Memory Forensics with Vshot and Remnux (rogue process identification,2)

We start this post where we left the first one, we are moving now into the analysis phase once we have parsed the memory dump with Volatility and the Vshot script included in Remnux. The current script version 4.01 is running 44 plugins against the memory dump. Let's have a quick look at the plugins … Continue reading Memory Forensics with Vshot and Remnux (rogue process identification,2)

Memory Forensics with Vshot and Remnux (1)

This is a series of posts in which I am going to quickly explain some basic theory around memory forensics and how to hunt your attacker once he has been identified inside your network. I am also going to alleviate the burden of extracting information from your endpoint memory dump with the Vshot script which … Continue reading Memory Forensics with Vshot and Remnux (1)

Book: Android Malware and Analysis by Ken Dunham.

I needed  to get an intro to Android Malware Analysis and some of the tools you can use for Analysis. This books is very easy to read and provides a good foundation to start doing Android Malware Analysis. It covers current malware landscape until 2014 an existing techniques and tools in static and dynamic analysis. … Continue reading Book: Android Malware and Analysis by Ken Dunham.

Hunting down Threat Infrastructure (2, with PassiveTotal)

It's been a while since I wrote the first post on Threat infrastructure and I believe it will be beneficial for you to first go through it, if you have not done it yet. This will set the context to understand the issues we are trying to solve here. The first post explained how attackers … Continue reading Hunting down Threat Infrastructure (2, with PassiveTotal)

Book: Incident Response & Computer Forensics 3rd edition

As part of the training I took this year, GCFA ( https://www.sans.org/course/advanced-incident-response-threat-hunting-training) I was given this book together with the course. Thumbs up for the people at SANS again. I came across this book, a lot before I attended my GCFA training however I never bought it, I believe I did not see benefits in it … Continue reading Book: Incident Response & Computer Forensics 3rd edition

Lateral Movement Artefacts

This is a very good and extensive list of lateral movement artefacts by Patrick Olsen. His blog in general is also very good to find DFIR resources. http://sysforensics.org/2014/01/lateral-movement/

The top 10 windows logs event’s used to catch hackers

Very interesting presentation by Michael Gough from SecureWorks. It goes through some malware attack examples and the importance of the windows event id's for their detection. Another must read. http://www.slideshare.net/Hackerhurricane/the-top-10-windows-logs-event-ids-used-v10