When you need to quickly investigate a suspicious computer located thousands of kilometers away, or during a pandemic like the one we are facing these days, it can be critical to gain remote access to the computer, just to perform basic investigations. Also, if the attacker did a clever job, he could
[SANS ISC] Investigating Microsoft BITS Activity
I published the following diary on isc.sans.org: “Investigating Microsoft BITS Activity“: Microsoft BITS (“Background Intelligent Transfer Service”) is a tool present in all modern Microsoft Windows operating systems. As the name says, you can see it as a “curl” or “wget” tool for Windows. It helps to transfer files between
CoRIIN 2018 Wrap-Up
A security conference does not need to be “big” to be interesting. Size doesn’t matter with security conferences ;-). I’m in Lille, France where I attended the conference called “CoRIIN“. This event is held in French and means “Conférence sur la réponse aux incidents et l’investigation numérique” or “Incident Response
[SANS ISC] Comment your Packet Captures!
I published the following diary on isc.sans.org: “Comment your Packet Captures!“: When you are investigating a security incident, a key element is to take notes and to document as much as possible. There is no “best” way to take notes, some people use electronic solutions while others are using good
Email Tracking for Dummies
Recently, I was involved in an incident handling mission to find how some confidential emails were being tracked. Let’s imagine a first scenario: Alice sends a mail to Bob. Bob reads Alice’s email and Alice gets notified. Nothing special, this is a standard feature offered by most commercial messaging solutions.
Sending Windows Event Logs to Logstash
This topic is not brand new, there exist plenty of solutions to forward Windows event logs to Logstash (OSSEC, Snare or NXlog amongst many others). They perform a decent job to collect events on running systems but they need to deploy an extra piece of software on the target operating systems. For a specific
Online Router Forensics Lab
When my friend Didier Stevens contacted me last year to help him with a BruCON 5×5 project, I simply could not decline! Didier developed a framework to perform forensic investigations on Cisco routers. His framework is called NAFT (“Network Appliance Forensic Toolkit”). It is written in Python and provides a
Are You Playing “Cold Case” with Your Logs?
Two days ago, I attended an event about “big data” (yeah, another buzz word) and how to use it for security purposes. One of the presented talks was very interesting and almost changed my mind about our best friends (or nightmare)… logs! When I’m talking about log management with customers,
Belgium will have its Own Cybercrime Competence Center?
As I wrote in a previous blog post, I went to the FIC2010 conference last week. One of the talks I attended was about the “2centre” initiative. 2centre (“2c” for “cc”) means “Cybercrime Centers of Excellence Network for Training, research and Education“. Those centers of excellence focus on law enforcement.
What’s Behind Microsoft COFEE?
It was announced a few days ago: Microsoft COFEE has been leaked on the wild Internet! Microsoft COFEE stands for “Computer Online Forensic Evidence Extractor“. This “forensic swiss army knife” is available for free to police forces around the world to conduct official forensic investigations. Note: It’s reportedly illegal for