AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

AboutDFIR Blog Posts Archive

Travel: It Is Not Just For Airline Status Pt. 2

In my last post, we were merely discussing things in the very pre-planning stages. While much of that was most likely already information known by the masses, it is still very important information for anyone who has never traveled abroad before for business. It is a different animal than when you do it for personal leisure. For the continuance of this, we are going to look at what is in my carry-on bag when I am…

Travel: It Is Not Just For Airline Status Pt. 1

I elected to make this my first "real" posting to not only elaborate on the amazing work of my friend Lesley's post back in November, but to also provide my insight as someone who does it quite a bit. First, I'm not going into the "do's and don'ts" of a particular region or how to have proper OPSEC. Your security folks should be properly preparing you if you're going to austere conditions...not a blog. I will…

So, who am I?

Many are probably wondering who I am and if this is worth their own time. My hope is that it will be! To start, I won't go into my background too much...if you want to know it you'll probably be able to ask around to put the pieces together. Also, I'm not the kind of person who thinks degrees and certs make the person. Do I have those? Yes, I do. We will leave…

Removing the Cloak

So I was basically challenged into starting up a blog in relation to giving back to the community. This was largely pushed by many of the SANS instructors within the digital forensics curriculum as there is a large gap within the field as a whole. Coming from my previous employer, this was just something that couldn't be done. We are always pushed to err on the side of caution while conducting any activity online as…

Forensic 4:cast 2018

This year, I have been nominated by the #DFIR industry for two categories of the Forensic 4:Cast awards (https://forensic4cast.com/). Please vote for Devon Ackerman as "Digital Forensic Investigator of the Year" and vote for this website, AboutDFIR.com, for "Digital Forensic Resource of the Year" for 2018. Regardless of who you cast your Forensic 4:cast 2018 votes for, please consider joining Mary Ellen and me in Austin, Texas at the SANS conference to celebrate no matter…

AMD and Intel Chipset Vulnerabilities & Exploits: March 2018 Update

Author: ShadowSherlock. Editor: Devon Ackerman. UPDATE: March 2018. It seems we are nearing the end of the Spectre/Meltdown issues from a patch availability standpoint. INTEL: Patches for older versions of Intel chipsets have been released - Haswell (4th-generation) and Broadwell (5th-generation). The performance hit will be about 10% to 20% for real world applications. Intel has also promised updates for the last generation of Core2 Duo chipsets. All microcode updates are now being deployed…

Rick Kiper’s Research Project

A personal friend and FBI colleague of mine, Rick Kiper, has a research project that he is currently working on for Forensics. The next phase of his research study is to develop a digital forensics tool typology. Basically, the goal is to identify the most important characteristics of digital forensics tools, so that a forensic examiner may be able to quickly assess and select a digital forensics tool appropriate for a particular task. The goal…

Digital Forensics & CPUs

Reprinted with permission as originally written by Mark Vogel of F.A.S.T Forensics. Kind of a book here but there's a LOT going on in the processor market right now between Intel & AMD, so there's a ton of information and considerations between the two now. I have done a couple Ryzen builds since the release of the Ryzen 7 CPUs earlier this year to test out. The chipsets for this platform seem to…

Yandex.ru and Intrusion Investigations

Quite often I notice that unauthorized actors who compromise RDP access will execute a native web browsing application and navigate to a website such as whoer.net to enumerate browser header information, IP address, ISP, and a smattering of other host identification information. In reviewing these cases with forensic tools, I would also quite often see a hit for https://mc.yandex.ru/metrika/watch.js. Observing a .ru domain hit usually raises my suspicion level a bit, but I could not…

Petya Ransomware Recap

Twitter, news media, and malware researchers were busy the past 30 hours as news of a ransomware variant being identified as Petya (NotPetya) was leveraging ETERNALBLUE to spread similar to how WannaCry ransomware had spread back in May 2017. While variants of Petya have been seen going back a few months to include code similarities shared with Petrwrap and GoldenEye/Mischa ransomware strains, this quickly spreading variant leveraged a different attack than WannaCry in that it…

SANS DFIR Summit 2017 Wrapup

Awesome presentations, great humor throughout and well deserved wins across all of the forensic4:cast awards. It was tough to compete in the same category as Magnet Forensics and Cellebrite and having been nominated to the top 3 with these 2 alone was humbling. It was my first SANS Summit, but it certainly won't be my last - already blocking off my calendar for next year. It also got me thinking about a book that I had started about a…

Here in Austin Texas!

SANS DFIR Summit 2017 is beginning with pre-registration this evening and the first two days, Thursday and Friday. Can't wait to meet everyone.