Analysis Notes

A place for notes on malware analysis I have tried and on things that seem useful for analysis. This site uses Google Analytics.

4n6 Week 42 – 2023 - MISCELLANEOUS

This entry was generated and posted automatically to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

MISCELLANEOUS

Anton Chuvakin

How to Banish Heroes from Your SOC? Anton Chuvakin · Published in Anton on Security · 3 min read · 2 days ago. This blog was born from two parents: my never-finished blog on why relying on heroism in a Security Operations Center (SOC) is bad and Phil Venables’ “superb+” blog titled “Delivering Security at Scale: From Artisanal to Industrial.” BTW, what is heroism? Isn’t that a good thing? Well, an ancient SRE deck defines “IT heroism” as relying on “individuals taking upon themselves to m...

Atola Technologies

Atola Technology. Fast forensic imaging. Even with bad drives. Published Oct 9, 2023. Hi there! 🖐 Welcome back to Plug, Image, Repeat, the monthly newsletter where we share practical tips and tricks to help you use our imagers efficiently. We're delighted to have you with us. In our extensive experience of dealing with damaged drives, we've seen countless types of damage. Some of them require physical (PCB, motor issues) or firmware repair. However, we s...

Jonathan Tanner at Barracuda

Oct. 12, 2023 | Jonathan Tanner. Malware authors are human, and humans sometimes make mistakes. Ransomware authors sometimes make mistakes that prevent the data from being decrypted when a ransom is paid, or sometimes there is no intention of ever restoring the data. Malware that renders data unrecoverable is referred to as wiperware and may come in the form of miscoded ransomware, malware masquerading as ransomware, or simply destroy the files without ...

Belkasoft

Introduction The surge in volumes of data stored by digital devices has created a headache for forensic examiners—too many devices piling up due to limited resources available in digital forensic labs. The core problem? A shortage of space to store evidence and insufficient computing resources to efficiently process it. However, there is a smart solution already making waves in other sectors. It involves moving a Digital Forensics and Incident Response (DFIR) lab to the cloud. This shift simplif...

Binary Defense

James Schweitzer at Corelight

How to Configure the Corelight App for Splunk Configuring the CIM is as easy as clicking the “Apps” drop-down menu and then selecting “Manage Apps”. Next, select “Setup” from the Splunk Common Information Model app under the action column. You will be presented with a UI for each of the data models. In this example we have configured acceleration and an index whitelist. Download the Corelight for Splunk and Splunk CIM apps and see for yourself how easy it is to get Corelight data into Splunk and...

Dirk-jan Mollema

11 minute read In Microsoft Entra ID (formerly Azure AD, in this blog referred to as “Azure AD”), there are different types of OAuth tokens. The most powerful token is a Primary Refresh Token, which is linked to a user’s device and can be used to sign in to any Entra ID connected application and web site. In phishing scenarios, especially those that abuse legit OAuth flows such as device code phishing, the resulting tokens are often less powerful tokens that are limited in scope or usage methods...

Tim Helming at DomainTools

Doug Burks at Security Onion

We've been offering our Security Onion documentation in book form on Amazon for a few years and it's now been updated for Security Onion 2.4! Thanks to Richard Bejtlich for writing the inspiring foreword! Proceeds go to the Rural Technology Fund! This edition has been updated for Security Onion 2.4 and includes a 20% discount code for our on-demand training and certification! It is also the first edition of our book that is in FULL COLOR! This book covers the following Security Onion topics: First Ti...

Doug Metz at Baker Street Forensics

Baker Street Forensics joins the Fediverse. Just about a year ago I switched my default social platform of choice to Mastodon and created an account at Infosec.Exchange. If you’d like to follow me there directly, here is my profile. What’s the Fediverse? In short, it’s a network of networks, without a central control, using open standards to communicate. Baker Street Forensics join...

Fabian Mendoza at AboutDFIR

AboutDFIR Site Content Update – 10/13/2023. By Fabian Mendoza, October 13, 2023 / October 14, 2023. Tools & Artifacts – Windows – new entries added – Intrusion Analysis – Windows Artifacts For Intrusion Analysis: A Treasure Trove of Evidence, TeraCopy – Introducing TeraLogger, Timeline Analysis – Timeline Creation for Forensic Analysis. Tools & Artifacts – macOS – new entry added – macOS – Sonoma – Sonoma’s log gets briefer and more secretive. Tools & Artifacts – Linux – new entry added – Linux Forens...

Forensic Focus

Plainbit

평기문, October 11, 2023, 6 min read. What is Magnet OUTRIDER? Magnet Outrider is a tool that scans a PC or mobile device to identify and extract specific information, with the goal of quickly triaging the device's contents. Magnet Outrider was developed with an emphasis on speed and simplicity: the items a user wants to collect can be saved as a template, and that configuration can be reused as-is when collecting data from other devices later. Execution screen. >Photo 1< Magnet OUTRIDER execution screen. When the program is run, a screen like >Photo 1< appears. As befits a tool that emphasizes simplicity, the preliminary setup is also very brief. The order is as follows: set the case name; select a scan template; select the evidence. Two or more evidence items can be selected at once, so there is no need for the hassle of running the job several times, and while the templates are not as detailed as those in Magnet AXIOM, they provide enough information to get an overview of the target device. Template ...

안혜송, September 24, 2023, 7 min read. IGNITE is a cloud-based early case assessment tool for incident response investigations. It performs rapid remote scans and endpoint analysis and determines the scope of the incident and the next steps. It can confirm data exfiltration or access to key assets. It can also identify asset misuse and policy violations and classify endpoints on which malicious activity has occurred. IGNITE is supported on Chrome, Firefox and Edge and can be used after logging in with an email address on the website (Magnet IGNITE). You are logged out after a period of inactivity. [Figure 1] Site (Magnet IGNITE). IGNITE collection steps. IGNITE collection consists of three steps (case creation & Agent creation → Agent deployment → collection). While creating the case, select the memory collection and artifacts you want and create an Agent. After deploying the created Agent to the endpoint and running it, collection proceeds automatically. When collection is finished...

Grace Chi at Pulsedive

Peek into Pulsedive's Threat Researcher hiring process from start to finish. We share tips and lessons learned for both job seekers and startups. Grace Chi, Oct 10, 2023 • 10 min read. A peek behind the curtains of Pulsedive's "building the plane in the air" hiring process, with examples and details of each step along the way. If I post, will they come? Before I hit post on Pulsedive’s Threat Researcher consultant listing, I was cautiously optimistic about the response we would get. Little did I kno...

Gerry Johansen at Red Canary

Robin Dimyan

Predictive Defense: How to do cyber crime forecasting with examples. Robindimyan · 10 min read · 3 days ago. Hi everyone, In this article, we will examine how to do forecasts on financially motivated cyber crime with examples. If you haven’t read my previous article on this topic yet, I recommend reading the following one: //medium.com/@robindimyan/trend-forecasting-whats-the-next-big-thing-in-cyber-crime-849494bf15 Before delving into the methodology, let’s examine the basic dynamics of...

Salvation DATA

Others, 2023-10-09. Contents: Introduction; Why Choose SalvationDATA?; Main Products of SalvationDATA; FAQs about SalvationDATA; Conclusion. Introduction. In today’s rapidly evolving digital era, the rise of cybercrimes has become an alarming concern. From data breaches to malicious cyber-attacks, individuals and organizations alike are facing threats on a scale previously unseen. Our reliance...

SANS DFIR

Latest Must-Read Malware Analysis Articles. SANS Digital Forensics and Incident Response. Published Oct 10, 2023. In this blog post, Certified SANS Instructor Anuj Soni presents a curated selection of recent articles that include mal...