Author Archives: [email protected]

About [email protected]

[Between Teams of Red and Blue, I'm with the Purple Team]

Forensic Acquisitions over Netcat

In the past I used to write here what I did so I do not forget, so I’ll try to get back to that habit again :) These days whenever I find time, I’m playing with TSURUGI, which is a … Continue reading

Posted in DFIR, GNU/Linux | Tagged , , , , , , , , , | Comments Off on Forensic Acquisitions over Netcat

Windows InstallTime vs InstallDate Registry Values

This is just a quick post about two Registry Values InstallTime and InstallDate which are found under the following key: SOFTWARE\Microsoft\Windows NT\CurrentVersion The confusion happens when my students ask which one is correct?

Posted in Forensics, Windows | Tagged , , , , , , | Comments Off on Windows InstallTime vs InstallDate Registry Values

Update: Hidden Prefetch Files Detection using New PECmd

Before diving into this post, I wanted to say, that I have been teaching digital forensics for a long time by now, and in my Operating System Forensics class, I use Eric Zimmerman‘s tools a lot, and when I say … Continue reading

Posted in AntiX, ThreatHunting, Windows | Tagged , , , , , , , , | Comments Off on Update: Hidden Prefetch Files Detection using New PECmd

Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis

While doing more experiments of running EXEs and Malicious EXEs from ADS and Stealthy ADS to continue my previous work “Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS“, and in order to create a forensic image and … Continue reading

Posted in AntiX, Forensics, ThreatHunting, Windows | Tagged , , , , , , , , | Comments Off on Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis

Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS

One of my current students asked if using Stealth Alternate Data Streams (ADS), could bypass AVs? Therefore, I wanted to prove that for the student by doing a simple experiment. What was done is the following: 1. Turned off Windows … Continue reading

Posted in AntiX, Forensics, Malware, Metasploit, Windows | Tagged , , , , , , | Comments Off on Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS