Book: Incident Response & Computer Forensics 3rd edition

As part of the training I took this year, GCFA, I was given this book together with the course. Thumbs up for the people at SANS again.

I came across this book long before I attended my GCFA training; however, I never bought it, as I believe I did not see the benefit in it at the time. Today, I can say that this is a must-have book in IR and forensics. It goes from defining the IR process and the common pitfalls and how to avoid them, to deep technical chapters covering threat hunting from the perspective of DFIR. The book is indeed very well built, covering hunting in the three different spheres we can hunt in today: network, endpoint and application.

The book is solid in the topics that it covers, and the chapters that I believe are the most interesting are ‘Investigating Windows Systems’, ‘Investigating Applications’ and ‘Malware Triage’.

These three chapters set this book apart from many other incident response books; those are all very solid on topics around incident response and tools, but they fail to explain which artefacts to investigate on Windows systems. This book contains an exhaustive list of artefacts, plus memory forensics and file system analysis.

As a bonus, it also packs a full chapter on how to investigate Mac OS X systems. To sum up, I only see benefits in paying the price of this book if you are into DFIR and threat hunting.

The top 10 Windows log event IDs used to catch hackers

Very interesting presentation by Michael Gough from SecureWorks. It goes through some malware attack examples and the importance of Windows event IDs for their detection. Another must read.

Windows Commands abused by attackers (Japan CERT)

One more interesting article about the most abused commands in Windows. It is a must read if you are interested in endpoint hunting.


Detecting Lateral Movement in APTs by Japan CERT

I am not going to add much to this article; I know it is not very original, but you should go straight into the presentation. It is worth your time if you are looking to understand lateral movement, with examples using Windows event IDs and the Kerberos KDC vulnerability.


Book: Learn about firewall design, Juniper Networks

Mini-book oriented to firewall design. The book explains very well the role that company policy plays when designing the firewall. It is a very easy-to-read, well-written refresher if you are studying firewall design and monitoring. I particularly used it to refresh and get ideas on those indicators that are interesting to monitor in firewalls.

Intrusion Detection with Windows Event IDs

This paper is the best I have ever read on how to build IOCs with Windows Event IDs. I highly recommend reading it; it contains very useful information and some very interesting behavioural examples of attacker activity. If you are looking to enhance detection in your core network, this is the document!