The Application Experience and Compatibility feature is considered one of the pillars of the Microsoft Windows operating systems. Microsoft states, in reference to the Microsoft Application Compatibility Infrastructure (Shim Infrastructure): "as the Windows operating system evolves from version to version, changes to the implementation of some functions may affect applications that depend on them."
Since PDF files are so common these days there's no shortage of tools to rip them apart and...
There have been some exciting developments recently on the Windows digital forensic analysis...
Corey Harrell has uploaded an excellent writeup on the workings of the Windows Application Experience and Compatibility features. Here he explains how process entries/traces show up in locations such as the ShimCache and RecentFileCache.bcf. For forensic/malware analysts, this is a great place to search for recently run processes.
This is pretty straightforward, but it depends on what we want to do with the files. I assumed that the larger files should be deleted since they are redundant. This will leave us with only the smallest file in the directory. Let's start off by listing all the files in the current directory and sorting them by size.
The Canadian government recently put forward a new set of cyber laws designed to prevent online bullying. The proposed legislation immediately drew howls of outrage from all corners, accusing the government of simply reviving its previous failed attempt at introducing draconian state snooping in a new disguise. So, what's really going on with Bill C-13?
I bought Didier Stevens' PDF workshop and just started it today. As he was showing PDFiD, I was thinking about ways of using PDFiD to instantly focus my efforts for analysis when faced with multiple PDF documents. Of course my mind turned to Python, but I thought of an even easier shell script which could potentially do the job, depending on the number of files you have!
The Hacker Academy recently released its new Windows Registry Master Class. Prior to its release, Hacker Academy senior instructor Andrew Case contacted me and asked if I'd like to review the course. I, of course, said yes and got signed up when the course was ready.
Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we've been wondering if it's done anything to antivirus products. Given that it engages in offensive cyber attacks — and launches cyber weapons like Stuxnet and Flame — it's reasonable to assume that it's asked antivirus companies to ignore its malware.
One good information security practice is known as the “two-man rule.” It comes from military history, where a nuclear missile couldn’t be launched unless two people agreed and turned their launch keys simultaneously. This requirement was introduced in order to prevent one individual from accidentally (or intentionally) starting World War III.
Previous years were not good for PDF users, as several vulnerabilities were published, such as a buffer overflow vulnerability in versions prior to version 9. A lot of attacks were observed trying to abuse the bug through social engineering or by hosting malicious PDF files on the Internet. Just the simple act of opening the PDF file could exploit a vulnerability to automatically download malicious code from the Internet.
Why does Web security matter? Website watering hole attacks are becoming increasingly popular with attackers — if they can plant an invisible iframe that redirects a user from a legitimate website, they can push a user to a compromised website hosting a cocktail of exploits to attack the client computer connecting to it.
As we now know, widespread surveillance and monitoring of what we do online means that third parties — from intelligence organizations and the private sector all the way to cybercrime gangs — are sniffing and keeping giant stashes of our internet traffic, just in case. And although that traffic may be illegible now, thanks to HTTPS encryption, what about tomorrow, or next year, or even next decade?
Another year is drawing to a close, and Congress — locked in partisan gridlock and unable to fulfill its most basic responsibilities — again has failed to update any of the nation’s cybersecurity laws. Fortunately, you don’t have to depend on Congress to secure your systems.
I conducted some analysis recently where I used timeline analysis, Volatility, and the Sniper Forensics concepts shared by Chris Pogue to develop a thorough set of findings in relatively short order. I was analyzing an image acquired from a system thought to have been infected with Poison Ivy. All I had to go on were IPS alerts of network traffic originating from this system on certain dates.
As 2013 draws to a close, FireEye researchers are already looking ahead to 2014 and the shifting threat landscape. Expect fewer Java zero-day exploits and more browser-based ones. Watering-hole attacks may supplant spear-phishing attacks. And thanks to an emerging class of mobile malware, the security landscape is about to get a lot more complicated.
Due to changes with my employer last spring, my new responsibilities include all things involving incident response. I won’t go into details about what I’m doing for my employer, but I wanted to share some linkz I came across. Similar to my responsibilities, these linkz include all things involving incident response.
Tracking USB device insertion times has never been an easy task, given that there is no direct timestamp saved by Windows for this activity, i.e., until Windows 8 arrived! This was a real pain in Windows Vista and 7, as dates and times were obtained from many different Registry keys’ Last Modified timestamps. And while this was reasonably reliable, timestamps thus retrieved always had to be taken with a pinch of salt!