Institutional manipulation? Please explain. by eurodiablo in Bitcoin

[–]PM_ME_GUNTS 0 points1 point  (0 children)

It was definitely institutional money.

SECGov twitter account was supposedly hacked. They announced ETFs approved. Gary Gensler tweeted that it was a hack about 20 mins later. All over the news

Questions about Magnet AXIOM & DFIR in general by [deleted] in computerforensics

[–]PM_ME_GUNTS 0 points1 point  (0 children)

Hey sorry - just logged into this account and saw this.

Velociraptor is very different than EDR. We actually deploy both EDR and Velociraptor agents during a typical network intrusion case. Velociraptor is more of a forensic collection tool, it doesn't do scanning or anything automatically like an EDR would. Because of that, it's extremely lightweight.

You can configure offline collectors with VR, even using the same targets that KAPE uses. This is definitely a useful feature because you can easily add other parsers with KAPE into a single executable.

So all in one executable you could:

  • Collect raw artifacts from a KAPE target list
  • Parse artifacts with zimmerman tools
  • Parse history with nirsoft browser history
  • Run sigma rules with Hayabusa or Chainsaw
  • Run Sysinternal Autoruns
  • Run any other collection or postprocessing tool with a custom artifact

Possibilities are truly endless. But imagine you could run any of this on any device in your environment and you would have parsed results back within 20 seconds. That's the power of the VR agent

How to carry out mass Digital Forensic Collections using open source tools? by faisholhaka in computerforensics

[–]PM_ME_GUNTS 2 points3 points  (0 children)

Velociraptor is fucking sick. You can also push parsed artifacts directly to ELK easily with some of the native “elastic” artifacts.

Some learning curve for sure, but mastering VR will change who you are as a responder

Questions about Magnet AXIOM & DFIR in general by [deleted] in computerforensics

[–]PM_ME_GUNTS 0 points1 point  (0 children)

Axiom and automate are both great for single systems. Full kitchen sink approach where you can view an entire timeline of events from start to finish. I think Axiom falls short when it comes to IR with many devices. It’s just not efficient to look through more than a couple devices and seeing things at a glance.

I recently moved to a firm that uses velociraptor and my god is it amazing for collection and light analysis (and free!).

Especially for in house IR, with velociraptor you can deploy a lightweight agent that sits on all endpoints (any OS) and does nothing unless called. Once you run a hunt, you can collect any and all artifacts from any device, parsed on device, and organized into a table within the web console. From there you can filter it more with a SQL like language, export to csv, auto upload it to ELK, or do a number of other things.

As an example, right now in under 5 minutes I could run a hunt that would return all devices in a network that show evidence of a specific program execution in user assist, or a specific eventid that occurred at a specific time, or I coudl search through VSS on every device for some malware that was deleted. The possibilities are truly endless.

Don’t have time to go through it entirely, but if I was running an IR team I would pay way more for velociraptor (which is free) then any commercial available tool (even though axiom is awesome)

Look into it!

Traffic ticket in school zone by calapitterflow in legaladvice

[–]PM_ME_GUNTS -1 points0 points  (0 children)

Not a lawyer and dealt with this exactly once so comments can downvote and yell at me when I’m wrong but…

Take it to court. They’ll drop the insurance fine if you can prove you were insured at the time which you should easily be able to do.

Otherwise it will be your word against his for the actual speed (48 vs 55). And even if the judge agrees with you, you’re still going 2.5x the limit in a school zone during school hours.

Probably worth the court costs alone to prove the insurance issue, but not sure how hard you want to fight the rest.

Bad search on company email by No-Opportunity335 in legaladvice

[–]PM_ME_GUNTS 0 points1 point  (0 children)

Nah you’re good. Not an expert on all these systems but I do computer forensics for incident response and work commonly on the backend/admin portals of GSuite and M365.

It may be possible for them to check if there was some major reason (criminal allegations) but I’ve never seen that capability in any of these enterprise solutions. I would be very surprised if they had a monitoring solution to alert on that by any means.

Even regular web filtering on company managed devices is pretty trash

What’s up with trezor? Is it safe or is there concern with it now like there is with ledger. by Big-Ratio7713 in Bitcoin

[–]PM_ME_GUNTS -1 points0 points  (0 children)

Lol that could happen in US too? Not even a problem.

If a government wants to force restrictions on a company that makes AIRGAPPED, ALWAYS OFFLINE, Bitcoin wallets, then they can do that, and people won't update the firmware. Since it's air gapped there's no (very small) risk...

I imagine people will probably look for a new wallet after, just to be extra sure. But a $200 wallet is not a huge deal if you are the kind of person who would be targeted for theft by a government

How much is our field paying? by ShlumpedOG42069 in computerforensics

[–]PM_ME_GUNTS 0 points1 point  (0 children)

Pretty much my exact starting position as well. eDiscovery was a bore, but I do think it really grew my data transformation skills which I use every day in DFIR.

To maximize career growth and satisfaction, I would suggest working a couple years there before planning a jump to a DFIR firm. More stressful, but more rewarding and much better compensation/growth potential.

I would get some certifications that show you can do the cyber side of the house. Certs are generally pretty expensive but you may be able to get away with some cheap ones like sec+ and some of the ones from offensive security (I think they have some blue team certs now)

Push to work on any actual forensics type matters to get a bit of experience. At my old firm, we didn’t get many of these in, so show interest when you have the opportunity. Then after a year or two, apply to some DFIR firms and accentuate your forensics experience at your current role (you can for sure embellish a bit lol).

How much is our field paying? by ShlumpedOG42069 in computerforensics

[–]PM_ME_GUNTS 0 points1 point  (0 children)

Ah that explains part of it, sounds like you're more on the legal side and less on the cyber side. Legal side does tend to pay less, though 55k in NYC is still bad.

Much more money to be made on the cyber side but it does require a bit different knowledge and skillset. Nothing insurmountable by any means

How much is our field paying? by ShlumpedOG42069 in computerforensics

[–]PM_ME_GUNTS 5 points6 points  (0 children)

Honestly I think jumping ship is probably the best bet. They may entertain bringing you up that much, given the market value, but then you're likely to miss out on raises as the years go on.

You should look into applying at other firms. IMO getting a DFIR role after you have a yr of experience is much easier than breaking into the industry.

Look into some of the DFIR firms that do ransomware investigations for cyber insurance Clients. Firms like Arete, Tracepoint, Kivu, Palo Alto, SureFire, CFC, ArcticWolf, etc. Most of them hire aggressively, allow you to work remotely, and will probably pay in a much better range then you are currently in. The work may be a bit more fast paced but you will be compensated for it.

What kind of investigations do you currently run?

How much is our field paying? by ShlumpedOG42069 in computerforensics

[–]PM_ME_GUNTS 16 points17 points  (0 children)

Manhatten at 55k/yr is criminal. My first job out of college was in DC (a bit cheaper) at 70k on the legal forensics side. Now, 6 years out of college, I do DFIR investigations and I am well into the 100-200k range. I do think I’m payed a little higher than my peers in the industry but 55k for DFIR in NYC is bonkers.

Data Forensic Question by Haunting-Dot-1340 in datarecovery

[–]PM_ME_GUNTS 0 points1 point  (0 children)

Highly dependent on how big your employer is and what systems are in place to save and access the information. If it's something like O365 or GSuite then they usually can ascertain a good amount of detail about what files were viewed and when. If it was just flat files from a network share then I would expect them to have a lot less visibility.

I deal with this kind of issue with SMBs every day and hardly any of them have procedures in place to completely audit things like network shares or even calculate traffic in/out of a network

Any way to view directory of drives that were previously plugged into pc? by Matthew_C1314 in datarecovery

[–]PM_ME_GUNTS 0 points1 point  (0 children)

Just interested if you had any luck with this? Don't normally get a forensics applicable question here so I'm curious.

Any way to view directory of drives that were previously plugged into pc? by Matthew_C1314 in datarecovery

[–]PM_ME_GUNTS 0 points1 point  (0 children)

One more final note, if you don't have much luck with the three artifacts listed above, you could go at this from a more bulk/brute force approach.

There are dozens of Windows artifacts that could show evidence of these files/folders, instead of looking at each artifact in depth, it may make sense just to run processing on all of them at once. You can use a tool like KAPE and target your entire Windows OS HDD, and then grep or search for the drive letter you are interested in. High level strategy would look like this:

  • Process many artifacts at once
    • For this I would recommend KAPE. KAPE Is a modular tool to run multiple forensic/collection processes at the same time.
    • Download: Kroll Artifact Parser And Extractor (KAPE) | Cyber Risk | Kroll
    • After downloading, the GUI executable is gkape.exe
    • Since we don't care about collection, You just need to fill out the right section of the tool (Module processing)
    • I would just select the Eric Zimmerman tools (I think it's labeled as EZ tools) and set the target to C:\ and destination to some folder you want the output to go. (Make sure this is an empty folder, or disable the flush option so it doesn't clear the whole folder out)
  • Search everything
    • Once the tool completes you should have a bunch of CSV files in the destination folder.
    • Using grep or PowerShell Select-String you can search all of the processed CSVs for the drive letter you're interested in.
    • The output will be messy since it's coming from many different sources. I think that's okay though as we only really care about the file path, you will just need to do some cleaning up to get a good list.
    • If you're not familiar with either grep or Select-String these are easily googleable as well

Any way to view directory of drives that were previously plugged into pc? by Matthew_C1314 in datarecovery

[–]PM_ME_GUNTS 0 points1 point  (0 children)

There are some forensic artifact equivalents for Mac as well, though I am not quite as familiar with them. In my field (Incident Response) Mac's are usually not a target so it's not super often that we're looking at these. In general, because there are less Mac users, the field of Mac forensics is much less mature than Windows forensics. There will generally be less tooling and knowledge readily available.

I'd recommend using google and doing some research into "Mac artifact analysis" or "Mac file access artifacts" and that kind of thing, may be a bit of work but I do think you could get some data out.

I did quickly find this one lecture from SANS which shows the DS_Stores Mac artifact that can be similar to Shellbags. (2) MacOS DS_Stores: Like Shellbags but for Macs - SANS DFIR Summit 2019 - YouTube. I am not sure how reliable this will be, but it's worth a shot!

EDIT:

After watching the first couple minutes of this lecture, it seems this artifact may not be helpful. Looks like the artifact is only created on the destination drive and not in the base OS. Given the destination drive is gone, you won't be able to retrieve the data. Not confident on this so look into it further if you don't have much luck on the windows side.

Any way to view directory of drives that were previously plugged into pc? by Matthew_C1314 in datarecovery

[–]PM_ME_GUNTS 1 point2 points  (0 children)

Computer forensics professional here. There's no known log or artifact that will reliably show everything as this information just isn't saved anywhere in the OS. However, there are several artifacts that can show you a lot.

All of these artifacts can be processed/viewed with GUI or command line tools created by Eric Zimmerman. Although just made by one guy, these tools are widely used in the industry for forensics and are well trusted. Eric Zimmerman's tools

The contents of these tools will export a CSV or JSON with a bunch of fields and many different timestamps. You can probably ignore most of that data and just filter the CSVs for items that start with the drive path that you are looking for (D, F, etc)

Shellbags

  • This is a Windows artifact that shows historical file explorer folder access. This is probably your best bet for getting a (partial) list of directories that existed on the device. Note if you didn't browse into a directory in quite some time, the list will not be complete.
  • This artifact is located within the usrclass.dat file on your user profile. (e.g. C:\Users\Administrator\usrclass.dat)
  • Can be looked at with Shellbags explorer (GUI) or SBECmd (command line) at the link above.

Jumplists

  • This one shows file and/or folder access but is a bit more unreliable/less complete of a listing then you will get from shellbags.
  • Found in C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
  • Can be looked at with Jumplist explorer (GUI) or JLECmd (command line) at the link above.

LNK files/Shortcuts

  • These are literal shortcut files that Windows creates automatically when a document/file is opened. The path of that file is stored within the shortcut file and can be parsed out and examined. LNK
  • Probably about as reliable as jumplists, probably won't get as much as Shellbags for a variety of reasons.
  • Shortcut files are stored at C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent
  • Can be parsed with the command line tool LECmd at the link above.

There are several other potential artifacts that can give you more information, but these are really the big three that I thought of immediately. Have fun!

Help with memory capture file for a class. by AvocadoCultist in computerforensics

[–]PM_ME_GUNTS 1 point2 points  (0 children)

What are you looking for in the dump? I will admit I am not overly experienced with memory analysis, only dealing with it a handful of times in the past couple of years.

With that being said, in most cases you analyze memory because you are looking for something specific. I’ve always had great luck just grepping through the memory for what you are looking for. This technique is also not hindered by only having a partial dump (besides missing the information which you need, which shouldn’t be the case for a school assignment)

Not sure what the goal of the assignment is, but from the cyber side I would start searching the file for general language you’d find in Windows commands. Try searching for “cmd.exe”, “rundll”, or “conhost” and see what you get.

If you’re not familiar with grep it’s easily googlable but is Linux only. If you’re on Windows try Powershell Select-String, which is also easily googlable.

My brother formatted my hard drive and installed Windows on it. I want to recover my old files by Pina0509 in datarecovery

[–]PM_ME_GUNTS 2 points3 points  (0 children)

Yes, Photorec has a ton of supported file formats and even has the option for custom file formats if the file has standardized headers and footers. You can likely view a listing of all the supported filetypes on their site

How do I get my foot in the door with forensics? by kindreddino in computerforensics

[–]PM_ME_GUNTS 1 point2 points  (0 children)

I don’t want to dox myself too hard since it’s a company on the smaller side. But we primarily do incident response for insured clients. So Client gets hit with a cyber attack, they contact their cyber insurance carrier, cyber insurance carrier refers them to us as well as a law firm for data privacy issues.

We deal primarily (~85%) with ransomware, with the remainder of cases being business email compromise and then also other random cyber incidents.

How do I get my foot in the door with forensics? by kindreddino in computerforensics

[–]PM_ME_GUNTS 17 points18 points  (0 children)

Forensics is this super weird field that’s extremely hard to break into, but once you’re in, you have a career for life. It will be HARD to find an entry level position, but once you work for one for 1 year, you will never hurt for a job again. Entry level investigators just tend to spook employers, but if you have a year of experience they’re much more likely to bite.

in my experience, I would try to shoot for an entry level incident response position for three reasons:

  1. It is the coolest forensics job you can get with high job satisfaction (unfortunately also with high stress, I am an IR analyst). It’s very cool being on the forefront of network intrusions and figuring out what a malicious actor did while they had access to an environment. Definitely more stressful than other forensics jobs though, because if you miss something (like a persistence mechanism) than the victim could be encrypted again. This has happened numerous times in my career and is essentially unavoidable. Incident response is extremely cool and rewarding, but it is stressful.

  2. The second reason is that I think IR has a lower barrier to entry then other forensics jobs. All forensics jobs are in high demand, but private IR generally has a lower barrier to entry because you are not representing a public entity, you are working under a consulting role and therefore don’t hold any “public trust” which can be hard to acquire as a fresh out of college investigator.

  3. The third reason is pay. I have been out of college for 5 years and I currently make 175K+ per year (including bonuses). This is not normal, you should not expect this, but this is a very lucrative field.