-
Recent Posts
- Talking about RFC 9424 – Indicators of Compromise (IoCs) and Their Role in Attack Defence
- PowerShell Basic Introduction (Security Version)
- Improving Technical Interviews
- AnyDesk Forensic Analysis and Artefacts
- Log4J/Log4Shell Video Glossary
- HatsOffSecurity on YouTube
- How to Create a Good Security CTF
- NoScript Plugin Forensic Investigation – Firefox/ToR Browser
- Keybase.io Forensics Investigation
- When is Index.dat not Evidence of Browsing
Categories
- anydesk
- Attack
- Browser Forensics
- Brute force
- Chrome
- Competition
- Competitions
- Containment
- Content Delivery Manager
- Cookies
- Cryptography
- CTF
- Cyber
- Cyber Security Challenge
- Decoding Time
- Encrypted Traffic
- Firefox
- Forensic Readiness Plan
- General
- Google Analytics
- Google Chrome
- Google Rapid Response
- Group Policy
- GRR
- Hardening
- Heartbleed
- Identification
- Incident Response
- Internet Explorer
- Interviews
- Introduction
- IoCs
- Jump Lists
- Keybase
- Link FIles
- Linux Forensics
- Memory Forensics
- Microsoft Edge
- My Two Cents
- Network Analytics
- Network Forensics
- pass the hash
- PCAP Analysis
- Pen Testing
- PowerShell
- Preparation
- Protocol
- ReadyBoost
- Research
- Safari
- SANS
- Shared Folders
- Shellshock
- SMB
- SSH
- TOR
- Uncategorized
- USB Forensics
- Windows Forensics
- Windows Registry Forensics
- Windows Registry Forensics
- Windows Spotlight
- Windows XP
- Wireshark
CyberLinks
- Follow Hats Off Security on WordPress.com
Author Archives: HatsOffSecurity
Ringzer0team – Forensics Challenge 35 – Poor internet connection
This writeup is to explain how to get the answer (flag) to the Forensic Challenge named “Poor Internet Connection” I will not be posting the flag here as I am giving you all of the instructions to get it yourself! … Continue reading
Posted in Competitions, Cyber, Network Analytics, Network Forensics, PCAP Analysis
Tagged file carving, hats off security, hex, Network Forensics, PCAP, pcap carving, Wireshark
1 Comment
TTLs and where to find them
Recently I have been conducted a lot of interviews for SOC Analysts; one of the questions I ask is as follows: You are reviewing your DNS logs and find an answer to a DNS query which shows rabbitcoldhotel.evil.com on <AnyExternalIP> … Continue reading
Posted in Network Analytics, Network Forensics
Tagged basics, hats off security, Interview Questions, Network Forensics, SOC Analyst
2 Comments
Windows Spotlight Image Location
Bit of a change from my typical security related posts. I was hunting around on my machine for a new blog post when I stumbled across a folder full of oddly named files. The files were named as their SHA1 … Continue reading
Posted in Content Delivery Manager, Windows Spotlight
Tagged artefact locations, basics, file locations, hats off security, spotlight, Windows 10
1 Comment
OpenDoor Scanner vs SimpleHTTPServer (PCAP)
Often when analysing attacks, scans or just general traffic it is difficult to identify the specific tool or technique in use. This is simply because there isn’t a reference database for every tool. So I thought I would upload a … Continue reading
Posted in Network Forensics, PCAP Analysis, Research, Wireshark
Tagged analysis, hats off security, linux, Network Forensics, PCAP, research
1 Comment
Cyber Security Challenge Masterclass 2016
This year’s Cyber Security Challenge Masterclass saw over 40 contestants battling to become crowned the winner. I was fortunate enough to be invited as an assessor for the whole event. What follows are my views and interpretation of the event. … Continue reading
Flash Cookies – aka Locally Shared Objects
Flash Cookie Location [Throughout this article I will use the term ‘flash cookie’ over ‘LSO’ as these posts are currently about finding and removing cookies] %AppData%\Macromedia\Flash Player\#SharedObjects\<random text>\ Under this folder you will a list of the sites which have … Continue reading
Posted in Browser Forensics, Cookies, Firefox
Tagged artefact locations, browser forensics, cookies, firefox, hats off security
Leave a comment
HTTP Cookies – Part 4 – Safari Cookies
Safari Location Pretty sure this location has been the same for a number of years now, if not let me know in the comments: ~/libraries/cookies Removing Safari Cookies I am not a MAC expert, so I am going to bow … Continue reading
Posted in Browser Forensics, Cookies, Safari
Tagged artefact locations, basics, browser forensics, cookies, hats off security, Safari
Leave a comment
HTTP Cookies – Part 3 – Chrome Cookies
Chrome Location Windows 7 onwards: %LocalAppData%\Google\Chrome\User Data\Default Unlike Internet Explorer (and like Firefox) Chrome does not use individual text files, but instead uses a SQLite database. In order to view this you will need a SQLite browser (easy to get … Continue reading
Posted in Browser Forensics, Chrome, Cookies
Tagged artefact locations, basics, browser forensics, chrome, hats off security, Windows 10, windows 7, windows 8.1, Windows8
Leave a comment
HTTP Cookies – Part 2 – Firefox
Firefox Location Windows 7 and onwards %AppData%\Mozilla\Firefox\Profiles\<profile.name>\cookies.sqlite Unlike Internet Explorer (and like Chrome) Firefox does not use individual text files for storing cookies, instead it uses a SQLite database. In order to view this you will need a SQLite browser … Continue reading
Posted in Browser Forensics, Cookies, Firefox
Tagged artefact locations, browser forensics, cookies, firefox, hats off security, Windows 10, windows 7, windows 8.1, Windows8
Leave a comment
HTTP Cookies – Part 1 – Internet Explorer and Microsoft Edge
Finding Internet Explorer/Edge Cookies (Windows 7-10… possibly Vista, but who uses Vista?!) Microsoft introduced a cool new way of finding your cookies. From the Run prompt or any Explorer window type “shell:cookies” and you will be taken to the Cookies … Continue reading