Badly behaving scripts
As browser and operating system security have been improving, there has been a rise in conventional malware attacks relying …
Extracting Activity History from PowerShell Process Dumps
Lee Holmes has posted about how to extract activity history from PowerShell process dumps. Such dumps may be gold mines, esp…
Triage Image Creation
This episode of “Introduction to Windows Forensics” covers triage image creation. Richard Davis uses FTK Imager …
Malcom: Malware Communication Analyzer
Malcom is a tool designed to analyze a system’s network communication using graphical representations of network traff…
Cobalt Strike Remote Threads Detection
Olaf Hartong has writted a blog post in which he shows how to use âCreate Remote Threadâ events to detect process injection …
PasteHunter
PasteHunter is a Python3 application that is designed to query a collection of sites that host publicliy pasted data. For al…
Extract forensic timeline from memory dumps with AutoTimeliner
Andrea Fortuna created the AutoTimeliner, a tool that “automagically extract forensic timeline from volatile memory du…
A Planned Methodology for Forensically Sound IR in Office 365
A planned methodology for developing and implementing a forensically sound incident response plan in Microsoftâs Office 365 …
The Little Handbook of Windows Forensics
Andrea Fortunan has released his “The Little Handbook of Windows Forensics”. Here is the description from the au…
Robust Use of PsExec That Doesnât Reveal Password Hashes
Brian Carrier and Chris Ray have found a way how to run PsExec and not reveal admin password hash. Check this blog post to l…
