As a computer forensic practitioner, I often find myself scouring the internet looking for that tidbit of information that is relevant to my case. I generally find many different sites with either extremely technical information that I don’t have time to learn or information that is somewhat useful but has little relevance to computer forensic practices.
While it’s fun to get into the technical aspects of a topic, often we are just looking for a push in the right direction to get the job done. These blogs are written with this in mind, hoping to strike a balance in providing the information in a useful and usable way but with enough technical information to support the conclusions or concepts.
|Posted by M. Gene Shantz on September 8, 2016 at 7:00 PM||comments (723)|
During an incident response engagement, it is common to find the original malware that wreaked havoc in the network was deleted as part of the anti-forensics built into the code or by an over eager first responder. To make matters worse, the deleted malware is often overwritten by the time the IR team gets on site, which can make it difficult to collect and reverse engineer the code to identify Indicators of Compromise (IOCs). However, sometimes we can get lucky and one or more workstations w...Read Full Post »
|Posted by M. Gene Shantz on December 30, 2015 at 4:05 PM||comments (54)|
I have come across the executable “net.exe” several times during engagments and heard it referred to as a tool commonly used by nefarious intruders to do bad things in a network. So I decided that it would make a good forensic topic.
For those of us who do not come from an IT background, learning and understand that intruders can and will often use IT administrative tools that are already in the environment they are compromising is important for us to be able to ...Read Full Post »
|Posted by M. Gene Shantz on December 29, 2015 at 6:45 PM||comments (47)|
Recently during an engagement, I encountered Linux Unified Key Setup (LUKS), a partition encryption method used in various versions of Linux. Some companies require PGP full disk encryption for their Windows workstations and LUKS is the Linux alternative to maintaining the company encryption policies for those that allow Linux workstations.
This Blog is not to tell you how LUKS works but to explain the way to deal with it should you come across it du...Read Full Post »