434 episodes

Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.

Digital Forensic Survival Podcast

    • Technology


    DFSP # 435 - Good Ol’ Powershell


    Threat actors often exploit PowerShell in cyber attacks due to its capabilities and integration with Windows operating systems. Microsoft has cited PowerShell as one of the most commonly used tools in the attack chain. It also comes up in phishing campaigns and other attacks that include infecting URL links. The challenge lies in the fact that it is a commonly used administration tool. As an analyst, you can expect to have lots of PowerShell scripts and commands come up during your investigations. Your job is to be able to differentiate between the good and bad. Fortunately, this episode is going to give you some tips and tricks on how to do exactly that...

    • 29 min
    DFSP # 434 - The Reg


    The Windows registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as for applications running on the platform. In order to make use of any of this information, you must understand the registry from a DFIR point of view, and that's exactly what I'm doing in this episode...

    • 20 min
    DFSP # 433 - SU DOs and DONTS


    On a Linux or Mac system, there can be user accounts that have the ability of privilege escalation. Knowing how to triage for this has a twofold benefit: (1) you obviously want to know which account may elevate to root privileges. If you're doing account triage, these are the ones you should prioritize. The other benefit (2) is to identify any account that can escalate. This fact alone ...

    • 20 min
    DFSP # 432 - Control Bits


    TCP control bits are part of the TCP header and are used to manage the connection between two devices. These control bits are single-bit flags that indicate various aspects of the TCP connection and are important for understanding and analyzing network traffic...

    • 24 min
    DFSP # 431 - Finding Needles


    The time it takes from an initial escalation to the initial discovery of compromise is a key metric. Teams strive to do this as quickly as possible, but there are a number of challenges. You do not know what you're going to be handed, but you're pretty much guaranteed it's going to be a unique set of circumstances that require some type of customized or mostly customized response. So how do you accomplish this? Most analysts rely on a set of tried and true techniques that can be used at scale. This week I'm going to cover a few of them, each being a critical technique you should be familiar with for forensic investigations...

    • 22 min
    DFSP # 430 - Targeting Tasks


    Windows Scheduled Tasks are often used by attackers to establish persistence. As an analyst, you want to be aware of the different Windows event codes that record these details. These artifacts come up in just about every Windows compromise assessment; consider them core triage skills. There are several events, all of which I will go over in this episode. I will break them down from a DFIR point of view and give you the triage methodology...

    • 18 min
