I published the following diary on isc.sans.edu: “Using OSSEC Active-Response as a DFIR Framework”: In most of our networks, endpoints are often the weakest link because there are more difficult to control (example: laptops are travelling, used at home, etc).They can also be located in different locations even countries for
I published the following diary on isc.sans.org: “Converting PCAP Web Traffic to Apache Log“: PCAP data can be really useful when you must investigate an incident but when the amount of PCAP files to analyse is counted in gigabytes, it may quickly become tricky to handle. Often, the first protocol
I published the following diary on isc.sans.org: “Investigating Microsoft BITS Activity“: Microsoft BITS (“Background Intelligent Transfer Service”) is a tool present in all modern Microsoft Windows operating systems. As the name says, you can see it as a “curl” or “wget” tool for Windows. It helps to transfer files between
A security conference does not need to be “big” to be interesting. Size doesn’t matter with security conferences ;-). I’m in Lille, France where I attended the conference called “CoRIIN“. This event is held in French and means “Conférence sur la réponse aux incidents et l’investigation numérique” or “Incident Response
I published the following diary on isc.sans.org: “Comment your Packet Captures!“: When you are investigating a security incident, a key element is to take notes and to document as much as possible. There is no “best” way to take notes, some people use electronic solutions while others are using good
I published the following diary on isc.sans.org: “Hunting for Malicious Excel Sheets“. Recently, I found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file.
Honestly, I never really played with Docker but… For a few weeks, I succumbed to the temptation of playing with Docker thanks to a friend who’s putting everything in docker containers. If you still don’t know Docker, here is a very brief introduction: Docker lets you run applications in a “container“. In this
Recently, I was involved in an incident handling mission to find how some confidential emails were being tracked. Let’s imagine a first scenario: Alice sends a mail to Bob. Bob reads Alice’s email and Alice gets notified. Nothing special, this is a standard feature offered by most commercial messaging solutions.
This topic is not brand new, there exists plenty of solutions to forward Windows event logs to Logstash (OSSEC, Snare or NXlog amongst many others). They perform a decent job to collect events on running systems but they need to deploy extra piece of software on the target operating systems. For a specific
When my friend Didier Stevens contacted me last year to help him with a BruCON 5×5 project, I simply could not decline! Didier developed a framework to perform forensic investigations on Cisco routers. His framework is called NAFT (“Network Appliance Forensic Toolkit”). It is written in Python and provides a