Windows 10 Services - batcmd.com
FOR508
1768 K
According to Wikipedia, 1768 Kelvin is the melting point of the metal cobalt. This tool decodes and dumps the configuration of Cobalt Strike beacons. You can find a sample beacon here. 1768_v0_0_3.…
GitHub - jschicht/SetMace: Manipulate timestamps on NTFS
Manipulate timestamps on NTFS. Contribute to jschicht/SetMace development by creating an account on GitHub.
My Take on Preparing for GIAC Certification Exams - AboutDFIR - The Definitive Compendium Project
Introduction SANS GIAC Certifications are highly sought after because of the technical expertise required for completing them successfully. They are not to be taken lightly and are held in high regard due to them not being a “gimme” for the test taker. If you do not prepare, your score will reflect that and you risk […]
SANS Index How To Guide with Pictures
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the S...
GitHub - olafhartong/sysmon-modular: A repository of sysmon configuration modules
A repository of sysmon configuration modules. Contribute to olafhartong/sysmon-modular development by creating an account on GitHub.
Use KAPE to collect data remotely and globally
If you have been following along with the amazing utility that KAPE is then you are aware that it is a game changer to the forensics c...
FS_FindEvil · ufrisk/MemProcFS Wiki
The Memory Process File System. Contribute to ufrisk/MemProcFS development by creating an account on GitHub.
How to Detect and Prevent impacket's Wmiexec | CrowdStrike
This blog deep dives into wmiexec usage seen from multiple incident response investigations, and describes indicators to help defenders detect wmiexec.
Windows 10 and Windows Server 2016 security auditing and monitoring reference
This reference details most advanced security audit events for Windows 10 and Windows Server 2016.
Per-user services in Windows 10 and Windows Server - Windows Application Management
Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
Windows Forensics Analysis Training - GCFE Certification | SANS FOR500
FOR500 builds in-depth and comprehensive digital forensics knowledge of Microsoft Windows operating systems by analyzing and authenticating forensic data, as well as tracking detailed user activity and organizing findings.
FOR608: Enterprise-Class Incident Response & Threat Hunting | SANS
FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on developing the skills and techniques necessary to respond to large-scale intrusions across diverse enterprise networks.
Memory forensics: a fun hands-on introduction
A walkthrough for a practical workshop whose aim is to introduce enthusiasts to the world of memory forensics.
Finding Weaknesses Before the Attackers Do | Mandiant
Challenges & CTFs - AboutDFIR - The Definitive Compendium Project
A very special thank you to Abhiram Kumar for curating this list! Be sure to check out his educational CTF on GitHub, MemLabs. Walkthroughs
Better GIAC Testing with Pancakes
It’s no secret that I’m a fan of SANS and their associated GIAC infosec certifications. Certifications aren’t worth a ton of credibility in the information security arena, but the…
This Week In 4n6
Your weekly roundup of Digital Forensics and Incident Response news
Bergen_collaborative-timeline-analysis-in-large-incidents-sans-timeline-analysis-in-large.pdf
Change log
Eric Zimmerman Tools Changelog
File System Forensic Analysis
The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques Most digital evidence is stored within the computer's file system, but understanding how file systems work is one … - Selection from File System Forensic Analysis [Book]
File Signatures
Free file signature page since 2002!
Using Alternate Data Streams to Persist on a Compromised Machine
Back in the days before Windows Vista, Alternate Data Streams used to be an acceptable way for malware authors to hide their malicious code. An Alternate Data Stream can be used to hide the presenc…
Timeline Explorer - AboutDFIR - The Definitive Compendium Project
Table of Contents Page 1 – Introduction, Screenshots Page 2 – Why Use Timeline Explorer? Page 3 – Conclusion, Timeline Explorer-Related Blog Posts/Videos, Change Log Introduction Timeline Explorer is a free, feature-rich Excel replacement that’s catered specifically for digital forensic examinations. There are a handful of quality of life features over Excel that are worth […]
Timesketch
GitHub - daveherrald/SA_plaso-app-for-splunk
Contribute to daveherrald/SA_plaso-app-for-splunk development by creating an account on GitHub.
Using Splunk for Computer Forensics
GitHub - google/timesketch: Collaborative forensic timeline analysis
Collaborative forensic timeline analysis. Contribute to google/timesketch development by creating an account on GitHub.
l2t-tools/yara_match.py at master · kiddinn/l2t-tools
Automatically exported from code.google.com/p/l2t-tools - l2t-tools/yara_match.py at master · kiddinn/l2t-tools