Category: Windows Incident Response
Views on AI & the Anthropic Report
There’s been a lot of chatter over the use of AI in various fields, and because it’s my professional focus, I’m most interested in how it’s used in cybersecurity. Now, that doesn’t mean that I’m not aware of how it’s…
What’s on your clipboard?
One of the fascinating aspects of Windows systems, from a DF/IR perspective, for me has been the clipboard. Notice I said, “one of”, rather than “the”…that’s because there are a lot of fascinating aspects of Windows systems when it comes…
Questions I’ve Been Asked
Sometimes I’ll get questions via different routes…webinars or podcasts, via social media, DM, or even email. Getting questions is good, because it keeps me aware that I’m in somewhat of a bubble, given the work I do and the environment…
Grab Bag
This started out as a bit of an end-of-the-year grab bag of posts, but I don’t like simply linking to things, dropping links with no explanation as to why; instead, I’d rather share the why behind what I found interesting about the…
Windows Defender Support Logs
I ran across a LinkedIn post the other day that mentioned using Windows Defender Support Logs (actually, I think the post referred to them as “diagnostic” logs). These logs are found in the following folder: C:\ProgramData\Microsoft\Windows Defender\Support\ …and follow the…
Question on Open Source Tools
I received a question recently, one I receive every now and again, asking if there are any updates to an open source tool I created a while back, called “RegRipper”. This time, the question came in this way: Is there any…
Perspectives on Cybersecurity
I’m not a fan of many podcasts. I do like a conversational style, and there are some podcasts that I listen to, albeit not on a regular basis, and not for technical content. They’re mostly about either “easter eggs” in Marvel…
Releasing Open Source Tools to the Community
Every now and then, I get contacted by someone who tells me that they used the open source tools I’ve released in either a college course they took, or in a course provided by one of the many training vendors in…
Intel in LNK Files
I was reading a pretty interesting write-up from Seqrite regarding, in part, the use of pseudo-polyglot documents. In this case, delivery occurred via a ZIP archive that contains an LNK file and a PNG file. The PNG file is a pseudo-polyglot file…
Registry: FeatureUsage
Maurice posted on LinkedIn recently about one of the FeatureUsage Registry key subkeys; specifically, the AppSwitched subkey. Being somewhat, maybe even only slightly aware of the Windows Registry, I read the post with casual, even mild interest. Someone posted recently that cybersecurity…
Thoughts on Analysis
Warning – before you get started reading this blog post, it’s only fair that I warn you…in this post, I make the recommendation that you document your analysis process. If you find this traumatic, you might want to just move…
Unprecedented Complexity
I saw it again, just today. Another post on social media stating that IT teams/defenders “face unprecedented complexity”. This one stood out amongst all of the posts proclaiming the need for agentic AI on the defender’s side, due to how these…
Images
In writing Investigating Windows Systems, published in 2018, I made use of publicly available images found on the Internet. Some were images posted as examples of techniques, others were posted by professors running courses, and some were from CTFs. If…
File Formats
I’m a huge fan of MS file formats, mostly because they provide for the possibility of an immense (and often untapped, unexploited) amount of metadata. Anyone who’s followed me for any length of time, or has read my blog, knows…
What We Value
Over the past couple of days, I’ve had images pop up in my feed showing people’s workstations, most often with multiple screens. I’ve seen various configurations, some with three or more screens, but the other thing I’ve noted is that…
Analysis Playbooks: USB
In 2005, Cory Altheide and I published the first peer-reviewed paper to address tracking USB devices on Windows systems. Over the years, it’s been pretty amazing to see not only the artifacts expand and evolve, but to also see folks…
Registry Analysis
First off, what is “analysis”? I submit that “analysis” is what happens when an examiner has investigative goals and context, and applies this, along with their knowledge and experience, to a data set. This can be anything, from a physical…
Analyzing Ransomware
Not long ago, I ran across this LinkedIn post on analyzing a ransomware executable, which led to this HexaStrike post. The HexaStrike post covers analyzing an AI-generated ransomware variant, which (to be honest) is not something I’m normally interested in;…
Ransomware artifacts
I recently read through this FalconFeeds article on Qilin ransomware; being in DFIR consulting for as long as I have, and given how many ransomware incidents I’ve responded to or dug into, articles with titles like this attract my attention.…