AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

AboutDFIR Blog Posts Archive

New AboutDFIR Contributor

Greetings all, my name is Andrew Rathbun. For more about my background, see my entry on this page. I am excited to be given the opportunity to contribute to AboutDFIR as it is a project I have admired from afar for as long as I knew of its existence. This compendium is akin to something I would create myself had it not already existed. A compendium of this magnitude caters to my interests as a…

InfoSec News Nuggets 08/19/2019

1 Apple's warning: Break Safari's web-tracking rules and we'll hit back ITP broadly aims to limit marketers from tracking iOS and macOS Safari users across different websites, but without impeding a marketer's ability to measure the performance of their online ads. The document outlines what Apple considers to be tracking, different types of tracking, the types it will prevent, and how it treats any attempt to bypass its anti-tracking measures. The company warns it will…

Holiday Hack Sneak Peek 2019

It seems the SANS Annual Holiday Hack Challenge buzz begins earlier and earlier every year.  This year is no exception.  My first HolidayHack CheatSheet of the season is here! HUGE shout-out to our Red Team mole, Stephen Sampana for infiltrating Ed Skoudis' party in Vegas during BlackHat/DEFCON/BSides week and reporting back clues. Download v1.0 of my Kringle Con CheatSheet NOW! Enjoy! In other news, I've added some new items to our site that may interest…

Weekend of Updates

Looking for Annual Reports on Industry Threats and Trends? https://aboutdfir.com/annual-industry-reports/ Overhauled Blog page to now focus on corporate blogs and blogs not associated with any one specific author. All of the author-specific data has been pulled out and dropped into Men of #DFIR and Women of #DFIR pages. https://aboutdfir.com/reading/blogs/

#women in #dfir

Across the Cyber Security, Info. Security, and DFIR industries, women are enhancing the ranks of investigative digital sciences to solve problems, investigate crimes, and protect networks. Many organizations have been formed to recognize women who are entering the market, completing higher education in Digital Forensics, and leading in innovation, speaking engagements, and research projects. https://aboutdfir.com/women-of-dfir/ is now live and dedicated to those women.  More to be added in the coming months.

Site Update to DFIR Research page

Jessica Hyde (@B1N2H3X) and Jonathan Wiley with a fresh idea for creation of a forensic image for public consumption, testing, and educational purposes of a device running iOS 10 with robust documentation! https://aboutdfir.com/dfir-research/ page updated!

Site Updates

Busy weekend with new Certification and Training courses added, new Incident Response/Breach report added, DFIR Research additions and updated links, and even new tool updates.

Magnet User Summit 2019 Impressions

I wanted to make a quick note to start the blogging back up again (yes, I know -- don't judge me!) by discussing a recent Digital Forensics Summit that took place during the first week of April here in the United States. While there is some bias to this since both Devon and myself did present at the Summit, there is in no way, shape or form any endorsement or payment from Magnet for what…

Catching Up 3/19/2019

I’m overdue for an update, so here we go!  I came across some pretty cool stuff recently.  I know I’ve said this before, but it really is a fantastic time to be involved in DFIR! Nick Caldwell won me over with the very first article of his I came across, and he hasn’t disappointed me since!  He’s such a solid force of wisdom: https://hackernoon.com/the-worst-career-advice-i-ever-received-54aaf2a50c93 https://medium.com/@nickcaldwell/latest @NickCald Unless you live in a cave, you probably already knew this, but Eric…

Catching Up

I took some time this weekend to catch up a bit with AboutDFIR and add some of the content I've been too busy to share. I've got tons more, so that will be coming as time allows. I know Devon has stated it, but I'll reiterate, the links that we add often have context and so I've decided to take a few minutes to add some backstory around the new additions I've made this weekend. First,…

AboutDFIR.com updates across the board

Tons of updates across the website this weekend to include the new Tools section: Tools & Artifacts - Android; Tools & Artifacts - File Systems; Tools & Artifacts - Windows. In addition, the existing Conferences page received a big update with the addition of CFP information.

Forensic Tools

Forensic tools, whether software or hardware, are just like traditional forensic science tools - they are designed by humans and typically meant to be used by trained users who understand both the artifacts they are processing as well as the results produced by the tool. Some tools are as simple as a USB write blocker - you plug one end into a computer, you plug a USB device into the other end, and it "just…

Episode 886: The Price Of A Hack

"The Price of a Hack" w/Chris DiIenno of Mullen Coughlin LLC law firm, experts in legal advice following or during a cyber security event, along w/Dina Temple-Raston of NPR. This piece was born out of a prior Kroll Cyber Risk digital forensics and incident response-related investigation, directed by legal counsel, to assist a client that was preyed upon via a Business Email Compromise-oriented targeting scheme. NPR Planet Money - Episode 886 "The Price Of A…

Android Nougat Image Available to the DFIR Community

Joshua Hickman has created, for the DFIR community, an image of Android 7.x (Nougat) populated with apps and test data for a wide range of usage - everything from testing tools to training to teaching. It was created using a stock Android image from Google.  Several popular applications (apps) were populated with user data utilizing the capabilities of each individual app.  The stock Android apps were also populated with user data. An LG Nexus 5x,…

Threat Hunting for Non-Threat Hunters

Posted by MIKE ART REBULTAN at https://www.peerlyst.com/posts/threat-hunting-for-non-hunters-mike-art-rebultan-mit-ceh-ecsa. Threat hunting is a proactive task with an assumption that your organization has already been breached and you wanted to beat the average “dwell time” of 256 days; at least for me as a DFIR practitioner. And this is usually done with the help of different tools that we call “arsenals”; SIEM (security information and event management) and EDR (endpoint detection and response) mostly. However, security is not…

SANS SEC401 – Comprehensive Review

To get started in InfoSec, one must drink from the fire hose eventually. First, I want to apologize for the very late posts over the last month or so. My life has been a little chaotic bouncing between a few different things and I went on holiday for a few weeks and was told no laptop :). But alas. For this post, I wanted to jump into something that has been very near and…

Office 365 DFIR

A planned methodology for developing and implementing a forensically sound incident response plan in Microsoft’s Office 365 cloud environment must be thoroughly researched and re-evaluated over time as the system evolves, new features are introduced, and older capabilities are deprecated. This presentation will walk through the numerous forensic, incident response, and evidentiary aspects of Office 365. The presentation is based on two years’ worth of collection of forensics and incident response data in Microsoft’s Office…

Dissecting Official Reddit App, What Your Tools Don’t Tell You

Sometimes, Some Light Reversing is in Order! Reddit in general: So this is probably not new to many of the readers of this blog, Reddit is kind of a big deal at this moment in its lifespan. For those who do not know though, Reddit is a social media platform that touts itself as the "Frontpage of the Internet". What makes this social media platform so much different than say Facebook or Twitter -- is…

Reddit, Let's Talk About It

Sorry for the very long delay. Between heading out to DC to TA/Moderate the FOR585 class and work, it has been very chaotic! No excuse, but just very busy. One thing though that I have been working on has been reversing the Reddit App that came out about a year or so ago. Now, what really drew me to this is I'm not seeing a lot of support from the main forensic tools out there…

So You Want to Get into DFIR? Social Media Edition

Posting 365 days straight is definitely a lot harder of a challenge than you would think! Even with scheduling, time just gets away from you. With this blog, I wanted to at least give my own opinion on something that could have some grave consequences against you as a DFIR specialist: Social Media. This was inspired by a post I saw on LinkedIn from a colleague who is a Senior Forensic Examiner within the public…

So You Want to Get into DFIR? Private Sector Edition

So you've decided that public sector is just not for you. Nothing wrong with that! We just need to work on getting you ready for different suits. This is a different animal altogether! If you have a love for white collar issues, you'll see there is no end to the work you can do. If you love threat hunting, this will be a joy! What am I going to work? This is going to…

So You Want to Get into DFIR? Public Sector Edition

So you've decided to go into the Public Sector for your Digital Forensics job? That is, you've passed the rigorous background checks and the long-awaited clearance background if you're going to a Federal entity. Awesome! What you'll probably see is that you'll already have some sort of training program put into place to get you going. On top of that you'll be working closely with folks who have "seen it all, done it all"…

So you want to get into DFIR?

For this week, I felt the need to touch on things for those who are looking for their pathway towards InfoSec, particularly with Digital Forensics & Incident Response.  So this will be a multi-part posting through the week with each day a different aspect. My hope is those who are looking to get into it will get something out of it, and for those within it may consider some things they had not yet...especially if…

Preparing for a GIAC Test….This is not the CISSP

I'm late for the day! Largely because my city's "summer festival" was last night and I was out with friends, so blame them...not me :) This is a topic that has been touched on by others such as my good friend Lesley in her article in respect to making a good index for a GIAC exam. Lesley's template is still something I use, only over the course of my cert attempts I've tweaked it ever so…

Command Line or: How I learned to stop relying on GUI interfaces and love the syntax

So this is a little later than I thought I would post this, but life gets in the way! This is something very near and dear to me for a specific reason, my mentor was extremely anti-GUI software. Not because he didn't understand (although he was about as G-Man as you could imagine), but because he felt that to really understand the data, you needed to get into the weeds. Most vendor software out there…

Playing Nice in the Sandbox Together

Tell me how many of these you've heard of: Blue Team, Red Team, Purple Team, Green Team, Sprinkles Team ...okay that last one I just made up. Also, why doesn't DFIR ever have its own "team?" I'm not going to explain them all to you, but yes, these are in fact terms of explanation of the many facets of IT Security in some way. In the mil days, they were a way of distinguishing who would…

Travel: It Is Not Just For Airline Status Pt. 2

In my last post, we were merely discussing things in the very pre-planning stages. While much of that was most likely already information known by the masses, it is still very important information for anyone who has never traveled abroad before for business. It is a different animal than when you do it for personal leisure. For the continuance of this, we are going to look at what is in my carry-on bag when I am…

Travel: It Is Not Just For Airline Status Pt. 1

I elected to make this my first "real" posting to not only elaborate on the amazing work of my friend Lesley's post back in November, but to also provide my insight as someone who does it quite a bit. First, I'm not going into the "do's and don'ts" of a particular region or how to have proper OPSEC. Your security folks should be properly preparing you if you're going to austere conditions...not a blog. I will…

So, who am I?

Many are probably wondering who I am and if this is worth their own time. My hope is that it will be! To start, I won't go into my background too much...if you want to know it you'll probably be able to ask around to put the pieces together. Also, I'm not of the kind of person who thinks degrees and certs make the person. Do I have those? Yes, I do. We will leave…

Removing the Cloak

So I was basically challenged into starting up a blog in relation to giving back to the community. This was largely pushed by many of the SANS instructors within the digital forensics curriculum as there is a large gap within the field as a whole. Coming from my previous employer, this was just something that couldn't be done. We are always pushed to err on the side of caution while conducting any activity online as…

Forensic 4:cast 2018

This year, I have been nominated by the #DFIR industry for two categories of the Forensic 4:Cast awards (https://forensic4cast.com/). Please vote for Devon Ackerman as "Digital Forensic Investigator of the Year" and vote for this website, AboutDFIR.com, for "Digital Forensic Resource of the Year" for 2018. Regardless of who you cast your Forensic 4:cast 2018 votes for, please consider joining Mary Ellen and me in Austin, Texas at the SANS conference to celebrate no matter…

AMD and Intel Chipset Vulnerabilities & Exploits: March 2018 Update

Author: ShadowSherlock Editor: Devon Ackerman UPDATE: March 2018 It seems we are nearing the end of the Spectre/Meltdown issues from a patch availability standpoint. INTEL Patches for older versions of Intel Chipsets have been released - Haswell (4th-generation) and Broadwell (5th-generation). The performance hit will be about 10% to 20% for real world applications. Intel has also promised updates for the last generation of Core2 Duo chipsets. All microcode updates are now being deployed…

Rick Kiper’s Research Project

A personal friend and FBI colleague of mine, Rick Kiper, has a research project that he is currently working on for Forensics.  The next phase of his research study is to develop a digital forensics tool typology. Basically, the goal is to identify the most important characteristics of digital forensics tools, so that a forensic examiner may be able to quickly assess and select a digital forensics tool appropriate for a particular task.  The goal…

Digital Forensics & CPUs

Reprinted with permission as originally written by Mark Vogel of F.A.S.T Forensics.   Kind of a book here but there's a LOT going on in the processor market right now between Intel & AMD, so there's a ton of information and considerations between the two now.   I have done a couple Ryzen builds since the release of the Ryzen 7 CPUs earlier this year to test out.  The chipsets for this platform seem to…

Yandex.ru and Intrusion Investigations

Quite often I notice that unauthorized actors who compromise RDP access will execute a native web browsing application and navigate to a website such as whoer.net to enumerate browser header information, IP address, ISP, and a smattering of other host identification information.  In reviewing these cases with forensic tools, I would also quite often see a hit for https://mc.yandex.ru/metrika/watch.js.  Observing a .ru domain hit usually raises my suspicion level a bit, but I could not…

Petya Ransomware Recap

Twitter, news media, and malware researchers were busy the past 30 hours as news of a ransomware variant being identified as Petya (NotPetya) was leveraging ETERNALBLUE to spread similar to how WannaCry ransomware had spread back in May 2017.  While variants of Petya have been seen going back a few months to include code similarities shared with Petrwrap and GoldenEye/Mischa ransomware strains, this quickly spreading variant leveraged a different attack than WannaCry in that it…

SANS DFIR Summit 2017 Wrapup

Awesome presentations, great humor throughout and well deserved wins across all of the forensic4:cast awards.  It was tough to compete in the same category as Magnet Forensics and Cellebrite and having been nominated to the top 3 with these 2 alone was humbling.  It was my first SANS Summit, but it certainly won't be my last - already blocking off my calendar for next year.  It also got me thinking about a book that I had started about a…

Here in Austin Texas!

SANS DFIR Summit 2017 is beginning with pre-registration this evening and the first two days, Thursday and Friday. Can't wait to meet everyone.