#LearningDFIR

Latest posts tagged with #LearningDFIR on Bluesky

You can use the command line tool ewfverify to calculate the hash value and verify a forensic image on Linux in the EWF
format (Expert Witness Compression Format):

sudo apt install ewf-tools
ewfverify <<image_name>>

It works on single files as well as multiple part files.

#LearningDFIR #DFIR

6 1 0 0

Transferring my existing Windows forensics for IR course to Podia to finally make it online available.

#LearningDFIR #DFIR

4 0 0 1

Attackers often establish persistence or move laterally by creating services.

🧠 Check for Event ID 7045 in the System log

<<A service was installed in the system>>

#DFIR #LearningDFIR

0 0 1 0

C'mon those #LearningDFIR or interested!

#PopQuiz

0 0 0 0

The Master File Table (MFT) is a crucial component of the NTFS file system used by Windows operating systems. It functions as a central database that records information about every file and directory on an NTFS volume.

#DFIR #LearningDFIR

3 0 1 0

Windows loads applications at startup via specific registry keys.

Registry paths:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Review for suspicious entries or executables in unusual locations.
#LearningDFIR #DFIR

4 0 1 0
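The two tips above (Event ID 7045 in the System log, and the HKCU/HKLM Run keys) share the same review question: does the executable live somewhere an auto-starting component normally would not? The script below is an added example, not code from either post. It assumes the System log has been exported to XML (the EventData field names ServiceName, ImagePath, StartType and AccountName are the ones a 7045 record carries) and that Run-key values have been dumped to (key, value name, data) triples; the log records and registry entries in it are constructed sample data, and the list of "unusual" directories is a starting heuristic rather than an authoritative rule.

```python
import re
import xml.etree.ElementTree as ET

# Directories where an auto-starting service or Run entry is rarely legitimate.
# Heuristic list for this example; first match wins, so Temp is checked before AppData.
SUSPICIOUS_DIRS = (
    ("\\temp\\", "Temp"),
    ("\\appdata\\", "AppData"),
    ("\\users\\public\\", "Users\\Public"),
    ("\\downloads\\", "Downloads"),
    ("\\programdata\\", "ProgramData"),
)
# Prefixes treated as normal install locations (compared lower-cased).
NORMAL_PREFIXES = ("c:\\windows\\", "c:\\program files", "%systemroot%",
                   "\\systemroot\\", "system32\\")

# Constructed sample: three System log records exported to XML (not from a real host).
# Record 1 is a normal-looking install, record 2 starts from Temp, record 3 is a
# 7036 state change that must be ignored by the 7045 filter.
SYSTEM_LOG_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
<TimeCreated SystemTime="2024-03-01T08:00:12Z"/><Computer>WS01</Computer></System>
<EventData><Data Name="ServiceName">Vendor Agent</Data>
<Data Name="ImagePath">"C:\Program Files\Vendor\agent.exe" --service</Data>
<Data Name="ServiceType">user mode service</Data><Data Name="StartType">auto start</Data>
<Data Name="AccountName">LocalSystem</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
<TimeCreated SystemTime="2024-03-01T23:41:55Z"/><Computer>WS01</Computer></System>
<EventData><Data Name="ServiceName">Windows Update Helper</Data>
<Data Name="ImagePath">C:\Users\alice\AppData\Local\Temp\upd.exe</Data>
<Data Name="ServiceType">user mode service</Data><Data Name="StartType">auto start</Data>
<Data Name="AccountName">LocalSystem</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7036</EventID>
<TimeCreated SystemTime="2024-03-01T23:42:00Z"/><Computer>WS01</Computer></System>
<EventData><Data Name="param1">Windows Update Helper</Data>
<Data Name="param2">running</Data></EventData></Event>
</Events>"""

# Constructed Run-key entries as (key, value name, data) triples.
RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Users\Public\svc.exe" /silent'),
]


def executable_from_command(command):
    """Return the executable path from an ImagePath or Run value: a quoted path
    followed by arguments, or an unquoted path that may itself contain spaces."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def path_reason(exe_path):
    """Return why a path looks unusual, or None when it is in a normal location."""
    p = exe_path.lower()
    for marker, label in SUSPICIOUS_DIRS:
        if marker in p:
            return f"executable under {label}"
    if not p.startswith(NORMAL_PREFIXES):
        return "executable outside Windows/Program Files"
    return None


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def service_installs(xml_text):
    """Yield one dict per Event ID 7045 record (service install) in the export."""
    for ev in ET.fromstring(xml_text).iter():
        if _local(ev.tag) != "Event":
            continue
        eid, when, data = None, "", {}
        for el in ev.iter():
            name = _local(el.tag)
            if name == "EventID":
                eid = int(el.text)
            elif name == "TimeCreated":
                when = el.get("SystemTime", "")
            elif name == "Data":
                data[el.get("Name")] = el.text or ""
        if eid == 7045:
            yield {"time": when, "service": data.get("ServiceName", ""),
                   "image_path": data.get("ImagePath", ""),
                   "account": data.get("AccountName", "")}


def triage_services(xml_text):
    """Return the 7045 records whose executable sits in an unusual location."""
    hits = []
    for rec in service_installs(xml_text):
        reason = path_reason(executable_from_command(rec["image_path"]))
        if reason:
            hits.append({**rec, "reason": reason})
    return hits


def triage_run_entries(entries):
    """Apply the same location heuristic to Run-key (key, value, data) triples."""
    hits = []
    for key, name, command in entries:
        reason = path_reason(executable_from_command(command))
        if reason:
            hits.append({"key": key, "value": name, "command": command, "reason": reason})
    return hits


if __name__ == "__main__":
    for h in triage_services(SYSTEM_LOG_XML) + triage_run_entries(RUN_ENTRIES):
        print(h)
```

Treat the output as a review queue rather than a verdict: some legitimate per-user software installs under AppData and will be flagged by the same rule, so a hit still needs the file itself, its timestamp and the installing account looked at before it is called malicious.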

Without gatekeepers, there is a single barrier to entry when it comes to #dfir and that's hardware. You NEED a beast in most instances to do the work effectively.

I am not sure if there is a way around it? Cloud isn't the answer cause that's also $$$.

Thoughts??

#LearningDFIR #HomeLabs

3 0 4 0

WMI can be abused for stealthy persistence.

๐Ÿ” Check registry:
HKLM\SOFTWARE\Microsoft\Wbem\CIMOM

Investigate:

__EventFilter

__EventConsumer

__FilterToConsumerBinding

#DFIR #LearningDFIR #ThreatHunting

2 1 1 0
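The three classes listed above only tell the story together: a __FilterToConsumerBinding points at one __EventFilter (the WQL query that decides when something fires) and one __EventConsumer subclass (what runs when it does). The script below is an added example, not part of the post, that joins instances of the three classes into one row per binding and also lists filters nothing is bound to. It assumes the instances have already been dumped from the root\subscription namespace into plain dicts; the filter, consumer and binding records in it are constructed sample data, and the object-path format it parses (`...:ClassName.Name="..."`) is the standard WMI reference form.

```python
import re

# Constructed instances from root\subscription, shaped as a WMI enumeration tool
# would dump them (sample data, not a real host).
EVENT_FILTERS = [
    {"Name": "Hourly Health Check", "QueryLanguage": "WQL",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 3600 "
              "WHERE TargetInstance ISA 'Win32_LocalTime'"},
    {"Name": "Orphaned Filter", "QueryLanguage": "WQL",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 10 "
              "WHERE TargetInstance ISA 'Win32_LogonSession'"},
]
EVENT_CONSUMERS = [
    {"__CLASS": "CommandLineEventConsumer", "Name": "Health Check Runner",
     "CommandLineTemplate": r"C:\Users\Public\check.exe --quiet"},
    {"__CLASS": "ActiveScriptEventConsumer", "Name": "Inventory Script",
     "ScriptingEngine": "VBScript", "ScriptText": 'WScript.Echo "inventory"'},
]
BINDINGS = [
    {"Filter": r'\\.\root\subscription:__EventFilter.Name="Hourly Health Check"',
     "Consumer": r'\\.\root\subscription:CommandLineEventConsumer.Name="Health Check Runner"'},
    # Binding whose consumer no longer exists (e.g. partially cleaned up).
    {"Filter": r'\\.\root\subscription:__EventFilter.Name="Hourly Health Check"',
     "Consumer": r'\\.\root\subscription:CommandLineEventConsumer.Name="Missing Consumer"'},
]

REF_RE = re.compile(r'(\w+)\.Name="([^"]+)"\s*$')


def parse_ref(ref):
    """Split an object path such as '...:CommandLineEventConsumer.Name="X"' into (class, name)."""
    m = REF_RE.search(ref)
    if not m:
        raise ValueError(f"unrecognised WMI reference: {ref}")
    return m.group(1), m.group(2)


def consumer_action(consumer):
    """Summarise what a consumer does, based on which subclass it is."""
    cls = consumer["__CLASS"]
    if cls == "CommandLineEventConsumer":
        return consumer.get("CommandLineTemplate", "")
    if cls == "ActiveScriptEventConsumer":
        engine = consumer.get("ScriptingEngine", "")
        body = consumer.get("ScriptFileName") or consumer.get("ScriptText", "")
        return f"{engine}: {body}"
    return f"({cls}: unsupported consumer class)"


def resolve_bindings(filters, consumers, bindings):
    """One row per binding: trigger query plus resulting action. Broken references
    are kept in the output as placeholders instead of being dropped silently."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    rows = []
    for b in bindings:
        _, fname = parse_ref(b["Filter"])
        ccls, cname = parse_ref(b["Consumer"])
        f = by_filter.get(fname)
        c = by_consumer.get((ccls, cname))
        rows.append({
            "filter": fname,
            "query": f["Query"] if f else "<filter not found>",
            "consumer": f"{ccls}:{cname}",
            "action": consumer_action(c) if c else "<consumer not found>",
        })
    return rows


def unbound_filters(filters, bindings):
    """Filters that no binding references; harmless on their own but worth noting."""
    bound = {parse_ref(b["Filter"])[1] for b in bindings}
    return [f["Name"] for f in filters if f["Name"] not in bound]


if __name__ == "__main__":
    for row in resolve_bindings(EVENT_FILTERS, EVENT_CONSUMERS, BINDINGS):
        print(f'{row["filter"]!r} -> {row["consumer"]}\n    when: {row["query"]}\n    does: {row["action"]}')
    print("unbound filters:", unbound_filters(EVENT_FILTERS, BINDINGS))
```

The joined view is what you actually review: the query says how often and on what condition the consumer fires, and the consumer's command line or script body says what runs, so a row whose action points at a user-writable directory gets the same scrutiny as a service or Run entry in the same place.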

NTUSER.DAT is a system file found in every user profile on a Windows system. It stores the user's Registry hive under HKEY_CURRENT_USER (HKCU).

🧠 Inside?

* Program settings
* Recent files
* User preferences
* Evidence of activity

#DFIR #LearningDFIR #WindowsForensics

3 0 1 0

What Are Shellbags?

Shellbags are Windows artefacts that track folders a user has accessed via the File Explorer. They store view settings and folder paths, even for folders that have since been deleted.

#LearningDFIR #DFIR

4 1 1 0

I realised that some of the knowledge I have stored away and tips are useful. Should I keep doing the small #dfir tips each day to help people #learningdfir?

Inspired after teaching my class at 0xCC the last few days.

5 0 0 0

๐Ÿ” Want to see what USB devices were plugged into a system?

Check the Registry key:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

Each subkey represents a device, storing its serial number, make, and model.

#LearningDFIR #DFIR

19 3 1 0
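The make, model and serial number the post mentions are encoded in the key names themselves: the device-class key reads `<Type>&Ven_<Vendor>&Prod_<Product>&Rev_<Revision>`, and its subkey is the device serial followed by an `&<n>` instance index. The parser below is an added example, not part of the post. It assumes the USBSTOR key paths have been listed out as text by a registry tool (the paths in it are constructed sample data), that spaces in vendor and product strings appear as underscores, and that an instance ID whose second character is `&` is one Windows generated because the device presented no serial number.

```python
import re
from dataclasses import dataclass

# Device-class key format under USBSTOR: <Type>&Ven_<Vendor>&Prod_<Product>&Rev_<Revision>
DEVICE_KEY_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


@dataclass
class UsbDevice:
    device_type: str            # Disk, CdROM, ...
    vendor: str
    product: str
    revision: str
    serial: str                 # instance key with the trailing "&<n>" index removed
    serial_is_generated: bool   # True when Windows made up the ID (device had no serial)


# Constructed key paths as a registry tool would list them (not from a real host).
# The first is a device-class key with no instance subkey and is skipped.
USBSTOR_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230601117100&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\7&2a7c9f1b&0",
]


def parse_usbstor_path(path):
    """Parse one USBSTOR instance path into a UsbDevice; raise ValueError otherwise."""
    parts = path.split("\\")
    upper = [p.upper() for p in parts]
    if "USBSTOR" not in upper:
        raise ValueError(f"not a USBSTOR path: {path}")
    i = upper.index("USBSTOR")
    if len(parts) < i + 3:
        raise ValueError("path stops at the device-class key; no instance subkey")
    m = DEVICE_KEY_RE.match(parts[i + 1])
    if not m:
        raise ValueError(f"unexpected device-class key: {parts[i + 1]}")
    instance = parts[i + 2]
    return UsbDevice(
        device_type=m["type"],
        # Windows stores spaces in the vendor/product strings as underscores.
        vendor=m["vendor"].replace("_", " "),
        product=m["product"].replace("_", " "),
        revision=m["rev"],
        serial=instance.rsplit("&", 1)[0],
        serial_is_generated=len(instance) > 1 and instance[1] == "&",
    )


def inventory(paths):
    """Return a UsbDevice for every instance path, skipping parent keys and junk."""
    devices = []
    for p in paths:
        try:
            devices.append(parse_usbstor_path(p))
        except ValueError:
            continue
    return devices


if __name__ == "__main__":
    for d in inventory(USBSTOR_KEYS):
        tag = " (Windows-generated ID)" if d.serial_is_generated else ""
        print(f"{d.device_type:6} {d.vendor} {d.product} rev {d.revision} serial {d.serial}{tag}")
```

A generated ID is still useful for matching the same device across other artefacts on the same machine, but unlike a real serial it cannot be used to tie the device to a different host.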

Identify user logins using Windows Security Event Logs. These are stored in: C:\Windows\System32\winevt\Logs\Security.evtx

Watch for Event IDs that show login activity and privilege use. #LearningDFIR #DFIR

1 1 1 0