In the beginning...

The first computer incident I was involved in was the ILOVEYOU virus in May 2000 and that directly lead me into forensics, with my first investigation being in 2004. 

I started out with a script from a book called “Windows Forensics and Incident Recovery” written by Harlan Carvey (@keydet89) https://windowsir.blogspot.com/  

Thank you Harlan for all the books since and creating RegRipper https://github.com/keydet89/RegRipper3.0

While I started out with a humble script, the modern forensicator/Incident Responder has a huge variety of FOSS tools to choose from. The need for Windows deadbox forensics still exists, but the focus has shifted to incident response (IR), with the need for speedy accurate triage, to stop Ransomware. Given the rise in ransomware, data breaches and malware attacks, the need for IR is only increasing. The good news is the basics for Forensics and IR fields (DFIR) are basically the same – paraphrasing the experts:

1) critical thinking – there is no “find evil” button; know what you are looking for BEFORE starting

2) use a documented, defensible, explainable process (expecting the case to go to court)

3) understand your environment (Windows, MAC, Android)

4) understand the threat actors and their TTP’s

5) understand your tools, their usage and limitations

6) test, document and sharing back to the community

7) master related topics like Linux, bash shell scripting, Python, TCP/IP

Comments

Post a Comment

Popular posts from this blog

 Update for 2022 Merry Christmas and a Happy New Year to everyone. Special shout out to those safeguarding civilization in all the many forms this takes. Being on call is not for everyone, is it ?  My last update was a while back and I am clearly overdue for an update we go into 2023. So lets cover some of my observations and personal highlights of 2022: The continued success and growth of EnergiCERT ( https://energicert.dk/ ) is certainly strengthening and benefiting the cyber security of  Danish critical infrastructure. Wonderful team of people, well managed and motivated. Yeah, I am biased ;) Engarde Security continues to grow and be noticed; now has expanded and with an ics range ( https://www.engardesecurity.com/icsrange )  Highly skilled people and the ics range is very well done. Enjoyed an excellent ICS Security conference in Copenhagen in November:  (https://insightevents.dk/isc-cph/ ) But I still miss CS3 (https://cs3sthlm.se/ ) for many non technical...
Read more

Alls well that ends well...

 After the shock of loosing my job in June, I was fortunate to discover I had a very supportive network of friends, former colleagues and people I met over the years who provided much needed moral support who helped me move on. Eventually to a rather unique and special job at sektorcert helping protect Danish critical infrastructure.  Thanks to all of you who reached out with offers, coffee meetings and advice while I was on garden leave. Your comments significantly helped during this challenging time. I feel truly fortunate and grateful to be working where I am now, with a most excellent group of  colleagues. The combination of our mission and the fact we are a non profit organization that directly supports our members is a welcome change from the usual commercial aspects of every other company I have worked for over the past 30 + years, with the exception of Unicef. So I wish the readers a very Merry Christmas and a reasonably decent 2024; which is optimistic as hell; b...
Read more