Disabled comments

Published on – Author Sebastian Nerz

I disabled comments (for older posts). As I’m too busy to actually write lots of stuff there are unsurprisingly few real comments – and loads of spam. Thus – for the moment at least – I disabled comments on this blog (for posts of a given age). Feel free to drop me a mail if… Continue reading Disabled comments

Little standard malware

Published on – Author Sebastian Nerz

Sometimes I like to have a look at malware. E.g. at the one received on my private mail account. Yesterday, a ZIP archive containing a bill reached my inbox. Nothing unusual, that kind of malware is as common as sand on the beach. Name: Rechnung.zip MD5: cc8a8ce3e6c1b383b12230f99cc20e0f SHA: 1ed3d00ca7e43cfb8c83af978e2b5f26af383d10 Size: 4947 Byte $ unzip Rechnung.zip Archive:… Continue reading Little standard malware

Standalone USNJrnl-Parser (X-Ways formatted MFT-Records)

Published on – Author Sebastian Nerz

I originally planned to adapt my USNJrnl-Parser to Plaso’s new filesystem API and get it back to a usable condition. But – alas – time is running short. As we had some troubles with some of the USNJrnl parsers found in the wild, I made some small adaptations to my original Plaso module, so that it… Continue reading Standalone USNJrnl-Parser (X-Ways formatted MFT-Records)

The USN Journal and some Windows internals – LNK and PF

Published on – Author Sebastian Nerz

Windows link files are a pretty common, well documented and important artifact in computer forensics (for starters see the Forensics Wiki). One of the things I’ve yet to see is an analysis of the $UsnJrnl:$J file during *manual* link file creation. I agree that this is not something too common in incident response – but I’ve… Continue reading The USN Journal and some Windows internals – LNK and PF

Parsing $UsnJrnl:$J in Python

Published on – Author Sebastian Nerz

The USN Change Journal is a pretty often documented forensic artefact. Present since Windows XP, it documents changes to the filesystem in order to ensure filesystem stability and correctness. I won’t document its main features or methods of analysis here, that has been done at great length by David Cowen, Corey Harrell and with some… Continue reading Parsing $UsnJrnl:$J in Python

Prophecies – or: About this blog

Published on – Author Sebastian Nerz

TL;DR: This is yet another blog about digital forensics and incident response. I will blog (I guess sporadically) about new artefacts I encounter, some more-or-less interesting facts, figures and speculations and maybe things that you will actually be able to use. Or not, we will see. In contrast to popular belief, the past is an unknown… Continue reading Prophecies – or: About this blog