Blogspot - windowsir.blogspot.com - Windows Incident Response
General Information:
Latest News:
HowTo: Investigate an Online Banking Fraud Incident 23 Jul 2013 | 06:36 pm
A recent comment over on Google Plus caught my attention, and I thought it was important enough to incorporate into a HowTo post. The comment was made with respect to the HowTo: Detecting Persistence...
HowTo: Determine/Detect the use of Anti-Forensics Techniques 23 Jul 2013 | 04:25 pm
The use of anti-forensics techniques to hide malicious activity (malware installation, intrusion, data theft, etc.) can be something of a concern during an examination; in fact, in some cases, it's si...
HowTo: Add Intelligence to Analysis Processes 22 Jul 2013 | 06:38 pm
How many times do we launch a tool to parse some data, and then sit there looking at the output, wondering how someone would see something "suspicious" or "malicious" in the output? How many times do...
HowTos 18 Jul 2013 | 08:29 pm
I've offered up a number of HowTo blog posts thus far, and hopefully DFIR folks out there have found use in them. In the comments of one of the posts, a reader offered up a list of proposed some HowT...
HowTo: Data Exfiltration 18 Jul 2013 | 05:18 pm
One of the questions I see time and again, in forums as well as from customers, is "what data was taken from the system?" Sometimes, an organization will find out what data was taken when they get a ...
HowTo: Detecting Persistence Mechanisms 15 Jul 2013 | 09:01 pm
This post is about actually detecting persistence mechanisms...not querying them, but detecting them. There's a difference between querying known persistence mechanisms, and detecting previously unkn...
HowTo: Malware Detection, pt I 15 Jul 2013 | 07:25 pm
Many times we'll come across a case where we need to determine the presence of malware on a system. As many of us are aware, AV products don't always work the way we hope they would...they don't prov...
Programming and DFIR 11 Jul 2013 | 06:24 pm
I was browsing through an online list recently and I came across an older post that I'd written, that had to do with tools. In it, I'd made the statement, "Tweaked my browser history parser to add ot...
HowTo: Track Lateral Movement 10 Jul 2013 | 07:53 pm
A reader recently commented and asked that the topic of scoping an incident and tracking lateral movement be addressed. I've performed incident response for some time and been involved in a wide vari...
HowTo: Determine User Access To Files 8 Jul 2013 | 06:35 pm
Sometimes during an examination, it is important for the analyst to determine files that the user may have accessed, or at least had knowledge of. There are a number of artifacts that can be used to ...
