Mastodon Chapril

14 messages9 participants2 messages aujourd’hui

13reak :fedora:<a href="https://infosec.exchange/@chrissanders88" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@chrissanders88</a> Getting the volatile data first with velociraptor Windows.System.DLLs. (Maybe the dll is still loaded)Then of course, getting the dll from the file system. Maybe dumping it in a sandbox /checking the hash on virus total.Otherwise evidence of execution. I think e.g. AppCompatCache also lists dlls.<a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/velociraptor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#velociraptor</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎The process explorer.exe spawned rundll32.exe on a system on your network.What do you look for to investigate whether an incident occurred?Assume you have access to whatever digital evidence source you need.<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Alexis Brignoni :python: :donor:Sadly some actually do 😬<a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/MobileForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MobileForensics</a>

The DFIR ReportPassionate about Digital Forensics and Incident Response? Want to share your expertise with the security community while collaborating with talented analysts worldwide?We're looking for volunteer analysts to join the team! We dive deep into real-world threats and publish monthly public reports detailing threat actor TTPs and how they achieve their goals.As part of the team, you will:➡️Analyze intrusion data and contribute to impactful DFIR reports. ➡️Help shape how we share findings 📄🎨 ➡️Collaborate with and learn from amazing analysts across the globe. ➡️Access our internal group to ask questions, share insights, and improve processes. 🧠 ➡️ Have the unique opportunity to present our collective findings at security conferences and talks! 🎤Ready to join the team? Follow the process ➡️ <a href="https://github.com/The-DFIR-Report/DFIR-Artifacts" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/The-DFIR-Report/DFIR-Artifacts</a><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://infosec.exchange/tags/IncidentResponse" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IncidentResponse</a> <a href="https://infosec.exchange/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntelligence</a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a>

Resilience Theatre @38C3RaspberryPi Zero2w serves whole world and terrain from 256 GB MicroSD card. Pictured white box contains RPi and creates wifi access point. Phone attached to AP and browser allows you to browse full world map. No need for Internet connectivity or SIM card in you phone. Perfect tool for preparedness and denied area planning. <a href="https://youtube.com/shorts/TAY2yY8TAoY?si=Xg8AUInWEFspJsMe" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://youtube.com/shorts/TAY2yY8TAoY?si=Xg8AUInWEFspJsMe</a><a href="https://infosec.exchange/tags/edgemap" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#edgemap</a> <a href="https://infosec.exchange/tags/prepping" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#prepping</a> <a href="https://infosec.exchange/tags/redetam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#redetam</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/deniedarea" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#deniedarea</a> <a href="https://infosec.exchange/tags/opsec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#opsec</a> <a href="https://infosec.exchange/tags/offline" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#offline</a>

Alexis Brignoni :python: :donor:"Good work is done with dignity, and there is no dignity in rushing." <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://infosec.exchange/tags/Mobile" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Mobile</a> Forensics

brettshaversWe are all screw-ups in DF/IR (at some point or many points in our career!). <a href="https://www.linkedin.com/pulse/mistake-error-misconduct-brett-shavers-kfbvf" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.linkedin.com/pulse/mistake-error-misconduct-brett-shavers-kfbvf</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a>

Terryn :unverified:Why Learning Through Books is Key in Cybersecurity📚 Types of Books ☯️ The Tao of Books 🏫 Other Sources of Information<a href="https://chocolatecoat4n6.com/2025/04/09/why-learning-through-books-is-key-in-cybersecurity/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://chocolatecoat4n6.com/2025/04/09/why-learning-through-books-is-key-in-cybersecurity/</a><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/books" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#books</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a>

Alexis Brignoni :python: :donor:LevelDB is one of the most underrated and under utilized data sources. Excellent article by Alex Caithness from CCL Solutions Group on LevelDB and its importance: <a href="https://www.cclsolutionsgroup.com/post/hang-on-thats-not-sqlite-chrome-electron-and-leveldb" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.cclsolutionsgroup.com/post/hang-on-thats-not-sqlite-chrome-electron-and-leveldb</a><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://infosec.exchange/tags/MobileForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MobileForensics</a>

Alexis Brignoni :python: :donor:How to install and run <a href="https://infosec.exchange/tags/iLEAPP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iLEAPP</a> on your computer or using the Atrio MK II from Arcpoint Forensics.<a href="https://www.arcpointforensics.com/news-1/ileapp" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.arcpointforensics.com/news-1/ileapp</a><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://infosec.exchange/tags/MobileForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MobileForensics</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎A user reports that all the files in their documents/desktop folders are gone after returning to the office on Monday. They swear they didn’t delete them.What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Alexis Brignoni :python: :donor:🏦 From the meme vault<a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/MobileForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MobileForensics</a>

Jessica HydeCheck out our first episode of the <a href="https://infosec.exchange/tags/TruthInData" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TruthInData</a> podcast! Our topic this week: Evidence Gone: The Perils of Delayed Mobile Acquisition <a href="https://youtu.be/vb0G-uLvwMM?si=C6JDr9UI046J5R__" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://youtu.be/vb0G-uLvwMM?si=C6JDr9UI046J5R__</a>With Debbie Garner & Kim Bradley <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a>

The DFIR Report“In this specific case, thanks to the capabilities of Sysmon, and particularly Event ID 22, we can easily gain insight into the subdomains that were used. For this case we observed TXT records being utilized for C2 communication rather than MX records. This can be identified by the "type: 16" in the Sysmon logs seen above. Below is a sample list that, while not exhaustive, provides a clear example of the traffic patterns:”The above is from a recent Private Threat Brief: "A MadMXShell Encore" Services: <a href="https://thedfirreport.com/services/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://thedfirreport.com/services/</a> Contact Us: <a href="https://thedfirreport.com/contact/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://thedfirreport.com/contact/</a><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/IncidentResponse" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IncidentResponse</a> <a href="https://infosec.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BlueTeam</a> <a href="https://infosec.exchange/tags/cti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cti</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a>

Jessica HydeSo excited to collab with Debbie Garner and Kim Bradley on the <a href="https://infosec.exchange/tags/TruthInData" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TruthInData</a> podcast to bring a weekly deep dive into a different digital forensic topic each week! Subscribe to the Hexordia YouTube channel and never miss the conversation. <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://youtube.com/@hexordia" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://youtube.com/@hexordia</a>

Alexis Brignoni :python: :donor:Current <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iOS</a> extraction order of volatility to mitigate log wiping by <a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> tools:0) Extract iOS Sysdiagnose/Unified logs from the device. 1) Conduct a full file system extraction.<a href="https://infosec.exchange/tags/VendorsNeedToAdress" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#VendorsNeedToAdress</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/MobileForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MobileForensics</a>

cyb_detectiveDIGITAL FORENSICS GUIDELong and detailed guide for beginners:- Digital Forensics Tools, Libraries, and Frameworks- Virtualization- File systems- Security Tools and Frameworks- Networking<a href="https://github.com/mikeroyal/Digital-Forensics-Guide" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/mikeroyal/Digital-Forensics-Guide</a>Contributor x.com/MikeR256 <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a>

Alexis Brignoni :python: :donor:0) IYKYK 1) The order of volatility is important and changes with time. 2) Preservation is foundational.<a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#iOS</a> <a href="https://infosec.exchange/tags/MobileForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MobileForensics</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a>

Alexis Brignoni :python: :donor:The buttons have to be pressed but that is just the start, not the end.Trust no tool. Thinking is a non optional requirement.Great read: <a href="https://www.dutchosintguy.com/post/the-slow-collapse-of-critical-thinking-in-osint-due-to-ai" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.dutchosintguy.com/post/the-slow-collapse-of-critical-thinking-in-osint-due-to-ai</a><a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://infosec.exchange/tags/MobileForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MobileForensics</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a>

Alexis Brignoni :python: :donor:It's all about how you articulate the situation.<a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/MobileForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MobileForensics</a>

Recherches récentes

Options de recherche

Administré par :

Statistiques du serveur :

#dfir