-
Recent Posts
- Improving Technical Interviews
- AnyDesk Forensic Analysis and Artefacts
- Log4J/Log4Shell Video Glossary
- HatsOffSecurity on YouTube
- How to Create a Good Security CTF
- NoScript Plugin Forensic Investigation – Firefox/ToR Browser
- Keybase.io Forensics Investigation
- When is Index.dat not Evidence of Browsing
- HTTP Methods
- Wireshark – More Basics
Categories
- anydesk
- Attack
- Browser Forensics
- Brute force
- Chrome
- Competition
- Competitions
- Containment
- Content Delivery Manager
- Cookies
- Cryptography
- CTF
- Cyber
- Cyber Security Challenge
- Decoding Time
- Encrypted Traffic
- Firefox
- Forensic Readiness Plan
- General
- Google Analytics
- Google Chrome
- Google Rapid Response
- Group Policy
- GRR
- Hardening
- Heartbleed
- Identification
- Incident Response
- Internet Explorer
- Interviews
- Introduction
- Jump Lists
- Keybase
- Link FIles
- Linux Forensics
- Memory Forensics
- Microsoft Edge
- My Two Cents
- Network Analytics
- Network Forensics
- pass the hash
- PCAP Analysis
- Pen Testing
- Preparation
- Protocol
- ReadyBoost
- Research
- Safari
- SANS
- Shared Folders
- Shellshock
- SMB
- SSH
- TOR
- Uncategorized
- USB Forensics
- Windows Forensics
- Windows Registry Forensics
- Windows Registry Forensics
- Windows Spotlight
- Windows XP
- Wireshark
CyberLinks
- Follow Hats Off Security on WordPress.com
Tag Archives: hats off security
Identifying Sites in Encrypted Traffic
There is some mis-information around; that encrypted traffic is useless, and you should go back to netflow and statistical analysis only. I disagree. I will be doing a few posts showing clear-text information leakage we can use to our advantage. … Continue reading
Posted in Encrypted Traffic, Network Analytics, Network Forensics
Tagged artefact locations, basics, cyber security, hats off security, Network Forensics, PCAP, SSL, TLS
Leave a comment
SMB2 Protocol Negotiation
This is one of the few times when looking at SMBv2 you will need to use SMBv1 commands. The initial negotiation request will always be sent out as SMBv1. It makes sense when you think about it, SMB does not … Continue reading
Posted in Network Analytics, SMB
Tagged hats off security, Network Forensics, SMB, Wireshark
Leave a comment
SMB2 – File/Directory Metadata
Using SMB it is possible to retrieve data that is typically only expected when carrying out host based forensics. The MACB (Modification, Access, Change and Birth) data is sent across regardless of if a file is accessed or not. With … Continue reading
Posted in Network Analytics, Network Forensics, SMB
Tagged hats off security, Network Forensics, SMB
1 Comment
SMB Tree Connect/Response Details
If you want to play along at home, the sample PCAP I will be using for SMB2+ is here, the SMB v1 PCAP is not something I can give away sadly. Tree Connect Request/Response When the SMB protocol connects to … Continue reading
Posted in Network Analytics, Network Forensics, SMB
Tagged artefact locations, hats off security, SMB, smbv1 vs smbv2
Leave a comment
SMBv2+ SYNC Header Explained
SMB2 Header The SMB2 Header will either be ASYNC or SYNC, you need to look this up from the flags. SYNC is the most common header as this can be in the form of a request or a response, where … Continue reading
Posted in Network Analytics, Network Forensics, SMB
Tagged artefact locations, basics, hats off security, Network Forensics, SMB
Leave a comment
SMB Quick Introduction
SMB There are currently 3 major versions of SMB version 3 is quite new (2012) and has been implemented on the latest versions of Windows (8, 2012), Samba 4.1+ and macOS 10.10 Yosemite. I say ‘quite new’ as it takes … Continue reading
Posted in Network Analytics, Network Forensics, SMB
Tagged basics, hats off security, Network Forensics, SMB
Leave a comment
Ringzer0team – Forensics Challenge 35 – Poor internet connection
This writeup is to explain how to get the answer (flag) to the Forensic Challenge named “Poor Internet Connection” I will not be posting the flag here as I am giving you all of the instructions to get it yourself! … Continue reading
Posted in Competitions, Cyber, Network Analytics, Network Forensics, PCAP Analysis
Tagged file carving, hats off security, hex, Network Forensics, PCAP, pcap carving, Wireshark
1 Comment
TTLs and where to find them
Recently I have been conducted a lot of interviews for SOC Analysts; one of the questions I ask is as follows: You are reviewing your DNS logs and find an answer to a DNS query which shows rabbitcoldhotel.evil.com on <AnyExternalIP> … Continue reading
Posted in Network Analytics, Network Forensics
Tagged basics, hats off security, Interview Questions, Network Forensics, SOC Analyst
2 Comments
Windows Spotlight Image Location
Bit of a change from my typical security related posts. I was hunting around on my machine for a new blog post when I stumbled across a folder full of oddly named files. The files were named as their SHA1 … Continue reading
Posted in Content Delivery Manager, Windows Spotlight
Tagged artefact locations, basics, file locations, hats off security, spotlight, Windows 10
1 Comment
OpenDoor Scanner vs SimpleHTTPServer (PCAP)
Often when analysing attacks, scans or just general traffic it is difficult to identify the specific tool or technique in use. This is simply because there isn’t a reference database for every tool. So I thought I would upload a … Continue reading
Posted in Network Forensics, PCAP Analysis, Research, Wireshark
Tagged analysis, hats off security, linux, Network Forensics, PCAP, research
1 Comment