Chad Tilbury

SANS Institute Paller Scholarship applications are open until January 2025. The mission of the program is to identify exceptionally talented international students (non-US citizens) committed to making the world a safer place through cybersecurity. sans.edu/paller-cyberse…

Anastasia recently added a new Linux disk images section, five more mobile extractions, & one more Windows disk image to our “Publicly-Accessible Disk Images & Mobile Extractions Grid for DFIR” available at ArsenalRecon.com/insights/publi…. Check it out! #DFIR

Location, Location, Location by Ian Whiffin. How does iOS Location Services work? How can we test the reliability of the location data it provides? dfir.pubpub.org/pub/4fkeiv34/r… >> Excellent overview of Cell Siting, WiFi Crowd Sourcing, Bluetooth, and GPS information.

Cracking OneDrive's Personal Vault by @bmmaloney97 malwaremaloney.blogspot.com/2024/09/cracki… >> Great explanation and step-by-step instructions!

💡 Join Certified Instructor @xzer0f , September 19, as he guides you through configuring, scaling, and securing your logging setup with Azure’s latest feature. 🗓️ 10:00 am ET / 14:00 UTC ⌛️Register now: buff.ly/4fRprPk #SANSCloudAce #CloudSecurity

ChromeKatz: Dump cookies and credentials directly from Chrome/Edge process memory. Credential manager creds in plain text with no need to access on disk database! Similarly, CookieKatz dumps decrypted cookies (including incognito mode). github.com/Meckazin/Chrom… (via @m3g9tr0n)

Awesome!

Still time to register for the SANS AI SUMMIT - workshops today! Talks and lightning talks tomorrow! sans.org/cyber-security…

🚨 #DFIR Tool Update Alert 🚨 I’ve updated my script that parses USB Connection artifacts from a mounted Windows volume, to include EID 1006 events from the Windows-Partition-Diagnostic log Includes connect/disconnect times, VSNs & filesystem type github.com/khyrenz/parseu…

Great research into OneDrive private vault data. Crazy that it is stored as a vhdx! I'm always happy to see Microsoft reusing existing formats.

Microsoft formally deprecates the 39-year-old Windows Control Panel arstechnica.com/gadgets/2024/0… >> That is some history!

If you're interested in getting into #Linux #logging and evidence collection, this is an excellent write-up from @Kostastsale that compares #EVTX logs on Windows with #Auditd, #SysMon for Linux, and native Linux logging. #DFIR #LinuxForensics #SIEM #CSIRT kostas-ts.medium.com/telemetry-on-l…

The team at @TrendMicro has a nice write up on #cryptojacking threat actors using a recent #Confluence #vulnerability for initial access. ⚠️ If you find a crypto minner running, figure out how the threat actor got in, not just simply remove the minner. 🔗 trendmicro.com/en_us/research…

Finally releasing the tool! The Offline SAM Editor is here for IT pros, researchers, and security enthusiasts who want to access and edit SAM databases from offline OS disks. Source code included. Get your access: payments.gtworek.com/buy/54d82b09-4…

Can Do vs. Should Do Matrix. cutlefish.substack.com/p/tbm-1652-can…

After watching Josh's talk at the @DFIRSummit, he released the excellent blog too! #DFIR

Has anyone looked into how Windows approaches the creation of .URL files in the Recents folders instead of .LNK files? I only recently looked into it and havent really figured out the way they consistently get created #DFIR

OneDrive Evolution has been updated to v24.169.0821.0001. Happy exploring. malwaremaloney.blogspot.com/p/onedrive-evo…