CTI Summit 2018

“Kick off the new year with the industry’s top CTI experts at the SANS Cyber Threat Intelligence Summit”

This January, cyber threat intelligence (CTI) practitioners from around the world will gather in Arlington, Va., for the SANS DFIR Cyber Threat Intelligence Summit & Training. One of only a handful of events devoted to cyber threat intelligence and analysis, the SANS CTI Summit brings together leading experts and analysts ...
From Seizure to Actionable Intelligence in 90 Minutes or Less

“Strengthen Your Investigatory Powers by Taking the New FOR498: Battlefield Forensics & Data Acquisition Course from SANS”

Digital forensics is a high-stress, high-stakes job. There are so many devices, repositories, and massive data sets, yet in most cases you have only one chance to find and properly extract the evidence that can make or break your case. The new SANS course FOR498: Battlefield Forensics & Data Acquisition is ...
iOS Location Mapping with APOLLO Part 2: Cellular and Wi-Fi Data (locationd)

My previous article showed a new capability of APOLLO with KMZ location file support. It worked great for routined data, but there was something missing. What about the cellular and Wi-Fi locations that are stored in databases? Well, turns out I need to test better. I fixed the locationd modules to have the activity as ...
iOS Location Mapping with APOLLO Part 1: I Know Where You Were Today, Yesterday, Last Month, and Years Ago!

I added preliminary KMZ (zipped KML) support to APOLLO. If any APOLLO module's SQL query has "Location" in its Activity field, it will extract the location coordinates in the column "Coordinates" as long as they are in Latitude, Longitude format (i.e., 38, -77). These are more or less an upgrade/replacement for my previous ...
Countdown to DFIRCON 2019!

At this year's annual DFIRCON 2019, one of the industry's most unique Digital Forensics and Incident Response (DFIR) training events, you'll train, network and battle with the best. Join us in Coral Gables, Fla., Nov. 4 - Nov. 9, to level up your DFIR skills, get in on the latest ...
Triage Collection and Timeline Analysis with KAPE

“Triage Collection and Timeline Generation with KAPE”

As a follow-up to my SANS webcast, which you can view here, I wanted to post detailed instructions on how to use KAPE to collect triage data and generate a mini-timeline from the data collected. As much as I hate to say "push button forensics", once you get KAPE up ...
A few Ghidra tips for IDA users, part 4 - function call graphs

One of the features of IDA that we use in FOR610 that can be helpful for detecting malicious patterns of API calls is the feature for creating a graph of all function calls called from the current function and any functions that it calls. The graph itself isn't all that ...
A few Ghidra tips for IDA users, part 2 - strings and parameters

Continuing with my preliminary exploration of Ghidra. If we continue with the call to RegOpenKeyExA from last time (yes, I know this code is unreachable as we discussed last time, but let's keep going anyway) ...
A few Ghidra tips for IDA users, part 1 - the decompiler/unreachable code

As I continue to explore NSA's new reversing tool, Ghidra, one of the features that I heard about and was excited to see in action was the decompiler. So, in this entry in the series, I'll start to delve into that some. In particular, I'll look at one particular option ...
A few Ghidra tips for IDA users, part 0 - automatic comments for API call parameters

If you haven't been living under a rock, you probably heard that the NSA released its reverse-engineering tool, Ghidra, at RSA last month. I've been an IDA user for years (it's the primary disassembler we use when I teach FOR610), but I've been trying out Ghidra over the last few ...