Day 4 – Excerpt from Chapter 4 – User Causality in the context of DFIR

Day 4 - Excerpt from my newly released book, "Diving In - An Incident Responder’s Journey: A Guide for Executives, Lawyers, Insurance, Brokers & Audiences Eager to Learn"; you can get your copy here -> https://www.amazon.com/Diving-Responders-Executives-Insurance-Audiences/dp/B0CCCHTN8R "User causality in the context of Digital Forensics science refers to the relationship between a user's actions (cause) and the resulting impact on a digital system (effect), which fundamentally underpins Locard’s Exchange Principle. Understanding this cause-and-effect relationship is…

AboutDFIR Site Content Update 10/9/22

Tools & Artifacts - Windows - new entries added - Slack, Event Log Access, ProtonVPN, Hintfo
Tools & Artifacts - Android - new entry added - Device Health Services
Tools & Artifacts - iOS - new entries added - AppInstalls, AppLaunch, & AppIntents, Carplay, Safari, Siri, Unsent Messages, KnowledgeC.db
Jobs - old entries cleaned up, new entries added - ZenDesk, Binary Defense, Circle, Charles Schwab, and AllState
AboutDFIR stickers are still a thing! If you're interested…

App Timeline Provider – SRUM Database

The System Resource Usage Monitor (SRUM) is a currently parsed artifact available on Windows 8+ systems. On a basic level, SRUM appears to be the backend database supporting the Task Manager. These tables are stored in an Extensible Storage Engine (ESE) database saved as SRUDB.dat. Generally, there are 30 to 60 days of data saved in this database. The data is written to the database approximately every hour and around shutdowns. Some of the tables within…

A Conversation about Transitioning to Incident Response

In working on AboutDFIR the last couple months, I’ve come to learn that while digital forensics and incident response share some basic foundational knowledge, they are widely different in practice. I’ve taken SANS FOR500: Windows Forensic Analysis and have been reading the recent articles about vulnerabilities, and have to say it’s been a series of eye-openers, especially coming from a law enforcement digital forensic background, as to how evidence and analysis can differ depending on…

SOF-ELK and Integration with KAPE

Archer: FX Amazing how fast time flies when you're juggling so much during the trying times we all have had since 2020! At the time of publishing this article, we are all still facing a lot of uncertainties. I hope time has been gracious to you all...and continues to be! Why this post? As we push through some very trying times in the Digital Forensic and Incident Response world, there are two things I've experienced…

I want to see your Resume!

Do you know of someone just graduating with their college degree in #DFIR or #CyberSecurity or #security looking for their first job? I am interested! Send me a resume -> devon.ackerman@kroll.com with Resume in the subject line. Tag your friends, tag your colleagues.

281 Arrested Worldwide in Coordinated International Enforcement Operation Targeting Hundreds of Individuals in Business Email Compromise Schemes

Federal authorities announced today a significant coordinated effort to disrupt Business Email Compromise (BEC) schemes that are designed to intercept and hijack wire transfers from businesses and individuals, including many senior citizens. Operation reWired, a coordinated law enforcement effort by the U.S. Department of Justice, U.S. Department of Homeland Security, U.S. Department of the Treasury, U.S. Postal Inspection Service, and the U.S. Department of State, was conducted over a four-month period, resulting in 281 arrests…

InfoSec News Nuggets 08/26/2019

1. Peripheral Maker Fanatec Hacked, Customer Details Stolen
If you've ever been in the market for a high-end gaming controller, racing wheel, or pedals, chances are peripheral maker Fanatec was on your radar. Purchasing directly from Fanatec turned out to be a bad idea, though, as your personal details are probably in the hands of hackers. As Kotaku reports, Fanatec CEO Thomas Jackermeier sent out an email yesterday to all customers informing them that, "our online shop of…

InfoSec News Nuggets 08/22/2019

1. DoorDash takes another step toward automated food delivery
TechCrunch speculates that the acquisition is the latest attempt by DoorDash to reduce its reliance on human delivery drivers, by using more automated systems to deliver food. Back in 2017 the company partnered with Starship Technologies to test food deliveries using a small semi-autonomous robot, and earlier this year it started working with GM to use its autonomous vehicles to deliver food in San Francisco. …

InfoSec News Nuggets 08/21/2019

1. Cyber Safety for Students
As summer break ends, many students will return to school with mobile devices, such as smart phones, tablets, and laptops. Although these devices can help students complete schoolwork and stay in touch with family and friends, there are risks associated with using them. However, there are simple steps that can help students stay safe while using their internet-connected devices. The Cybersecurity and Infrastructure Security Agency (CISA) recommends reviewing the following…

InfoSec News Nuggets 08/19/2019

1. Apple's warning: Break Safari's web-tracking rules and we'll hit back
ITP broadly aims to limit marketers from tracking iOS and macOS Safari users across different websites, but without impeding a marketer's ability to measure the performance of their online ads. The document outlines what Apple considers to be tracking, different types of tracking, the types it will prevent, and how it treats any attempt to bypass its anti-tracking measures. The company warns it will…

InfoSec News Nuggets – 08/16/2019

1. Google employees protest: 'Don't bid for border control cloud contract'
Google employees are calling on the company not to bid on a cloud contract with the US Customs and Border Protection (CBP) in protest against the agency's alleged human-rights abuses at the Mexican border. The petition demands that Google does not bid on a recently published CBP request for information (RFI) for a "cloud services provider". However, Google employees also want the company to…