Incident Response Script for APT Hunting
Sergey Golovanov and Igor Soumenkov have prepared a New Year present for DFIR community: they have presented their script fo…
Pagefile forensics: page_brute
page_brute.py is a digital forensic tool purposed to analyze and categorize individual paged memory frames from Windows Page…
CERTitude – The seeker of IOC
CERTitude is a Python-based tool which aims at assessing the compromised perimeter during incident response assignments. It …
Investigate malicious logon with LogonTracer
LogonTracer helps digital forensics analysts to investigate malicious logon by visualizing and analyzing Windows active dire…
Unofficial Guide to Mimikatz & Command Reference
Mimikatz is a common tool used by APT in modern cyber attacks to harvest admin’s and user’s login credentials. I…
In-Depth Forensic Analysis of Windows Registry Files
The Windows registry is an essential source of evidence when performing a wide range of examinations. In a recent talk (Zero…
Timestamp hiccups: Detecting manipulated filesystem timestamps on NTFS
Redundant capacity in filesystem timestamps is recently proposed in the literature as an effective means for information hid…
Chasing Adversaries with Autoruns – Evading Techniques and Countermeasures
Sysinternals Autoruns is a great utility for defenders to discover and disable malware and adversaries’ persistence po…
Forensic Artefacts Associated with Intentionally Deleted User Accounts
Digital forensics is an evolving discipline that looks for evidence in electronic devices. It is being utilised in investiga…
Windows Credentials Attacks, Mitigations & Defense
Windows credentials are arguably the largest vulnerability affecting the modern enterprise. Credential harvesting is goal nu…
