Comments feed for the Windows Incident Response blog (feed last updated 2024-03-19T07:46:20-05:00). Comments are listed newest first.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2024-03-07 11:07 -05:00:

"Do you have any insights into the listed exit codes? Would it help us understand the success-rate of the executed software?"

No, I don't...not right now. But this is why I'm looking to use this on a real-world incident, to begin developing that visibility, through a timeline.

"...what does "Fossilization on Windows systems" mean? Are you speaking to the fact that artefacts or evidence might remain for a long time - without being taken advantage of by the investigator?"

Pretty much, yeah.

"Stuff" is written to various locations, based on activity that occurs on endpoints. I once investigated an endpoint based on the detection of malicious activity, and found that about two months prior to the EDR agent being added to the endpoint, the customer had installed Sophos AV along with Hitman Pro, which generated a log entry based on the same file name and path that I'd seen in the recent alert. The Sophos products were subsequently uninstalled, but the records were still available two months later, providing additional insight that allowed us to determine root cause.

This is a different (albeit similar) "fossilization" from what Farmer and Venema discussed in their book.

Azkurken, 2024-03-06 17:04 -05:00:

Great article.

Do you have any insights into the listed exit codes? Would it help us understand the success-rate of the executed software?

Also, what does "Fossilization on Windows systems" mean? Are you speaking to the fact that artefacts or evidence might remain for a long time - without being taken advantage of by the investigator?

Thank you

Anonymous, 2024-02-12 23:13 -05:00:

That looks like the company contact information, not that for the authors of the publication. How do I contact the authors of the publication or leave a comment?

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2024-02-12 07:21 -05:00:

Social media.

The Contact link off of their main web page.

Anonymous, 2024-02-12 00:49 -05:00:

How to contact them? The information you link to has no such information. Where can someone find their contact information?

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2024-02-11 07:12 -05:00:

It might be best to ask the ArsenalRecon folks.

Anonymous, 2024-02-11 00:08 -05:00:

And where are the links for these?

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2024-02-10 06:59 -05:00:

I downloaded the spreadsheet this morning...column N has the download links. I only see about 6 or 7 without download links, where column N is "N/A".

Anonymous, 2024-02-10 04:16 -05:00:

"The folks at ArsenalRecon posted a list of publicly available images" why do a large number of these images have no download link? Are these not public?

Brett Shavers (https://www.blogger.com/profile/08207321430604828713), 2024-01-20 13:07 -05:00:

"So, what? Who cares? What are the benefits of understanding human behavior rendered via digital forensics? Why does it even matter?"

The end client (prosecutor, attorney, C-level execs, etc...) probably cares or should care.

It is one thing to recover data and describe an event. It takes quite another skill to articulate the event's who/what/where/when/why/how that tells more than just the event, but gives the human element too.

The most effective examiner is one who can see the case both as a whole and in detail, and in being able to articulate everything that happened as if s/he had been there watching the event happen in real-time. This makes for the most effective witness who can make the audience feel as if they were also there.

An investigated event (aka: case) makes decision-making for the decision-makers much easier, whether it be in a courtroom or in a conference room.

Some do this already. Most neglect it. Many don't even know what they don't know about it.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2024-01-11 07:15 -05:00:

I have to agree with you, Brett.

IMHO, in most instances I've seen, data isn't so much "interpreted" as it is "reported".

When there is interpretation of data, it's most often the analyst finding data staging (threat actor collecting files and creating an archive), but stating in the report that "data exfiltration" occurred, even with no direct evidence of the data actually leaving the endpoint.

Brett Shavers (https://www.blogger.com/profile/08207321430604828713), 2024-01-11 00:22 -05:00:

Most tend to choose the path of least resistance in life and work. Paying (in time and money) for a technical course is easy if the software does a good job because it requires less thinking.

Looking at the human aspect, aka "investigating the human actor", requires making assumptions, guesses, theories, inferences, critical thinking, making mistakes, taking risks in decisions, admitting mistakes, taking responsibility for outcomes (ie: accusations!), and knowing how to investigate. That is a lot of work that you can't get from a book or a tool-focused class.

The sexy part of DFIR is using the tools. It is not report writing, testifying, presenting, or trying to identify the actor through a conviction if necessary. Tools are a necessary part of DFIR (can't build a house without a hammer...).

But, the technical work in DFIR is maybe 50% of the job. Those who focus only on the technical side will only be 50% effective compared to a competitor/peer/opposing expert/adversary who spends an equal amount of effort on the human aspect.

In practice, once you are competent in the human aspect, cases are easier to work because you can observe what happened, not just interpret data.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2024-01-10 16:34 -05:00:

Chris,

> I think this is primarily due to the current market appetite won't sustain this increased level of scrutiny -

That's an interesting perspective...can you elaborate?

Thanks!

cepogue (https://www.blogger.com/profile/15373293682953028712), 2024-01-10 15:34 -05:00:

Really compelling, Harlan. Like you, I have been interested in the human element of cybersecurity and DFIR for years, but also like you, I have seen little in the way of market traction. I think this is primarily due to the current market appetite won't sustain this increased level of scrutiny - unless of course there is a way to monetize it.

To Brett's point, tool usage continues to be given too much attention while thinking through the nuance of a case, and trying to see how it connects to other cases, or other threat actor groups or other campaigns, gets far too little.

I think another aspect that we have to talk about in the same vein is communication skills. Being able to clearly and succinctly articulate what you did, why you did it, why it's important to the case, and why anyone should care is an equally uncommon skill.

I think if we can start at least talking about it, and making it part of the DFIR lexicon, we can begin the process of turning the battleship with a boat oar. I don't anticipate it changing anytime soon, but it's at least a start.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2024-01-07 07:56 -05:00:

No kidding, right?

For me, it was, "...file this one away, we'll see what the data says...".

Funny thing is, the threat actor proved the admin wrong before I even had a chance to look...

Brett Shavers, 2024-01-07 07:52 -05:00:

Every strange unsolicited statement from a client (or suspect or computer user) is a clue where to start looking.

“Nothing in my trunk, Officer. No need to look there..”

Brett Shavers (https://www.blogger.com/profile/08207321430604828713), 2024-01-06 08:12 -05:00:

When one doesn't know what they need to know, they will never seek it out, even if it is the missing piece of their competence puzzle.

The DFIR toolbox of hardware and software gives us a false impression that this is all that we need to work a case/incident. We know the buttons to push/scripts to write, and therefore, we know DFIR.

Many in the field simply run the tools with default settings, never question the output, and think that it was a good job.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2024-01-06 07:39 -05:00:

Brett,

Thanks for the comment. This is an area I've been interested in for some time, but it just doesn't seem to get much traction.

Even if "profiling" is too formalized a word...after all, look what it takes for an FBI agent to be a certified profiler...even just looking at the totality of data and gaining insights into the threat actor's activities is a valuable outcome.

Or, perhaps, more valuable to some than others.

For example, maybe the reason this sort of thing isn't done is because there's no appetite for it...not from the analyst (to get the training to do it), nor from the end "customer".

Brett Shavers (https://brettshavers.com/entry/dfir-is-a-mindset-not-a-skillset), 2024-01-05 17:54 -05:00:

I have felt this to be the most ignored aspect in the DFIR field. We tend to focus our efforts on analysis of data and not the person behind that data. Vendors train tool usage (appropriately so). College programs teach to technology. Few teach investigation and the investigative mindset (of which profiling is part).

It’s funny, but you’d be hard pressed to find this taught at police academies..detectives most always learn through experience, because the training is scarce.

IMHO, if one in DFIR does not take the human aspect with an investigative mindset into account with every ‘data analysis’, they are only 75% (at best) effective in that case.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2023-10-14 10:52 -05:00:

Happy to help.

I'm sorry you were given bad information.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2023-10-14 10:51 -05:00:

Again, go back to whomever provided that to you...it doesn't seem legit.

The RegRipper I wrote does NOT parse XML files, and I never wrote a "lastwrite" plugin.

Anonymous, 2023-10-14 10:50 -05:00:

I see, thank you so much. I appreciate the quick response and clarification! Thought I was going in circles and that explains why.

Anonymous, 2023-10-14 10:49 -05:00:

Additional information I was provided: Use RegRipper to analyze the provided registry file as follows:

./rip.pl -r HKEY_CURRENT_USER.reg.xml -p lastwrite

Note: This command instructs RegRipper to analyze the "HKEY_CURRENT_USER.reg.xml" file and extract information related to the "lastwrite" time, which can provide insights into the last actions performed in the registry.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2023-10-14 10:49 -05:00:

RegRipper doesn't parse XML files...at least, not the one I wrote and maintain.

Also, I don't think I ever wrote a "lastwrite" plugin.

Maybe go back to whomever gave you that command line and ask them...I honestly have no idea where that command line came from.

Anonymous, 2023-10-14 10:46 -05:00:

I was given this - ./rip.pl -r HKEY_CURRENT_USER.reg.xml -p lastwrite - to run as part of the challenge, and Linux returns that what it calls the lastwrite.pl is not available.