-
Recent Posts
- Talking about RFC 9424 – Indicators of Compromise (IoCs) and Their Role in Attack Defence
- PowerShell Basic Introduction (Security Version)
- Improving Technical Interviews
- AnyDesk Forensic Analysis and Artefacts
- Log4J/Log4Shell Video Glossary
- HatsOffSecurity on YouTube
- How to Create a Good Security CTF
- NoScript Plugin Forensic Investigation – Firefox/ToR Browser
- Keybase.io Forensics Investigation
- When is Index.dat not Evidence of Browsing
Categories
- anydesk
- Attack
- Browser Forensics
- Brute force
- Chrome
- Competition
- Competitions
- Containment
- Content Delivery Manager
- Cookies
- Cryptography
- CTF
- Cyber
- Cyber Security Challenge
- Decoding Time
- Encrypted Traffic
- Firefox
- Forensic Readiness Plan
- General
- Google Analytics
- Google Chrome
- Google Rapid Response
- Group Policy
- GRR
- Hardening
- Heartbleed
- Identification
- Incident Response
- Internet Explorer
- Interviews
- Introduction
- IoCs
- Jump Lists
- Keybase
- Link FIles
- Linux Forensics
- Memory Forensics
- Microsoft Edge
- My Two Cents
- Network Analytics
- Network Forensics
- pass the hash
- PCAP Analysis
- Pen Testing
- PowerShell
- Preparation
- Protocol
- ReadyBoost
- Research
- Safari
- SANS
- Shared Folders
- Shellshock
- SMB
- SSH
- TOR
- Uncategorized
- USB Forensics
- Windows Forensics
- Windows Registry Forensics
- Windows Registry Forensics
- Windows Spotlight
- Windows XP
- Wireshark
CyberLinks
- Follow Hats Off Security on WordPress.com
Tag Archives: artefact locations
AnyDesk Forensic Analysis and Artefacts
Click here to view this research on my YouTube channel What is AnyDesk? AnyDesk is a legitimate, non-malicious piece of software that is used by companies world wide to manage their IT systems, and can be used for free to … Continue reading
Keybase.io Forensics Investigation
What is Keybase.io? I was first introduced to Keybase a few years ago. It was explained to me as a place to validate your identity with regards to sharing public keys for email encryption. Showing that a Twitter account is … Continue reading
When is Index.dat not Evidence of Browsing
It is easy to fall into familiar habits as a human being, we see patterns in what we do and expect those patterns to persist. However when these patterns can be the difference between a person keeping or losing their … Continue reading
Decrypting Traffic in Wireshark
If you have a HTTPS session captured and are looking at unlocking the secrets that lie within, you are probably looking at Wireshark with eternal optimism hoping that somehow the magical blue fin will answer all of problems…. Sadly that’s … Continue reading
Identifying Sites in Encrypted Traffic
There is some mis-information around; that encrypted traffic is useless, and you should go back to netflow and statistical analysis only. I disagree. I will be doing a few posts showing clear-text information leakage we can use to our advantage. … Continue reading
Posted in Encrypted Traffic, Network Analytics, Network Forensics
Tagged artefact locations, basics, cyber security, hats off security, Network Forensics, PCAP, SSL, TLS
Leave a comment
SMB Tree Connect/Response Details
If you want to play along at home, the sample PCAP I will be using for SMB2+ is here, the SMB v1 PCAP is not something I can give away sadly. Tree Connect Request/Response When the SMB protocol connects to … Continue reading
Posted in Network Analytics, Network Forensics, SMB
Tagged artefact locations, hats off security, SMB, smbv1 vs smbv2
Leave a comment
SMBv2+ SYNC Header Explained
SMB2 Header The SMB2 Header will either be ASYNC or SYNC, you need to look this up from the flags. SYNC is the most common header as this can be in the form of a request or a response, where … Continue reading
Posted in Network Analytics, Network Forensics, SMB
Tagged artefact locations, basics, hats off security, Network Forensics, SMB
Leave a comment
Windows Spotlight Image Location
Bit of a change from my typical security related posts. I was hunting around on my machine for a new blog post when I stumbled across a folder full of oddly named files. The files were named as their SHA1 … Continue reading
Posted in Content Delivery Manager, Windows Spotlight
Tagged artefact locations, basics, file locations, hats off security, spotlight, Windows 10
1 Comment
Flash Cookies – aka Locally Shared Objects
Flash Cookie Location [Throughout this article I will use the term ‘flash cookie’ over ‘LSO’ as these posts are currently about finding and removing cookies] %AppData%\Macromedia\Flash Player\#SharedObjects\<random text>\ Under this folder you will a list of the sites which have … Continue reading
Posted in Browser Forensics, Cookies, Firefox
Tagged artefact locations, browser forensics, cookies, firefox, hats off security
Leave a comment
HTTP Cookies – Part 4 – Safari Cookies
Safari Location Pretty sure this location has been the same for a number of years now, if not let me know in the comments: ~/libraries/cookies Removing Safari Cookies I am not a MAC expert, so I am going to bow … Continue reading
Posted in Browser Forensics, Cookies, Safari
Tagged artefact locations, basics, browser forensics, cookies, hats off security, Safari
Leave a comment
Hats Off Security 