Category Archives: DFIR

All DFIR related posts

A few thoughts


A few highlights I would like to point out.

  1. “These indicators can change between campaigns, or as is often the case, during a campaign.” à We have to assume that the attackers are adapting to what we do in similar manners that we (security folks) are to them.


  1. “If an installer is run on a system, and deletes itself after infecting the endpoint, then the file (along with the MD5 hash of that file) is gone.  In some cases, this happens so quickly that the installer file itself may not be written to physical disk, so there is literally nothing that can be recovered, or ‘carved’.” à A great example of how small a window AV gets to protect the system. A great argument for developing inline systems then like an IDS/IPDS or sandbox like Fireeye/Wildfire. They can at least test the executable before it gets to the endpoint system.


  1. “If the malware was written to create its own network sockets, the domain name may exist in memory for only a very short time, and persist on the network (this does not include any logs on other endpoints) for an even shorter period of time.  The domain name may be found in the page file, but again, this does not mean that the domain name is recorded on the endpoint indefinitely…even a C2 domain name or URL will only persist in the page file for so long.”  à Network data is just as volatile as RAM.


  1. “For example, some indicators may be present in the Security Event Log, and in most cases (that I’ve dealt with), event records of value have been obviated by the normal operation of the system, simply due to the fact that the Security Event Logs have “rolled over”, as older event records have been overwritten by newer ones.  I’ve received images of systems and the Security Event Log was 22MB in size, and when parsed, contained maybe…maybe…2 days’ worth of events.  The specific event I was interested in occurred weeks (or in some cases, months) prior to when the image as acquired.“ à Good argument for log everything and storage.



And the link from inside the article as well.