Weaponized documents (I really hate this name!) are just another method used by bad guys to deliver malicious payload. Recently this technique was used by criminal groups delivering banking trojans (e.g. Dridex), but as you might expect it was also used by APT actors (e.g. Rocket Kitten in Operation Woolen Goldfish). Regardless of the threat type (APT, commodity, etc.) analysis of the malicious documents should be an essential skill of every analyst.
DFIR.IT on tour continues! This time we’ve decided to visit one of the longest-lasting and the best conferences in Poland. Expectations were high as it was our first event with all DFIR.IT members ready to roll, geek out and have fun. Unfortunately I am coming back a bit disappointed.
Memory acquisition is usually the first step in digital forensics analysis. Before any analysis can be done, we need to acquire the memory in
the first place. There are a number of commercial solutions to acquire memory, but there is also a few free and even open source equivalents.
In this article I am going to review four memory acquisition utilities designed to deploy on a USB stick for quick incident response operations.
First official tour of DFIR.IT team started on DFRWS in Dublin - we headed there to attend DFRWS EU 2015 conference. Amazing time in Dublin was accompanied by sunny(!) weather, a proper pint of Guinness and some time to geek out - a perfect combination!
There are plenty of blacklists available online. Building blacklists based detection often leads to high false positives rates which affects quality, increase workload and make alerts investigation more difficult. Primary reason is the lack of context. Context allows analysts to focus on what’s important and pivot from collected data in order to find more indicators and create better detection rules. Let’s explore how to hunt with Open Source Intelligence and command line fu to find evil and enhance detection with pattern matching rules.