As part of my Cyber SOC GitHub repo I’ve put together lots of resources to try and help people with … Continue reading Business Email Compromise Check List| PwnDefend
If you are a victim of unauthorised mailbox access and/or attempted fraud via mailbox compromise (BEC) then you know … Continue reading Business Email Compromise: Impact Assessment| PwnDefend
When a suspected email mailbox compromise is reported, initiating an investigation promptly is critical. However, to ensure the investigation is effective, certain minimum intelligence requirements must be met. This blog outlines the bare minimum data needed to start investigating a suspected email mailbox compromise, whether the intelligence comes from an internal team or a third-party source.| PwnDefend
Over the past few years, we have had the opportunity to conduct several Purple Teaming exercises together with our customers. Some of the customers have their own Blue Team, others use an external provider for this service. Sometimes it is a mix, where an external company supports the internal Blue Team in its daily tasks.| blog.compass-security.com
In my previous blog post I demonstrated a method for persisting a Linux LKM rootkit across reboots by leveraging systemd-modules-load. For this method to work, we needed to add the evil module into the /usr/lib/modules/$(uname -r) directory and then run depmod. As I pointed out in the article, while the LKM could hide the module… Continue reading A Little More on LKM Persistence→| Righteous IT
Author: Guus Beckers Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. Since then it has been adopted by many different companies in their regul…| Fox-IT International blog
Some thoughts on how to persist your Linux LKM rootkits and some ideas for detection.… Continue reading Linux LKM Persistence→| Righteous IT
Hello again, this one took some time to release, but I hope it helps! iCloud Shared Photo Library (SPL) was introduced during WWDC 2022 as a new feature within iOS 16. Since that time, there have been several articles and how-to videos regarding setting up and using iCloud Shared Photo Library, but I am not… Continue reading "iCloud Shared Photo Library: Forensic Artifacts Explained"| The Forensic Scooter
The actual largest date that can be represented in an EXT4 file system is 2446-05-10 22:38:55. Curious about why? Read on for a breakdown of how EXT4 timestamps are encoded, or skip ahead to “…| Righteous IT
While I haven’t been happy about Systemd’s continued encroachment into the Linux operating system, I will say that the Systemd journal is generally an upgrade over traditional Syslog. We’ve reached the point where some newer distributions are starting to forgo Syslog and traditional Syslog-style logs altogether. The challenge for DFIR professionals is that the Systemd… Continue reading Systemd Journal and journalctl→| Righteous IT
Lately I’ve been thinking about Stephan Berger’s recent blog post on hiding Linux processes with bind mounts. Bottom line here is that if you have an evil process you want to hide, use a bind mount to mount a different directory on top of the /proc/PID directory for the evil process. In the original article,… Continue reading Hiding Linux Processes with Bind Mounts→| Righteous IT
In my earlier write-ups on XFS, I noted that when a file is deleted: This combination of factors should make it straightforward to recover deleted files. Let’s see if we can document this recovery process, shall we? For this example, I created a directory containing 100 JPEG images and then deleted 10 images from the… Continue reading Recovering Deleted Files in XFS→| Righteous IT
In my last blog post, I covered Systemd timers and some of the forensic artifacts associated with them. I’m also a fan of Thiago Canozzo Lahr’s UAC tool for collecting artifacts during incident response. So I wanted to add the Systemd timer artifacts covered in my blog post to UAC. And it occurred to me… Continue reading Working With UAC→| Righteous IT
"You know what Linux needs? Another task scheduling system!" said nobody ever. Important Artifacts: command output; file locations; also Syslog logs sent to the LOG_CRON facility. The Basics: If you’ve been busy trying to get actual work done on your Linux systems, you may have missed the fact that Systemd continues its ongoing scope creep and… Continue reading Systemd Timers→| Righteous IT
This update addresses a question regarding the correlation between Shared with You assets and conversation identifiers in the Apple iOS Photos.sqlite ZGENERICALBUM table. Through testing and resear…| The Forensic Scooter
This post provides an update on Local Photo Library (LPL) Photos.sqlite decoding in response to a DFIR Discord community member question. The update covers artifacts related to data transfer betwee…| The Forensic Scooter
A new employee gets a call from the “IT department”, who is actually a malicious actor. They get a TeamViewer connection and launch a Merlin C2 agent. I’ll see through the logs the processes it runs, where Defender catches it, and how it tries to mess with forensics by constantly changing the system time.| 0xdf hacks stuff
Knock Knock is a Sherlock from HackTheBox that provides a PCAP for a ransomware incident. I’ll find where the attacker uses a password spray to compromise a publicly facing FTP server. In there, the attacker finds a configuration file for a port-knocking setup, and uses that to get access to an internal FTP server. On that server, they find lots of documents, including a reference to secrets on the company GitHub page. In that repo, the attacker found SSH creds, and used an SSH session to d...| 0xdf hacks stuff
Overview I recently attended the awesome SANS DFIR, Mac and iOS Forensics and Incident Response course with Sarah Edwards. This has obviously given me lots of great inspiration on how to negotiate …| Salt Forensics
If you’ve been working in Digital Forensics or Incident Response in Australia then you should be aware of the new legislation relating to notifiable data breaches by the Office of the Austral…| Salt Forensics
We are proud and excited to announce the availability of TheHive v4.1.0. This release is the new beginning of TheHive’s future, because all the upcoming features and enhancements will be based…| TheHive Project
Dear TheHive and Cortex users, If you are running TheHive v3.5.0 and / or Cortex v3.1.0, the underlying database is Elasticsearch v7.x. Elastic recently released two new versions: v7.11.0 and v7.11…| TheHive Project
Hello everyone! During previous research, I’ve mentioned a few times that my test devices were using the Apple Photos application setting Optimize iPhone Storage in lieu of Download and Keep Origin…| The Forensic Scooter
The Shared with You is a new feature that has been discussed within Apple Worldwide Developers Conference (WWDC) videos and other developer videos. Generally, the comments made indicate that within…| The Forensic Scooter