Unfortunately I wasn’t able to attend BSides London this year - otherwise there would probably be a DFIR.IT on Tour entry somewhere on the blog. Recently I haven’t had a lot of time to play with any DFIR challenges, but when one of the guys at work mentioned the BSides Toxic PDF I decided to give it a try.
Weaponized documents (I really hate this name!) are just another method used by bad guys to deliver a malicious payload. Recently this technique was used by criminal groups delivering banking trojans (e.g. Dridex), but as you might expect it was also used by APT actors (e.g. Rocket Kitten in Operation Woolen Goldfish). Regardless of the threat type (APT, commodity, etc.), analysis of malicious documents should be an essential skill for every analyst.
DFIR.IT on tour continues! This time we’ve decided to visit one of the longest-running and best conferences in Poland. Expectations were high as it was our first event with all DFIR.IT members ready to roll, geek out and have fun. Unfortunately I am coming back a bit disappointed.
Memory acquisition is usually the first step in digital forensics analysis. Before any analysis can be done, we need to acquire the memory in the first place. There are a number of commercial solutions to acquire memory, but there are also a few free and even open source equivalents. In this article I am going to review four memory acquisition utilities designed to be deployed from a USB stick for quick incident response operations.
The first official tour of the DFIR.IT team started at DFRWS in Dublin - we headed there to attend the DFRWS EU 2015 conference. An amazing time in Dublin was accompanied by sunny(!) weather, a proper pint of Guinness and some time to geek out - a perfect combination!