Digital Forensic Survival Podcast
Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.
DFSP # 426 - SSH Forensics: Log Analysis
04/16/2024
This week I'm wrapping up my series on SSH forensics with a discussion on SSH log triage. Logs are usually what an analyst will start with, so this episode is important. There are a few different log types, and there is a pitfall with one of them, which is something you must be aware of to avoid making inaccurate conclusions. I'll provide the artifact breakdown, triage methodology, and more.
/episode/index/show/digitalforensicsurvivalpodcast/id/30509258
DFSP # 425 - SSH Forensics: Host-Based Artifacts
04/09/2024
In the last episode on this topic, I covered SSH from an investigation point of view. I explained SSH and the artifacts that typically come up when you're investigating. In this episode, we're getting into the triage methodology. This includes the artifacts targeted for a fast but effective triage for notable SSH activity on a given host.
/episode/index/show/digitalforensicsurvivalpodcast/id/30509243
DFSP # 424 - SSH Forensics: Understanding Secure Shell
04/02/2024
SSH is a protocol used to secure remote access to systems, making it a cornerstone in safeguarding sensitive information and ensuring secure communications. In this podcast, we will delve into the basics of SSH, its key concepts and other useful elements important for context when investigating for notable SSH activity.
/episode/index/show/digitalforensicsurvivalpodcast/id/30509238
DFSP # 423 - Guiding Lights: Cyber Investigations Investigation Lifecycle
03/26/2024
This week I'm discussing a fundamental aspect of cybersecurity: incident response preparation. Effective incident response is paramount, and preparation is the key to success. This preparation includes comprehensive documentation, training, having the right tools and resources in place, and developing incident response plans and playbooks. It also involves ensuring clear communication protocols and conducting regular training and testing. I'll explore preparation from the perspective of the investigation life cycle, where success is the reward for preparation. Join me as I uncover the importance of preparation in incident response and how it lays the foundation for success in investigations.
/episode/index/show/digitalforensicsurvivalpodcast/id/30090203
DFSP # 422 - EVTX Express: Cracking into Windows Logs Like a Pro
03/19/2024
Today I'm talking about Windows forensics, focusing on Windows event logs. These logs are very valuable for fast triage, often readily available in your organization's SIEM. But have you ever wondered about the processes enabling this quick access? Not only are the logs automatically collected and fed into the appliance, but they are also formatted and normalized for easy data searchability. This is crucial, as the logs are originally in a complex format that is challenging to interpret natively. Now, picture a scenario where event logs are inaccessible through a security appliance. Enter this week's topic: EVTX analysis options. Don't be caught unprepared.
/episode/index/show/digitalforensicsurvivalpodcast/id/30090183
DFSP # 421 - Memory Lane: Fileless Linux Attacks Unraveled
03/12/2024
In this podcast episode, we talk about Linux's `memfd`, a virtual file system allowing the creation of anonymous memory areas for shared memory or temporary data storage. Threat actors exploit `memfd` for fileless malware attacks, as its memory areas exist only in RAM, evading traditional file-based detection methods. Join me as I examine `memfd` as a forensic artifact, its implications in DFIR, and strategies for detecting its abuse.
/episode/index/show/digitalforensicsurvivalpodcast/id/30090158
DFSP # 420 - Failing, Stopping and Crashing
03/05/2024
This week we explore the world of Windows service event codes and their role in forensic investigations. Windows services are background processes crucial for system functionality, running independently of user interaction, making them ideal targets for exploitation. Join me to explore the intricate details of Windows services and their significance in digital forensics.
/episode/index/show/digitalforensicsurvivalpodcast/id/30090138
DFSP # 419 - What the Flux
02/27/2024
This week, we're delving into the realm of fast flux, a cunning technique employed by attackers to cloak their true, malicious domains. Its effectiveness is the reason behind its widespread use, making it crucial for analysts to grasp its nuances and avoid chasing elusive ghosts during investigations. Stay tuned as I unravel the intricacies of fast flux, providing insights into what it entails and offering valuable tips on how to effectively detect it. All this and more coming your way!
/episode/index/show/digitalforensicsurvivalpodcast/id/29590473
DFSP # 418 - Core Insights: Navigating MFT in Forensics
02/20/2024
In this week's exploration, I'm delving into the intricate realm of the Master File Table (MFT), a pivotal forensic artifact in Windows investigations. The MFT provides a valuable gateway to decode evidence across various scenarios. Join me in this episode as we unravel the forensic basics, explore diverse use cases, and discover a range of tools that empower you to unlock the full potential of this invaluable artifact.
/episode/index/show/digitalforensicsurvivalpodcast/id/29590443
DFSP # 417 - Unlocking Linux Secrets
02/13/2024
This week I delve into the intriguing domain of Linux malware triage. The Linux platform presents forensic analysts with a unique opportunity to excel in performing malware triage effortlessly. The beauty of it lies in the fact that you don't require any specialized tools; all you need is a solid grasp of a few commands and the ability to decipher their output. With these skills in your arsenal, any analyst can swiftly and efficiently navigate through the process of malware triage. Stay tuned for more insights on this in the upcoming discussion!
/episode/index/show/digitalforensicsurvivalpodcast/id/29590398
DFSP # 416 - Persistence Mechanisms on Windows
02/06/2024
This week I'm going to talk about New Service Installation details recorded in Windows event logs. These have a number of advantages for your triage methodology and I will have all the details coming up.
/episode/index/show/digitalforensicsurvivalpodcast/id/29590343
DFSP # 415 - Dealing with Third-Party Incidents
01/30/2024
Organizations leverage third-party services more and more for business advantages. For the security professional, this means the organizational data you're charged with protecting is under the control of a third party in some way, shape or form. In this episode, I cover the third-party risk landscape for security professionals with a special focus on identifying scope and responsibility.
/episode/index/show/digitalforensicsurvivalpodcast/id/29085133
DFSP # 414 - CRON Forensics
01/23/2024
Cron becomes important in Linux forensics when you're talking about persistence. Think scheduled tasks if you want a Windows equivalent. The artifact is not that difficult to analyze once you understand the elements to focus on, and it is typically readily available. It's something that you can check out on a live system, gather with a collection script, and more and more security appliances are designed to access the artifact as well. I'll...
/episode/index/show/digitalforensicsurvivalpodcast/id/29085088
DFSP # 413 - Ransomware Initial Response
01/16/2024
Ransomware cases can be particularly challenging, especially during the initial response. They tend to be fast-paced and require the responder to simultaneously prioritize a number of tasks. Each of these tasks can have critical impact upon the outcome of the response and subsequent investigation. In this episode I am going to cover some immediate response actions. The goal here is to provide a framework that will allow responders to get off on the right foot…
/episode/index/show/digitalforensicsurvivalpodcast/id/29085033
DFSP # 412 - Conhost Forensics
01/09/2024
Conhost, or the Console Application Host, often comes up during investigations. Understanding what it is, the evidence it may contain and how to extract that information becomes important...
/episode/index/show/digitalforensicsurvivalpodcast/id/29085008
DFSP # 411 - NTLM Credential Validation
01/02/2024
This week I'm talking about detecting evidence of lateral movement on Windows systems using NTLM credential validation events. Much like the episode I did on Kerberos, NTLM events offer the same advantage of being concentrated on domain controllers, which allows you, as the analyst, to leverage a great resource for user account analysis. I will have the background, artifact breakdown, and triage strategy coming up right after this…
/episode/index/show/digitalforensicsurvivalpodcast/id/29084963
DFSP # 410 - Linux Temp Directories
12/26/2023
Temporary directories play a significant role in computer forensic investigations as they can potentially contain valuable digital evidence. When conducting a computer forensic investigation, these temporary directories can provide insights into user activities, application usage, and potentially malicious behavior...
/episode/index/show/digitalforensicsurvivalpodcast/id/28670503
DFSP # 409 - Regsvcs and Regasm Abuse
12/19/2023
This week I'm talking about Regsvcs/Regasm exploitation, which is a Windows tactic attackers use to evade defense mechanisms and execute code. Specifically, this technique can be used to bypass process whitelisting and digital certificate validation. I'll break down some interpretation methods that may be used to identify such exploitation....
/episode/index/show/digitalforensicsurvivalpodcast/id/28670488
DFSP # 408 - Nesting
12/12/2023
This week I'm talking about Nested Groups and the risk they pose for security. Built into the functionality of Active Directory is the ability to attach a group to another group. While this has advantages for account administration across an organization, it also offers attackers an opportunity if certain precautions are not taken. This week I'll break down Nested Groups in DFIR terms, talk about how attackers take advantage of it and what analysts need to know for investigations.
/episode/index/show/digitalforensicsurvivalpodcast/id/28670473
DFSP # 407 - More About Lateral Movement and Kerberos
12/05/2023
This week it's more about lateral movement and Kerberos events.
/episode/index/show/digitalforensicsurvivalpodcast/id/28670453
DFSP # 406 - All the BIN Directories
11/28/2023
In a typical Linux "bin" directory, you can find various types of executable files and scripts that are used to perform different tasks. The confusing part is that there are a number of different BIN directories throughout the file system. What is the purpose and difference between these BIN directories? What do you need to know about them for forensic investigations? The answers to those questions and more are coming up...
/episode/index/show/digitalforensicsurvivalpodcast/id/28345613
DFSP # 405 - Werfault Attacks
11/21/2023
Werfault is an interesting artifact in that there is not a lot of documentation on it, yet it may affect an investigation in different ways. Its appearance in logs sometimes adds a bit of confusion to an investigation because it could mean different things. Add to that a layer of apparent obscurity as to exactly how to interpret the information, and it becomes even more difficult for newer examiners. I took on the question...
/episode/index/show/digitalforensicsurvivalpodcast/id/28345574
DFSP # 404 - Certutil Attacks
11/14/2023
Certutil, a powerful command-line utility, possesses the potential for misuse by malicious actors to establish illicit network connections. Therefore, it is crucial to familiarize oneself with its legitimate applications and recognize common indicators of misuse. In this episode, we will delve into the utility of Certutil and identify effective methods to promptly detect and address potential abuses. Stay tuned as we explore these topics in depth...
/episode/index/show/digitalforensicsurvivalpodcast/id/28345559
DFSP # 403 - Lateral Movement Kerberos Auth Events
11/07/2023
This week I'm going to cover an important Windows event that provides valuable information about authentication attempts and potential security breaches. The event may be used to identify compromised accounts, brute-force attacks, or password spraying attacks. It may also be used to detect attack or probing activities. The artifact breakdown and triage methodology is coming up…
/episode/index/show/digitalforensicsurvivalpodcast/id/28345523
DFSP # 402 - Linux Root Directory Files for DFIR
10/31/2023
In Linux and Unix-based operating systems, the "root" account is the superuser or administrator account with the highest level of privileges. It has complete control over the system and can perform any action, including modifying system files, installing software, and managing user accounts. The root account is sometimes referred to as the "root user" or simply "root"....
/episode/index/show/digitalforensicsurvivalpodcast/id/28055499
DFSP # 401 - INF Fetch Execute
10/24/2023
This week we are taking a bit of a deep dive into an advanced attack technique to accomplish remote execution called "fetch and execute." While there are different methods to accomplish this sort of thing, what I am going to be focusing on is exploitation using a common Windows executable and installation file. Think of this as one of the touted "living off the land" attack techniques. It has value for compromise assessment methods as well as for threat hunting strategies...
/episode/index/show/digitalforensicsurvivalpodcast/id/28055496
DFSP # 400 - CMSTP
10/17/2023
This week I am going to focus on a specific remote execution technique that you may see in the wild. Remote execution is important for incident response investigations but also for file use and knowledge investigations, particularly those conducted as due diligence exams for evidence of malware. I have covered remote execution in the past from different angles, and I have done so because it is one of the red flags that an analyst should be looking for. In order to be effective in recognizing either an actual malicious execution or the risk of an attempted remote execution, you must be versed in the clever ways attackers attempt to compromise a host using Microsoft applications. The highlight this week will be CMSTP.exe abuse...
/episode/index/show/digitalforensicsurvivalpodcast/id/28055490
DFSP # 399 - Lateral Movement Failed Logon Events
10/10/2023
Finding and analyzing failed logons is sometimes just as important as finding suspicious actual logon activity. Like anything, context is important. Old logon records offer an opportunity to identify not only suspicious activity, but perhaps attempted activity by an attacker. A standard move in the attack chain is to compromise an account and use it to move within the breached environment. However, it doesn't always work as planned for the attacker, and you may find failed activity a valid signal for identifying malicious actions. This episode, I'm going to take a look at failed logon events from an investigation point of view.
/episode/index/show/digitalforensicsurvivalpodcast/id/28055481
DFSP # 398 - OODA & JOHARI
10/03/2023
This week I will discuss the use of the OODA loop and JOHARI window in security incident response investigations. These two frameworks are designed to help organizations quickly and effectively respond to security incidents, and can be used in combination to enhance incident response capabilities....
/episode/index/show/digitalforensicsurvivalpodcast/id/28055478
DFSP # 397 - Linux Home Directory Files for DFIR
09/26/2023
This week I'm talking about the Linux file system from the point of view of a forensic analyst. In general, it's a good idea to have a solid working knowledge of the Linux file system so you understand what directories hold what artifacts… Or, if you're looking for a specific category of artifact, you at least have an idea of where you may find it. I will cover the home directory this week and break down the typical forensic artifacts you find there…
/episode/index/show/digitalforensicsurvivalpodcast/id/27830166