-
Recent Posts
- Talking about RFC 9424 – Indicators of Compromise (IoCs) and Their Role in Attack Defence
- PowerShell Basic Introduction (Security Version)
- Improving Technical Interviews
- AnyDesk Forensic Analysis and Artefacts
- Log4J/Log4Shell Video Glossary
- HatsOffSecurity on YouTube
- How to Create a Good Security CTF
- NoScript Plugin Forensic Investigation – Firefox/ToR Browser
- Keybase.io Forensics Investigation
- When is Index.dat not Evidence of Browsing
Categories
- anydesk
- Attack
- Browser Forensics
- Brute force
- Chrome
- Competition
- Competitions
- Containment
- Content Delivery Manager
- Cookies
- Cryptography
- CTF
- Cyber
- Cyber Security Challenge
- Decoding Time
- Encrypted Traffic
- Firefox
- Forensic Readiness Plan
- General
- Google Analytics
- Google Chrome
- Google Rapid Response
- Group Policy
- GRR
- Hardening
- Heartbleed
- Identification
- Incident Response
- Internet Explorer
- Interviews
- Introduction
- IoCs
- Jump Lists
- Keybase
- Link FIles
- Linux Forensics
- Memory Forensics
- Microsoft Edge
- My Two Cents
- Network Analytics
- Network Forensics
- pass the hash
- PCAP Analysis
- Pen Testing
- PowerShell
- Preparation
- Protocol
- ReadyBoost
- Research
- Safari
- SANS
- Shared Folders
- Shellshock
- SMB
- SSH
- TOR
- Uncategorized
- USB Forensics
- Windows Forensics
- Windows Registry Forensics
- Windows Registry Forensics
- Windows Spotlight
- Windows XP
- Wireshark
CyberLinks
- Follow Hats Off Security on WordPress.com
Author Archives: HatsOffSecurity
Mounted Devices Key
Here is a screen capture of a Mounted Devices key. As you can see it can appear quite daunting. In a previous blog post I covered how a USB Mass Storage devices would simply convert ASCII to Hex and use … Continue reading
USB Forensics Update
Update #1 This is a late update to USB Forensics Part 4 – Volume Serial Number An important side note: As I have done more investigations I realised that this key will not be populated if the machine is deemed … Continue reading
Research: Decoding LanmanServer\Shares
For my first fully independent research topic I chose to look at the registry key created when an object is shared. This all started with a job we were investigating recently where the indicators we were given did not turn … Continue reading
Google Analytic Cookies
Google Analytic Cookies are very powerful at tracking what we do and where we do it, by knowing how they work you can use this to your advantage. Assumptions Quite rare I add in assumptions, but this topic could potentially … Continue reading
Link Files
Link (lnk) files are a valuable source of information in a forensic investigation and should not be casually overlooked. What are Link files? Link files are created by the system when a file is opened, even if that file is … Continue reading
Posted in Link FIles, Windows Forensics
Tagged artefact locations, basics, hats off security, link files, windows 7, Windows8
Leave a comment
Jump Lists
What is a Jump List? A Jump List looks something like: From left to right we have; Windows Media Player Start Menu, Wordpad Internet Explorer Jump Lists were introduced in Windows 7 to allow frequently used files/tasks/webpages to be selected … Continue reading
Incident Response Process Phase 3 – Containment
First Steps When moving into the containment phase an incident has already been declared. It is now time to categorise the incident and relay this to the customer/management. The categorisation or characterisation of the incident can be broken down into … Continue reading
Posted in Containment, Incident Response
Tagged basics, containment, hats off security, Incident Reponse
Leave a comment
Photos and who to blame
In light of the recent apple/icloud incident I thought I would bring up a little bug bear of mine. Blaming the victim, if you are mocking the celebrities and commenting on how “it’s their own fault” please stop. Why do … Continue reading
Posted in Cyber, My Two Cents
Tagged celebrity photos, hats off security, no more shaming, photo hack, who's to blame
Leave a comment
Tip of the Hat to Phase 2a – Assessment & Engagement
This step is not included in the 6 step model which I set out at the start of this series, however during my research I was directed to this post by Steve Armstrong. In it he mentions: “Assessment and Engagement … Continue reading
Posted in Uncategorized
Leave a comment
Incident Response Process Phase 2 – Identification
Identification I was going to do another section on Preparation, but I realised I could continue with that until the end of days. So lets move on to Identification How does the Identification phase start? There are a multitude of … Continue reading
Posted in Cyber, Identification, Incident Response
Tagged hats off security, identification, Incident Reponse, Preparation
Leave a comment