Category Archives: Windows Forensics

Talking about RFC 9424 – Indicators of Compromise (IoCs) and Their Role in Attack Defence

Discussing the newly published RFC 9424 and how IoCs can be used to build better defences, without relying on looking backwards.

Posted in Attack, Cyber, General, Hardening, Incident Response, Introduction, IoCs, Windows Forensics

PowerShell Basic Introduction (Security Version)

PowerShell has grown since its introduction in 2003 and implementation in Windows XP in 2006. What started as a closed source, proprietary upgrade to the Command Prompt has now grown into an open-source, resource rich Command Line Interface (CLI) and …

Posted in Incident Response, PowerShell, Preparation, Windows Forensics

AnyDesk Forensic Analysis and Artefacts

Click here to view this research on my YouTube channel. What is AnyDesk? AnyDesk is a legitimate, non-malicious piece of software that is used by companies worldwide to manage their IT systems, and can be used for free to …

Posted in anydesk, Windows Forensics

NoScript Plugin Forensic Investigation – Firefox/ToR Browser

In this blog post I plan to show that using the NoScript plugin it is possible to glean information about what sites, or files, a user accessed while in a private browsing session and also whilst using the TOR browser. …

Posted in Browser Forensics, Firefox, TOR, Windows Forensics

Keybase.io Forensics Investigation

What is Keybase.io? I was first introduced to Keybase a few years ago. It was explained to me as a place to validate your identity with regards to sharing public keys for email encryption. Showing that a Twitter account is …

Posted in Keybase, Linux Forensics, Windows Forensics

When is Index.dat not Evidence of Browsing

It is easy to fall into familiar habits as a human being; we see patterns in what we do and expect those patterns to persist. However, when these patterns can be the difference between a person keeping or losing their …

Posted in Browser Forensics, Internet Explorer

Cyber Security Challenge Masterclass 2016

This year’s Cyber Security Challenge Masterclass saw over 40 contestants battling to become crowned the winner. I was fortunate enough to be invited as an assessor for the whole event. What follows are my views and interpretation of the event. …

Posted in Competition, Cyber, Cyber Security Challenge, Memory Forensics, Network Forensics, Pen Testing, Windows Forensics, Wireshark

Flash Cookies – aka Locally Shared Objects

Flash Cookie Location [Throughout this article I will use the term ‘flash cookie’ over ‘LSO’ as these posts are currently about finding and removing cookies] %AppData%\Macromedia\Flash Player\#SharedObjects\<random text>\ Under this folder you will see a list of the sites which have …

Posted in Browser Forensics, Cookies, Firefox

HTTP Cookies – Part 4 – Safari Cookies

Safari Location Pretty sure this location has been the same for a number of years now; if not, let me know in the comments: ~/libraries/cookies Removing Safari Cookies I am not a Mac expert, so I am going to bow …

Posted in Browser Forensics, Cookies, Safari

HTTP Cookies – Part 3 – Chrome Cookies

Chrome Location Windows 7 onwards: %LocalAppData%\Google\Chrome\User Data\Default Unlike Internet Explorer (and like Firefox) Chrome does not use individual text files, but instead uses a SQLite database. In order to view this you will need a SQLite browser (easy to get …

Posted in Browser Forensics, Chrome, Cookies