Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis

While doing more experiments of running EXEs and Malicious EXEs from ADS and Stealthy ADS to continue my previous work “Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS“, and in order to create a forensic image and share it with the community as I mentioned here, I found some unusual findings!

When creating a forensic image, I also create a list of files and directories within that image, as seen in Figure 1, just for further checking and verification purposes. So, as usual, was doing the image to share and I noticed the following:

Figure 1: List of files found in a Forensic Image

Continue reading

Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS

One of my current students asked if using Stealth Alternate Data Streams (ADS), could bypass AVs? Therefore, I wanted to prove that for the student by doing a simple experiment. What was done is the following:
1. Turned off Windows Defender on my Windows System (used for testing)
2. Created a malicious reverse shell (reverse meterpreter) and copied it over to my Windows system. It was named rev.exe.

Contents of the directory I copied the rev.exe to:

3. Created a reverse shell listener (multi-handler) on my attacking system (Kali) and was waiting for the victim machine to connect back to it.

4. Used the commands we know to hide the reverse shell named “rev.exe” in LPT1.txt and then checked the contents of the temp directory (location of files) using FTK Imager
Continue reading

Offensive Software Exploitation Course

During this semester, which technically ends on Sunday 11:59 pm (5/5/2019), I taught this course at the college for a nice group of students. The course has nothing secret and no zero days were found LOL. But, still I think it was fun, but a fire hose of information to go over in a 5-weeks class! I might release the labs and I might not do that, not until the end of 2019. But anyway, just wanted to have it referred to here. Continue reading

Installing HDFS for Forensics Research

It sure has been a long time since I last wrote anything here, so I remembered there was a blog that is either dead or is about to die :)

Anyway, just wanted to say “hi” to everyone out there and let them know the blog is not dead, I will be sharing some of the work I have been doing, as soon as I can. For now, just wanted to share a couple of documents for those interested in working on HDFS. Continue reading

Anti-Forensics: Leveraging OS and File System Artifacts


I know it seems that the zone has been abandoned for a year, and that is why I didn’t want the year to end without posting anything. Anyway, this presentation has been covered in Feb-2016, and thought why not share it with the DFIR community, maybe it will be useful to someone out there.

Presentation title: Anti-Forensics: Leveraging OS and File System Artifacts.

It doesn’t cover all the anti stuff, but it is a good start.