Re: Application Experience and Compatibility feature Tim, Sorry for being a bit vague. I left the question somewhat open ended because I think I have only seen a small subset of what's there to be seen, and
DFIRCON APT Malware and Memory Challenge #DFIRCON DFIRCON APT Malware & Memory Challenge The memory image contains real APT malware launched on a test system. Your job? Find it. The object of our challenge is
Re: Application Experience and Compatibility feature In the example I have shown, it is an exe on a removable disk. I have also tested with files on local drives. Haven't tested with network drives yet! Yogesh
Re: Application Experience and Compatibility feature Troy, in regards to 8.1, can you elaborate on what you have noticed? #curious Tim ... -- Tim Mugherini @bug_bear
Re: Shellbags Forensics: Addressing a Misconception (interpretation, ... Awesome stuff, Dan. Thanks a lot for sharing. Cheers, Stefan. -- Stefan Kelm BFK edv-consulting GmbH
Re: Application Experience and Compatibility feature Excellent research. I have been telling people that they needed to look at the amcache.hve file without being able to go into much detail. The values in the
Shellbags Forensics: Addressing a Misconception (interpretation, tes Hi everyone, Just wanted to pass this along to the list. I posted a write-up on shellbags forensics that covers interpretation, testing, real-world scenarios,
Re: Application Experience and Compatibility feature No network shares on the hive I just grabbed, but all I have under the File key is executables run from removable media (nothing from local volume either), see
Re: Application Experience and Compatibility feature Yogesh, Outstanding research and excellent write-up. I agree with you about the Amcache.hve being a gold mine. Thanks for sharing this. I updated my post to
Re: Application Experience and Compatibility feature OK, here it is, details about the Amcache.hve: http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html I put some time in last night to
The 2014 BSidesNOLA (New Orleans) CFP is now open! We are very happy to announce that the 2nd annual BSides New Orleans will take place near the French Quarter on May 17, 2014 and that the CFP is now open. Last
Re: Application Experience and Compatibility feature One of the most interesting aspects of this artifact, and this will make every malware analyst's eyes gleam, is that in here you can find the SHA-1 hash of the
Re: Application Experience and Compatibility feature Yogesh, The Amcache.hive was one of the remaining artifacts I was going to discuss. I look forward to your write-up. Corey Harrell "Journey Into Incident
Re: Application Experience and Compatibility feature Excellent detailed writeup Corey! I've been investigating a similar artifact on Windows 8, the Amcache.hve file. On a Windows 8 machine, Amcache.hve, a new
Re: Application Experience and Compatibility feature Excellent post Corey! Great info and thank you for sharing your research. Sent from my iPhone Dnardoni@...
Application Experience and Compatibility feature I wanted to share with the list some information about artifacts created by the Application Experience and Compatibility feature. Mandiant has already
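Several replies in the thread above point out that Amcache.hve records the SHA-1 of each executable it has seen run. The block below is an added example, not code from the thread or from the linked write-up: it normalizes the hash value the way Windows stores it in the File entries (four literal "0" characters in front of the 40 hex digits, so the stored value is 44 characters long), compares it with the hash of a file body, and indexes all entries by hash so a list of known-bad hashes can be checked in one pass. It assumes the hive has already been parsed by some registry library and that each entry arrives as a dict with a path and the raw hash string; every entry, path and file body is constructed sample data.

```python
"""Match Amcache.hve File-entry SHA-1 values against files on disk.

Added example, not code from the thread. Assumption: a registry parser has
already read the hive and hands each File entry over as {"path": ..., "sha1": ...},
where "sha1" is the stored string: '0000' followed by 40 hex digits. The
'0000' prefix is padding in the stored value, not part of the hash. All
entries and file bodies below are constructed.
"""
import hashlib
import re
from typing import Dict, List

_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_amcache_sha1(raw: str) -> str:
    """Return the bare lowercase SHA-1 from an Amcache hash value.

    Accepts the 44-character padded form ('0000' + 40 hex) and an already
    bare 40-hex string; anything else raises ValueError.
    """
    value = raw.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    if not _HEX40.match(value):
        raise ValueError(f"not an Amcache SHA-1 value: {raw!r}")
    return value


def sha1_hex(data: bytes) -> str:
    """SHA-1 of a file body, lowercase hex, same form as the normalized value."""
    return hashlib.sha1(data).hexdigest()


def entry_matches_file(entry: Dict[str, str], file_bytes: bytes) -> bool:
    """True when the file body hashes to the SHA-1 Amcache recorded for it.

    Amcache captured the hash when the program was seen running, so a
    mismatch means the file at that path has changed since (or a different
    file now sits there), which is itself worth a line in the timeline.
    """
    return normalize_amcache_sha1(entry["sha1"]) == sha1_hex(file_bytes)


def index_by_hash(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Build sha1 -> [paths] over every entry, so one hash lookup covers the hive."""
    index: Dict[str, List[str]] = {}
    for entry in entries:
        key = normalize_amcache_sha1(entry["sha1"])
        index.setdefault(key, []).append(entry["path"])
    return index


def hits_for(known_bad: List[str], entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return only the known-bad hashes that Amcache says have executed, with their paths."""
    index = index_by_hash(entries)
    hits: Dict[str, List[str]] = {}
    for h in known_bad:
        key = h.strip().lower()
        if key in index:
            hits[key] = index[key]
    return hits


# Constructed samples. SHA-1 of the bytes b"hello" is aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d.
SAMPLE_BODY = b"hello"
SAMPLE_ENTRIES = [
    {"path": r"E:\tools\dropper.exe",             # hypothetical removable-media path
     "sha1": "0000aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"},
    {"path": r"C:\Windows\System32\notepad.exe",   # hypothetical path, constructed hash
     "sha1": "0000" + "1" * 40},
]
KNOWN_BAD = ["AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D", "f" * 40]   # constructed list


def demo() -> Dict[str, object]:
    """Run the checks on the constructed samples and return the results."""
    return {
        "dropper_matches_disk": entry_matches_file(SAMPLE_ENTRIES[0], SAMPLE_BODY),
        "dropper_matches_modified": entry_matches_file(SAMPLE_ENTRIES[0], SAMPLE_BODY + b"!"),
        "known_bad_hits": hits_for(KNOWN_BAD, SAMPLE_ENTRIES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Feed `hits_for` the hash list from your IOC set and the entries from the parsed hive; because the index is keyed on the normalized hash, mixed-case or padded input on either side still matches.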
Re: Win 8 registry SAM Good point. Note, too, that logging on locally makes no difference with respect to the SAM. I didn’t check any events to see whether they’re created in
Re: Win 8 registry SAM ... That, and you can use data seen in a timeline to approximate that the user account had been used to log in to the system. Also:
Re: Win 8 registry SAM I've been looking at win8 registries and have noticed this too. The timestamp for last logon is simply zeroed out in the SAM F file. I am inclined to believe
Win 8 registry SAM My last blog post (soon to be updated), described Win 8, MS Account users. As a "heads up" for those who don't care about hacking these accounts in VMware, be
Re: Perl script artifacts Bobby, Can you perhaps share some perspective with respect to the context surrounding why you're looking for Perl scripts in particular? My first thought is
Re: Perl script artifacts Andrew, Very good suggestions...one question. ... What would one look for? ... A few things pop out: -- Does the disk have a hibernation file? Memory analysis
Re: Perl script artifacts Yes, there are definitely ways to run scripts w/o it, but programmers are creatures of habit as are we all ;) Robin Jackson Security+, CISSP, ITIL (406)
Re: Perl script artifacts That'd depend on the context of the writing of the perl script, since perl scripts need not have the hashbang to run ("perl myscript.pl" or even "perl
Re: Perl script artifacts Don't know if you thought about it, but every Perl script usually starts with #!/usr/bin/perl or an equivalent string pointing to the path of the perl binary.
Re: Perl script artifacts Thank you all for the responses: Unfortunately, the first responder executed the old play book of pulling the plug before volatile memory could be captured.
Re: Perl script artifacts Do you have a memory image? If so you could see command line activity from the command prompt by using volatility and the cmdscan and consoles plugins Dave
Re: Perl script artifacts A few things pop out: -- Does the disk have a hibernation file? Memory analysis could be really useful here to look for signs of perl.exe invocations. I can
Perl script artifacts I'm examining a Windows 7 image for evidence of Perl scripts being run and possible data exfiltration. I've got a target date to narrow down the timeline, but
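The Perl thread above offers two kinds of lead: the #!/usr/bin/perl shebang (with the caveat that a script run as "perl myscript.pl" needs none), and interpreter invocations recoverable from memory via the cmdscan and consoles plugins or from a hibernation file. The block below is an added example, not code from the thread: it flags recovered file contents by shebang or by Perl idioms in the body, and filters command-line strings for perl/perl.exe invocations. Regexes, paths and all sample contents and console strings are constructed for illustration.

```python
"""Flag Perl artifacts in recovered file contents and in strings from memory.

Added example, not code from the thread. Two independent signals, because a
script launched as 'perl script.pl' needs no shebang:
  1. a first line of the form '#!...perl' (Unix path, 'env perl', or a
     Windows 'perl.exe' path);
  2. interpreter invocations in command-line text, the kind of fragment the
     cmdscan/consoles plugins or strings from a hibernation file would yield.
A third, weaker signal looks for idiomatic Perl in the body. All sample
contents and strings below are constructed.
"""
import re
from typing import Dict, List

# '#!' followed by anything, then 'perl' or 'perl.exe' as a whole word.
SHEBANG_RE = re.compile(r"^#![^\r\n]*\bperl(?:\.exe)?\b", re.IGNORECASE)
# 'perl' / 'perl.exe', optional switches, then a .pl file, a path, or an inline -e program.
INVOCATION_RE = re.compile(
    r"\bperl(?:\.exe)?\s+(?:-\S+\s+)*(?:\S+\.pl\b|(?:[a-z]:)?[\\/]\S+|-e\b)",
    re.IGNORECASE,
)
# Idioms that rarely appear at line start outside Perl source.
PERL_BODY_RE = re.compile(r"^\s*(?:use strict;|use warnings;|my\s+[\$@%]\w+)", re.MULTILINE)


def classify_content(content: str) -> List[str]:
    """Return the reasons a blob looks like a Perl script (empty list if none)."""
    reasons: List[str] = []
    first_line = content.split("\n", 1)[0].rstrip("\r")
    if SHEBANG_RE.match(first_line):
        reasons.append("perl shebang")
    if PERL_BODY_RE.search(content):
        reasons.append("perl idioms in body")
    return reasons


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """path -> reasons, for the files that tripped at least one signal."""
    flagged: Dict[str, List[str]] = {}
    for path, content in files.items():
        reasons = classify_content(content)
        if reasons:
            flagged[path] = reasons
    return flagged


def find_perl_invocations(lines: List[str]) -> List[str]:
    """Keep the command-line strings that launch the interpreter."""
    return [s for s in lines if INVOCATION_RE.search(s)]


# Constructed sample data: file contents as a carver or file-system walk would return them.
SAMPLE_FILES = {
    r"C:\Users\alice\Desktop\sync.pl": "#!/usr/bin/perl\nuse strict;\nprint qq(ok);\n",
    r"C:\Temp\x": "use strict;\nuse warnings;\nmy $h = 'x';\n",      # no shebang, no .pl extension
    r"C:\Temp\run.sh": "#!/bin/sh\necho hi\n",
    r"C:\Temp\tool.py": "#!/usr/bin/env python\nprint('hi')\n",
    r"C:\Temp\w.pl": "#!C:\\Perl\\bin\\perl.exe\nprint 1;\n",
}
# Constructed strings standing in for console-buffer output.
SAMPLE_CONSOLE_STRINGS = [
    r"C:\Users\alice>perl C:\Temp\x -host 10.0.0.5",
    r"C:\Users\alice>perl.exe -w sync.pl",
    r'C:\Users\alice>perl -e "print 1"',
    r"C:\Users\alice>notepad report.txt",
    "properly formatted text",
]


if __name__ == "__main__":
    for path, reasons in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(reasons)}")
    for line in find_perl_invocations(SAMPLE_CONSOLE_STRINGS):
        print(f"invocation: {line}")
```

The extensionless `C:\Temp\x` is the case the thread warns about: no shebang and no .pl name, so it is caught only by the body idioms and by the console line that invoked it. Run `find_perl_invocations` over the text output of cmdscan/consoles or of strings against the hibernation file, and `scan_files` over whatever the timeline narrows down.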
Re: ASCII in page file Thanks again, Yogesh. Now it makes perfect sense. Jimmy MT DCI From: firstname.lastname@example.org [mailto:email@example.com] On Behalf Of Yo Y Sent: Tuesday,