Had some free time last week, so decided to participate in David Cowen’s Sunday Funday challenge. My submission didn’t win, but I decided to post it anyway. 1. What within the shellbags entry would tell you how the user had set their directory viewing preferences (sort order, thumbnail view, standard view) You can find these settings under: UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\Bags\<Node_slot>\ComDlg\{GUID} …

Let’s continue to dissect unusual malicious email attachments used by modern APT. This time I’m going to focus on malicious CHM files used by Silence APT. If you haven’t heard about it for some reason, I would recommend to read this detailed report by Group-IB, as this APT attacks not only Russian banks, but also banks in more than 25 countries. …

Weaponized LNK files are not very popular way of distributing malware, but, of course, sometimes they take place. One of a good examples of such files is the one described by FireEye in November, that is assosiated with APT29 also known as Cozy Bear. It’s is beleived that Cozy Bear is a Russian hacker group. What’s more, it’s even associated …

This article is a general explanation why and how forensic experts and first responders could benefit from a tool that provides Image data retrieval. The product under review is a first-line tool for data retrieval and image mounting, as you cannot retrieve the data without mounting the images first. Also being able to read this data under any OS, regardless …

We decided to continue our cloud forensics series, but focus on more popular desktop applications, this time it’s going to be Google Drive for Windows. We will divide the post into a few parts, focusing on different sources of potential digital evidence: file system, registry, SQLite databases and web-browsing history. File system The most trivial part – the goal is …

So, we decided to finish our write-up today. The forth part – the most interesting part. Intrusion! Again, no more AXIOM, only free and open source tools! Method of Attack What was the method of attack the threat actor used? So, we started from Windows Event Logs analysis, and very soon found our favorite base64-encoded string in Windows PowerShell.evtx: The …

Hope you are having a great Sunday, and we are continuing our write-up. No more AXIOM, by the way! You wanted open source tools for CTF solution, we did it 🙂 Application for Exfil Which application was used to exfiltrate data on the compromised system? Let’s look into itsupport user profile folder: Dropbox and OneDrive both look very suspicious, let’s …

We are continuing our write-up. The second part will walk you through the solution of the second set of CTF problems – Misc. Timezone Again, very easy task, but it’s only the beginning. You can find the flag in Timezone Information section of AXIOM, or via manual analysis of TimeZoneInformation key: As you can see, the flag is Mountain. VSN …

Yesterday Troy Schnack and Kevin Pagano suggested on Twitter that it would be good to write how I solved Magnet User Summit CTF. I thought it was a good idea, and decided to do it with my friend Igor Mikhaylov. This will be a series of posts, and the first part is dedicated to anti-forensics. Wiping App This is really easy …

As you may know, David Cowen runs Sunday Funday Challenges, and one of the most recent was Zone.Identifier challenge. I haven’t won, but I decided to post my submission as it contains some additional info. So, here we go: Windows XP SP2 introduced Zone.Identifier Alternative Data Stream, that is created alongside with the file downloaded from the Internet or intranet. …