Author Archives: [email protected]


[Between Teams of Red and Blue, I'm with the Purple Team]

From the Diaries of an Emigrant

For more than ten years I have been trying to go abroad by emigrating. My father and mother refuse to let me travel and do not agree to it… Every time I insisted that they allow me to emigrate, but my request was always met with refusal… My father was less strict …


Linux Forensics Workshop

Hello, I’ve been invited by the Saudi Federation for Cyber Security and Programming (SAFCSP) to do a Linux Forensics workshop during their series of Cybersecurity Nights. My session will be next Thursday, May 14th, 2020 at 10:00 PM (KSA time) …


Investigating USB Drives using Mount Points Not Drive Letters

Yes, another excellent question came up by one of my students: If a user mounts the volume to a mount point, what artifacts could we find for the USB? Starting I think from Windows 8.1 or 10, a user could …


No Drive Letter, No USB Evidence? Think Again!

This post is about a question asked: If the user removes the drive letter to hide the presence of a mounted USB drive, could we still locate that drive in the Windows Registry? Short answer is, YES it will still …


Howto Setup and use the CuckooVM v2

This post should cover the basics of how to import and run a basic analysis using the Cuckoo VM which could be found here. I’m referring to this VM as CuckooVM version 2, since if you’ve been following, you already …
