Hats Off Security
Category Archives: Windows Forensics
SANS Christmas Hacking Challenge
I thought I would write about my experiences with the Christmas Hacking Challenge by SANS. I am writing this before Christmas, but I won't publish it until after the closing date for obvious reasons 🙂 The challenge has an amazing … Continue reading
Posted in Competition, Cyber, Heartbleed, Pen Testing, Research, SANS, Shellshock, USB Forensics, Windows Forensics
Tagged ../../../../, directory traversal, hats off security, heartbleed, linux, research, sans competiton, shellshock
Mounted Devices Key
Here is a screen capture of a Mounted Devices key. As you can see, it can appear quite daunting. In a previous blog post I covered how a USB Mass Storage device would simply convert ASCII to Hex and use … Continue reading
USB Forensics Update
Update #1: This is a late update to USB Forensics Part 4 – Volume Serial Number. An important side note: as I have done more investigations I have realised that this key will not be populated if the machine is deemed … Continue reading
Research: Decoding LanmanServer\Shares
For my first fully independent research topic I chose to look at the registry key created when an object is shared. This all started with a job we were investigating recently where the indicators we were given did not turn … Continue reading
Google Analytic Cookies
Google Analytic Cookies are very powerful at tracking what we do and where we do it; by knowing how they work you can use this to your advantage. Assumptions: it is quite rare that I add in assumptions, but this topic could potentially … Continue reading
Link Files
Link (lnk) files are a valuable source of information in a forensic investigation and should not be casually overlooked. What are Link files? Link files are created by the system when a file is opened, even if that file is … Continue reading
Posted in Link FIles, Windows Forensics
Tagged artefact locations, basics, hats off security, link files, windows 7, Windows8
Jump Lists
What is a Jump List? A Jump List looks something like this (screenshot omitted). From left to right we have: Windows Media Player, Start Menu, Wordpad, Internet Explorer. Jump Lists were introduced in Windows 7 to allow frequently used files/tasks/webpages to be selected … Continue reading
Chrome – Basics
Google Chrome, or just Chrome, is (at the time of writing) the most popular web browser by a fair amount. Twice as popular as Mozilla’s Firefox. Chrome stores its artefacts in SQLite, JSON (JavaScript Object Notation) and SNSS (Session Saver) … Continue reading
Internet Explorer – Basics
As IE comes bundled with Windows as standard it is often the browser (of choice?) used by a lot of organisations. Larger organisations are also often slower to update IE, in my experience, as they have integrated business critical applications … Continue reading
Mozilla Firefox – Basics
Mozilla Firefox was the most popular back in 2011, and although its popularity has been surpassed by Google Chrome (which I will cover later), it still holds around a quarter of the internet’s browser base. With Windows 7 there were … Continue reading
Posted in Browser Forensics, Firefox
Tagged browser forensics, firefox, hats off security, sqlite, Windows8