responding to zero-day vulnerabilities. To provide a real-world context, we'll integrate the recently disclosed zero-day exploit "Copy2Pwn" (CVE-2024-38213) and discuss the specific forensic artifacts and methods used to achieve the objectives of a DFIR response. /episode/index/show/digitalforensicsurvivalpodcast/id/32723422

DFSP # 448 WebShell Forensics 09/17/2024

DFSP # 448 WebShell Forensics Welcome to this week’s session, where we’ll delve into web shell forensics—an ever-critical topic in incident response investigations and threat-hunting strategies. Today, I’ll provide a breakdown that includes the latest developments, detailed triage techniques, and practical examples of what to look for during your investigations: /episode/index/show/digitalforensicsurvivalpodcast/id/32723397

DFSP # 447 Linux Root Kits 09/10/2024

DFSP # 447 Linux Root Kits Rootkits are hard to detect because they employ advanced stealth techniques to hide their presence. They can conceal processes, files, and network activities by altering system calls and kernel data structures. The deep system knowledge and specialized tools required for low-level analysis make rootkit detection complex and resource-intensive. Limited visibility of standard security tools further complicates the identification of rootkits. However, This week I'm going to talk about how to identify root kits on a Linux systems using only the command line. /episode/index/show/digitalforensicsurvivalpodcast/id/32723387

DFSP # 446 Registry by EVTX 09/03/2024

DFSP # 446 Registry by EVTX In previous episodes, we covered techniques for examining the Windows Registry, a critical component in identifying persistence mechanisms. We'll explore the registry but shift our focus to registry modification events as reported by Windows event logs /episode/index/show/digitalforensicsurvivalpodcast/id/32723367

DFSP # 445 Bash Triage 08/27/2024

DFSP # 445 Bash Triage Bash history's forensic value lies in its ability to answer diverse investigative questions, making it a cornerstone artifact for Linux systems. It aids in triaging lateral movement, identifying reconnaissance activities, and detecting attempts at establishing persistence. This underscores the importance of structuring triage tasks around specific investigative questions, facilitating focused analysis amidst potentially extensive Bash history records... /episode/index/show/digitalforensicsurvivalpodcast/id/32176382

DFSP # 444 A little assistance 08/20/2024

DFSP # 444 A little assistance The UserAssist key is a Windows Registry artifact that logs details about user activity, such as recently accessed programs and files. It encodes information on the frequency and last access time of items launched via Windows Explorer. This helps investigators understand user behavior and timeline of actions on a system, providing evidence of program execution and file access... /episode/index/show/digitalforensicsurvivalpodcast/id/32176377

DFSP # 443 - Standard Actions 08/13/2024

DFSP # 443 - Standard Actions Every incident response outfit should have a set of guidelines for their team which outlines the standard actions or common considerations for security investigations. In this episode, I highlight some of the key points for security teams with a special focus on initial actions which typically set the tone for success during the subsequent investigation. /episode/index/show/digitalforensicsurvivalpodcast/id/32176357

DFSP # 442 - Database Response 08/06/2024

DFSP # 442 - Database Response Understanding the different types of databases is important for security incident response investigations, as databases are often targeted by attackers seeking sensitive information. Each database type—relational, NoSQL, in-memory, and cloud-based—has unique structures, query languages, and security mechanisms. Familiarity with these variations enables investigators to effectively... /episode/index/show/digitalforensicsurvivalpodcast/id/32176322

DFSP # 441 - CIS Benchmarks 07/30/2024

DFSP # 441 - CIS Benchmarks CIS (Center for Internet Security) Benchmarks provide a comprehensive set of best practices for securing IT systems and data, which are vital for security response investigations. These benchmarks, developed through a consensus-driven process by cybersecurity experts, offer detailed guidelines for configuring operating systems, applications, and network devices to enhance their security posture. In the context of security response investigations, adhering to CIS Benchmarks helps ensure that systems are resilient against common threats and vulnerabilities. By implementing these benchmarks, organizations can better detect, respond to, and recover from security incidents, thereby minimizing potential damage and improving overall cybersecurity hygiene. /episode/index/show/digitalforensicsurvivalpodcast/id/31847122

DFSP # 440 - ABCs of BECs 07/23/2024

DFSP # 440 - ABCs of BECs Business Email Compromise (BEC) forensics involves the meticulous investigation of cyberattacks where attackers infiltrate email systems to manipulate business communications for financial gain. These attacks often entail phishing, social engineering, and credential theft to impersonate trusted entities within or outside an organization. Forensic analysis of BEC incidents focuses on tracing the attacker's entry point, examining email headers, metadata, and logs to uncover the methods used for unauthorized access. It also involves identifying compromised accounts, understanding the scope of the attack, and preserving evidence for legal proceedings. Effective BEC forensics is crucial for mitigating financial losses, strengthening cybersecurity defenses, and preventing future incidents. /episode/index/show/digitalforensicsurvivalpodcast/id/31847107

DFSP # 439 - Remoting Windows 07/16/2024

DFSP # 439 - Remoting Windows Remote Desktop Protocol (RDP) is a crucial artifact in digital forensics due to its extensive use for remote system access. Analyzing RDP activities can uncover vital information about unauthorized access, insider threats, and attacker lateral movement within a network. Forensic examination of RDP logs enables investigators to trace an attacker's steps, identify compromised accounts, and assess the breach's extent. For instance, RDP forensics can detect brute force attacks on login credentials, track the use of stolen credentials, and monitor suspicious reconnection attempts to previously established sessions. /episode/index/show/digitalforensicsurvivalpodcast/id/31847087

DFSP # 438 - Old Nix 07/09/2024

DFSP # 438 - Old Nix This week, I will be discussing the Linux operating system from a DFIR perspective. It is highly recommended for every examiner to become proficient in Linux, especially with the increasing prevalence of cloud-based infrastructures in enterprise environments. As these platforms become the norm, you can expect to encounter Linux systems frequently during your investigations. /episode/index/show/digitalforensicsurvivalpodcast/id/31847077

DFSP # 437 - Windows Autoruns 07/02/2024

DFSP # 437 - Windows Autoruns In Windows forensics, understanding the intricacies of autorun functionalities and the Windows Registry is essential for effective incident response and investigation. Autorun mechanisms, which allow programs to execute automatically when the system starts or specific actions are performed, can be exploited by malicious actors to persist on a system. The Windows Registry, a hierarchical database that stores low-level settings for the operating system and applications, plays a crucial role in tracking these autorun entries. Forensic analysis of the Windows Registry can reveal information about auto-starting applications, system configurations, and user activities, providing insights into potential security breaches and unauthorized changes. /episode/index/show/digitalforensicsurvivalpodcast/id/31847062

DFSP # 436 - Ja-Who? 06/25/2024

DFSP # 436 - Ja-Who? The JOHARI methodology simply provides a structure for something that you're probably already doing. However, with the structure comes a standard, which is the benefit to any security team. The team should be speaking the same language, especially in fast moving, dynamic situations. Going into a situation and asking for the "known – knowns” and “Blindspots" should register with every team member without any question about their definitions... /episode/index/show/digitalforensicsurvivalpodcast/id/31398452

DFSP # 435 - Good Ol’ Powershell 06/18/2024

DFSP # 435 - Good Ol’ Powershell Threat actors often exploit PowerShell in cyber attacks due to its capabilities and integration with Windows operating systems. Microsoft has cited powershell as one of the most commonly used tools in the attack chain. It also comes up in phishing campaigns and other attacks that include infecting URL links. The challenge lies in the fact that it is a commonly used administration tool. As an analyst, you can expect to have lots of powershell scripts and commands come up during your investigations. Your job is to be able to differentiate between the good and bad. Fortunately, this episode is going to give you some tips and tricks on how to do exactly that... /episode/index/show/digitalforensicsurvivalpodcast/id/31398447

DFSP # 434 - The Reg 06/11/2024

DFSP # 434 - The Reg The Windows registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as for applications running on the platform. In order to make use of any of this information, you must understand the registry from a DFIR point of view, and that's exactly what I'm doing in this episode... /episode/index/show/digitalforensicsurvivalpodcast/id/31398422

DFSP # 433 - SU DOs and DONTS 06/04/2024

DFSP # 433 - SU DOs and DONTS On a Linux or Mac system, there can be user accounts that have the ability of privilege escalation. Knowing how to triage, for this has a twofold benefit: (1) you obviously want to know which account may elevate to route privileges. If you're doing account triage, these are the ones you should prioritize. The other benefit (2) is to identify any account that can escalate. This fact alone ... /episode/index/show/digitalforensicsurvivalpodcast/id/31398407

DFSP # 432 - Control Bits 05/28/2024

DFSP # 432 - Control Bits TCP control bits are part of the TCP header and are used to manage the connection between two devices. These control bits are single-bit flags that indicate various aspects of the TCP connection and are important for understanding and analyzing network traffic... /episode/index/show/digitalforensicsurvivalpodcast/id/30964688

DFSP # 431 - Finding Needles 05/21/2024

DFSP # 431 - Finding Needles The time it takes from an initial escalation to the initial discovery of compromise is a key metric. Teams strive to do this as quickly as possible, but there are a number of challenges. You do not know what you're going to be handed, but you're pretty much guaranteed It's going to be a unique set of circumstances that require some type of customized or mostly customized response. So how do you accomplish this? Most analyst rely on a set of tried and true various techniques that can be used at scale. This week I'm going to cover a few of them, each being a critical technique you should be familiar with for forensic investigations... /episode/index/show/digitalforensicsurvivalpodcast/id/30964658

DFSP # 430 - Targeting Tasks 05/14/2024

DFSP # 430 - Targeting Tasks Windows Scheduled Tasks are often used by attackers to establish persistence. As an analyst, you want to be aware of the different windows event codes that record these details. These artifacts come up in just about every windows compromise assessment, consider them core triage skills. There are several events, all of which I will go over in this episode. I will break them down from a DFIR point of view and give you the triage methodology... /episode/index/show/digitalforensicsurvivalpodcast/id/30964638

DFSP # 429 - Career Moves 05/07/2024

DFSP # 429 - Career Moves This week I talk about career moves for the DFIR professional. The skill set is valuable, but it must be combined with the right additional technical skills to maximize future job opportunities. Of course, there is one skill set that stands out above the rest... /episode/index/show/digitalforensicsurvivalpodcast/id/30964608

DFSP # 428 - It’s all about that XML 04/30/2024

DFSP # 428 - It’s all about that XML When you're triaging a Windows system for evidence of compromise, it's ideal if your plan is focused on some quick wins upfront. There are certain artifacts that offer this opportunity, and Windows Events for New Scheduled Tasks are one of them. Sometimes overlooked, at least in part, because the good stuff contained within the XML portion of the log. This week I'm covering the artifact from a DFIR point of view, I'll go over all the elements of the log entry that are of interest for investigations, and I'll provide a triage methodology that you can employ to find evidence quickly. /episode/index/show/digitalforensicsurvivalpodcast/id/30509283

Digital Forensic Survival Podcast

TOPICS