Author Archives: HatsOffSecurity

Incident Response Process Phase 1 – Preparation

This phase is open-ended: you will always be tweaking and fiddling with policies and technologies to make the environment as secure as you can. Just as you think it’s fixed, a zero day comes along and ruins your picnic. So what …

Posted in Incident Response, Preparation

Incident Response Process

Today I am going to discuss the basics of an Incident Response process. I did not create this; I would love to give credit to those who did! There are other variations out there; however, they all follow the basic …

Posted in Incident Response, Introduction

Chrome – Basics

Google Chrome, or just Chrome, is (at the time of writing) the most popular web browser by a fair amount, twice as popular as Mozilla’s Firefox. Chrome stores its artefacts in SQLite, JSON (JavaScript Object Notation) and SNSS (Session Saver) …

Posted in Browser Forensics, Chrome, Google Chrome, Windows Forensics

Internet Explorer – Basics

As IE comes bundled with Windows as standard, it is often the browser (of choice?) used by a lot of organisations. Larger organisations are also often slower to update IE, in my experience, as they have integrated business-critical applications …

Posted in Browser Forensics, Internet Explorer, Windows Forensics

Mozilla Firefox – Basics

Mozilla Firefox was the most popular back in 2011, and although its popularity has been surpassed by Google Chrome (which I will cover later), it still holds around a quarter of the internet’s browser base. With Windows 7 there were …

Posted in Browser Forensics, Firefox

USB Forensics Final Part! (aka Pt. 7) Device first/last plugged in

The USB forensics thread can continue until the end of time, or at least the end of my free space on here. With this in mind, I am only showing you the basics of USB forensics. I may cover more …

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics

USB Forensics Pt. 6 Which user account used the USB device

Having all this information is all well and good, but right now all we can say for sure is that a USB device was used on this machine. Just because someone logged on to that machine doesn’t make them the …

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics

USB Forensics Pt.5 Determine the Drive Letter

Finding the last drive letter used by the USB device is actually quite simple… or at least it should be! Go to the following key: SYSTEM\MountedDevices. Each drive letter is listed; however, in my example on the VM the E: …

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics

USB Forensics Pt. 4 Volume Serial Number

On to Part 4 of our ongoing discoveries about USB forensics. A quick recap: so far we have managed to get details of two devices which have been connected to our image. We have looked at how to get: Unique …

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics

USB Forensics Pt. 3 Discover the Volume Name

Part 3 of our investigation is to discover what the Volume Name of the USB device was. This can be helpful when looking into Link (.lnk) files (which I will cover in a later blog post). It can also occasionally …

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics