Weaponized LNK files are not very popular way of distributing malware, but, of course, sometimes they take place. One of a good examples of such files is the one described by FireEye in November, that is assosiated with APT29 also known as Cozy Bear. It’s is beleived that Cozy Bear is a Russian hacker group. What’s more, it’s even associated …

This article is a general explanation why and how forensic experts and first responders could benefit from a tool that provides Image data retrieval. The product under review is a first-line tool for data retrieval and image mounting, as you cannot retrieve the data without mounting the images first. Also being able to read this data under any OS, regardless …

We decided to continue our cloud forensics series, but focus on more popular desktop applications, this time it’s going to be Google Drive for Windows. We will divide the post into a few parts, focusing on different sources of potential digital evidence: file system, registry, SQLite databases and web-browsing history. File system The most trivial part – the goal is …

So, we decided to finish our write-up today. The forth part – the most interesting part. Intrusion! Again, no more AXIOM, only free and open source tools! Method of Attack What was the method of attack the threat actor used? So, we started from Windows Event Logs analysis, and very soon found our favorite base64-encoded string in Windows PowerShell.evtx: The …

Hope you are having a great Sunday, and we are continuing our write-up. No more AXIOM, by the way! You wanted open source tools for CTF solution, we did it 🙂 Application for Exfil Which application was used to exfiltrate data on the compromised system? Let’s look into itsupport user profile folder: Dropbox and OneDrive both look very suspicious, let’s …

We are continuing our write-up. The second part will walk you through the solution of the second set of CTF problems – Misc. Timezone Again, very easy task, but it’s only the beginning. You can find the flag in Timezone Information section of AXIOM, or via manual analysis of TimeZoneInformation key: As you can see, the flag is Mountain. VSN …

Yesterday Troy Schnack and Kevin Pagano suggested on Twitter that it would be good to write how I solved Magnet User Summit CTF. I thought it was a good idea, and decided to do it with my friend Igor Mikhaylov. This will be a series of posts, and the first part is dedicated to anti-forensics. Wiping App This is really easy …

As you may know, David Cowen runs Sunday Funday Challenges, and one of the most recent was Zone.Identifier challenge. I haven’t won, but I decided to post my submission as it contains some additional info. So, here we go: Windows XP SP2 introduced Zone.Identifier Alternative Data Stream, that is created alongside with the file downloaded from the Internet or intranet. …

Everything started from an encrypted container on a flash drive, which couldn’t be opened for some reason. The examination confirmed, that the container didn’t accept the password provided. The first thought was the customer forgot the right one. But we decided to try to find a solution to open it. We started from checking NTFS file system. Analysis revealed the …

Windows Phones are not frequent guests of our digital forensic lab, especially now, as Microsoft stopped developing the platform. Nevertheless, sometimes we have to forensicate such devices, so it’s very important to have methods of fast and simple data extraction. For quite a long time the only option of physical extraction has been JTAG or Chip-off techniques, but thanks to …