notes on DFIR practice and practice
A question came in via mail this week: “I see that there is Windows-based security distribution flare-vm. I am wondering the difference between REMnux and flare-vm.
2020 Professional Development and Education rollup
dc404: 17 Oct 2020 presentation notes and link dump
In which yours truly takes REMnux 7 and Ghidra for a spin with some newly famous malware
HNFC Again, Again
Your InfoSec Career, as presented at BSides ATL 2019 @ KSU
Here is a collection of links from class discussions.
Debugging for Attack and Defence: Learning to Attack, a brownbag in the 2018 series.
A few notes about SEC506 and what I learned from it, plus the the start of my exam prep list for GCUX
Reading and Writing the Web: Learning to Attack, a brownbag from the 2018 series
2018 Kickoff: Learning to Attack
Some good FAQs from mailbox
GIFAR’s Magic Mimes Filed in 8 by 3: File types, identification techniques, and their weaknesses to attack
SANS GIAC Exam Study Tips
Herein are a few notes on my journey towards GSE as traditionally made and posted before the exam. For more info on GSE see the official site: https://giac.org/gse
Some words about hunting including some perspectives from different sources
This morning with much coffee I’m working between email to practice netcat between hosts for GSE, PWK, and generally building good character.
Some fairly detailed notes on the classes I taught, took, conferences I attended, fees, and other professional development and education expenses in 2016, for discussion
After looking at the tables with the MAC address for awhile I looked up the OUI online and substituted them in, hoping to catch something I’d missed. Indeed there was a third MAC from a third manufacturer in the discussion. All three OEMs make network gear as well as endpoint systems.
Notes on email-based file submission to analysis platforms
@adricnet presented this at DC404, Sept 2016 PDF of slides here: http://dfirfiles.net/myslides/breakin_dc404_2016.pdf
Hunting investigations should be SMART, and more over must have a scope and a terminating condition. Measurement can be simple success/fail (did we find it?) or the number of incidents and/or SIEM/IPS rules generated or updated.
some bookmarks
A study group around Practical Malware Analysis, Part I
draft post, no images, end notes, links yet
draft post, needs more links and images
Emily sent me so many copies of this executable in the last couple days that I decided to take a look:
As I’ve mentioned before one of the things I’m self-studying these days is file analysis. The chosen text is the most excellent Practical Malware Analysis (red with the alien autopsy cover). The authors include lab exercises to demonstrate the analysis techniques from each chapter and they are freely available, so buy a couple copies of the book, such as from the publisher’s site.
How to Learn About $SYSTEM Security General techniques for developing better understanding about security functions and asserting confidence in them
Do you want to know more?
A few examples from the major Windows command line tools
outline and notes for 2012 file types brownbag
Since I don’t really want someone else’s pictures and didn’t order anything from FedEx this week so I could safely ignore the odd emails coming in with subjects like “Re:” and “Your package is available for pickup” and zip file attachments. But I’m a curious sort …
A fairly high level component to Unix and networking magicks. Not for the novice, much.
##Linux
Kiddies, don’t try this at $home, a fake contest I wrote up in the fall of 2001