Let's just say that you're doing an investigation of a subject and that the investigation centers around proving that they visited a certain website. Of course, you've check the usual places: history files, typed URLs in the registry, etc - but … [Continue reading]
Quick Tip: PowerShell Grep Equivalent
I've used searching in my previous PowerShell posts, but I thought that it deserves a dedicated "Quick Tip" posting. I know that folks coming from a *nix background will be very familiar with using grep to search for pretty much anything and … [Continue reading]
Searching the Registry using PowerShell
On a cold and rainy Thursday morning, I thought that it would be a good time to write a post on searching the Windows registry using PowerShell. In an Incident Response scenario you may want or need to do some live analysis on a compromised system, … [Continue reading]
Turning off automount in Windows
Along with disabling autoplay/autorun, you may want to consider turning off the automount functionality of Windows systems requiring high security and is a decent secondary protection on a forensics workstation (you are using a hardware write blocker … [Continue reading]
Finding an Active Directory User's SID using PowerShell
I sometimes need a quick and easy way of determining a user's Active Directory SID (for example, when performing forensics on the Recycle Bin). Yes, there are ways to find out a SID in ADUC (check out how here) - but I think that utilizing … [Continue reading]
Your company is a target – targeted phishing attacks
Whether you choose to believe it or not, your company (given it is of a reasonable size or deals with sensitive data) is, or will be, the target of a specific technology oriented attack of some kind. And I’m not talking a basic port scan here, I’m … [Continue reading]
Determining the hostname of a Windows machine
A coworker just asked me this question, and I thought that it would be useful enough to create a quick post. If you'd like to find out the hostname of a Windows workstation/server and only have a drive image available (and don't want to boot it), … [Continue reading]
The relevance of the Access time in timeline analysis
So - you're working on creating a timeline for a new disk image and you're finding that the subject accessed a large number of unrelated files in quick succession. Perhaps they were up to no good, but before utilizing this evidence to support any … [Continue reading]
Recycle Bin Forensics in Windows 7 and Vista
Microsoft has significantly changed how files and their corresponding details are represented within the Recycle Bin in Windows 7 and Vista. In Windows XP, when files were placed into the Recycle Bin they were placed within a hidden directory named … [Continue reading]
PsExec Passes Credentials in Clear Text
PsExec can be a very useful tool during incident response and live forensics work. For those that don't know, PsExec is a tool that can be used to execute commands on a remote Windows computer andwas initially developed by Sysinternals, which is now … [Continue reading]