Halil Ozturkci

737 Flips | 3 Magazines | 12 Likes | 9 Following | 222 Followers | @halilozturkci | Digital Forensics Specialist, White Hat Hacker

ATT&CK 101

Cyber Threat Intelligence: Post by Blake Strom
Why ATT&CK was Created
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. MITRE …

Local Storage - Firefox Focus Privacy Browser Artifacts in Android

Short version: Data placed by websites in the Local Storage folder's LevelDB database of the Firefox Focus Privacy Browser (FF-Focus) app will remain …

Some useful scripts for extraction and correlation of forensic artifacts in Windows Registry

Some interesting scripts, probably outdated but still useful. In 2012 Jacky Fox, in her MSc dissertation, focused on extraction and correlation of …

Creating a digital forensic laboratory: Tips and Tricks | Digital Forensics | Computer Forensics

Creating a digital forensic laboratory is a responsible step. The effectiveness of the laboratory depends on what software, hardware and equipment …

Cloud Forensics: Analyzing MEGASync

Nowadays almost everybody has an account with one cloud service or another. Dropbox, OneDrive and Google Drive are some of the most popular services. …

Windows 10 Time Rules

Timestamps play a very important role in many digital forensic examinations, so it’s very important for any forensic examiner or analyst to clearly …

Open-Source DFIR Made Easy: The Setup - SANS Digital Forensics & Incident Response Summit 2017

warninglist

misp-warninglists are lists of well-known indicators that can be associated with potential false positives, errors or mistakes.
The warning lists are …
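How a warninglist is consumed in practice, as an added example that is not the misp-warninglists project's code: a small Python matcher that applies lists in the project's JSON shape (name, type, list, matching_attributes) to indicators before they reach detection rules. The four lists and the indicators are constructed samples, and the per-type matching rules (cidr, hostname, string, substring, regex) are this example's own reading of the format, so check them against the project's documentation before relying on them.

```python
# Added example, not misp-warninglists project code. Lists below are constructed
# samples in the warninglist JSON shape; the matching semantics per type are this
# example's assumptions about that format.
import ipaddress
import re
from urllib.parse import urlsplit

WARNINGLISTS = [
    {"name": "rfc1918", "type": "cidr",
     "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
     "matching_attributes": ["ip-src", "ip-dst", "domain|ip"]},
    {"name": "public-dns-sample", "type": "cidr",
     "list": ["8.8.8.8/32", "8.8.4.4/32", "1.1.1.1/32"],
     "matching_attributes": ["ip-src", "ip-dst"]},
    {"name": "vendor-update-domains-sample", "type": "hostname",
     "list": ["microsoft.com", "windowsupdate.com"],
     "matching_attributes": ["hostname", "domain", "url"]},
    {"name": "empty-file-hashes", "type": "string",
     "list": ["d41d8cd98f00b204e9800998ecf8427e",
              "da39a3ee5e6b4b0d3255bfef95601890afd80709"],
     "matching_attributes": ["md5", "sha1"]},
]


def _value_for(attr_type, value):
    """Reduce a MISP attribute value to the part a list of this type should see."""
    if attr_type == "domain|ip":
        return value.split("|", 1)[1]
    if attr_type == "url":
        parts = urlsplit(value if "//" in value else "//" + value)
        return parts.hostname or value
    return value


def _matches(wl, attr_type, value):
    """Does one warninglist entry set match this value (per-type rule)?"""
    v = _value_for(attr_type, value)
    t = wl["type"]
    if t == "cidr":
        try:
            addr = ipaddress.ip_address(v)
        except ValueError:
            return False  # not an address at all; a cidr list cannot match it
        return any(addr in ipaddress.ip_network(n) for n in wl["list"])
    if t == "hostname":
        h = v.lower().rstrip(".")
        entries = [e.lower() for e in wl["list"]]
        return any(h == e or h.endswith("." + e) for e in entries)  # entry or subdomain
    if t == "string":
        return v.lower() in {e.lower() for e in wl["list"]}  # hashes compare case-insensitively
    if t == "substring":
        return any(e in v for e in wl["list"])
    if t == "regex":
        return any(re.search(e, v) for e in wl["list"])
    raise ValueError("unknown warninglist type %r" % t)


def check(attr_type, value, lists=WARNINGLISTS):
    """Names of the warninglists that flag this (attribute type, value) pair."""
    return [wl["name"] for wl in lists
            if attr_type in wl["matching_attributes"] and _matches(wl, attr_type, value)]


def split_iocs(iocs, lists=WARNINGLISTS):
    """Partition (type, value) indicators into (keep, flagged); flagged entries carry the
    list names so an analyst reviews them instead of the pipeline silently dropping them."""
    keep, flagged = [], []
    for attr_type, value in iocs:
        hits = check(attr_type, value, lists)
        if hits:
            flagged.append((attr_type, value, hits))
        else:
            keep.append((attr_type, value))
    return keep, flagged
```

A warninglist hit is a reason to look again, not proof the indicator is noise: an attacker can stage through a public DNS resolver's address range or a subdomain of a whitelisted vendor domain, which is why `split_iocs` keeps the flagged set and the reasons rather than discarding them.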

Sysmon v6.10 VS WMI Persistence

Introduction
Sysmon v6.10 was released on the 11th of September and introduces new features such as WMI event reporting. At first sight, …

Forensic Timeline Creation: my own workflow

Every analyst, through day-to-day experience, refines his or her own workflow for timeline creation. Today I propose mine. Required tools: Sleuth Kit …

APT Groups and Operations

Recovering Removed Email Attachments — Outlook Email Forensics

I came across a question by user flytnx about removed email attachments on Forensic Focus. The question was about how one would go about proving that …

Whatsapp Parser Toolset

Updated: May 2018
WhatsApp Messenger Version 2.18.142
Whapa is a toolset to analyze the WhatsApp app for Android. All tools are written in Python 2.X. …

How Attackers Lay the Groundwork for Lateral Movement

Lateral Movement is a critical step in the process of carrying out an attack on a network. It is a category broad enough that it has its own kill …

Extending The Sleuth Kit and its Underlying Model for Pooled Storage File System Forensic Analysis

Jan-Niclas Hilgert, Martin Lambertz, Daniel Plohmann
Abstract
Carrier's book File System Forensic Analysis is one of the most comprehensive sources when it …

Documenting a week of DFIR cookups

A few weeks ago Dave Cowen did four nights in a row of Windows 10 testing and I finally got to watching through it all.
Some of it was Dave throwing …

The ThreatHunter-Playbook

A threat hunter's playbook to aid the development of techniques and hypotheses for hunting campaigns by leveraging Sysmon and Windows Event logs. This …

Hunting with ELK

Earlier this year I talked a lot about behavior chains and how someone would go about implementing these in Splunk. In my last post I also talked …

Comparative Analysis of the Accuracy of Forensic Results obtained from Window and Android Platforms

Network Pivoting Techniques

Basic Pivoting Types

Type               Use Case
Listen - Listen    Exposed asset, may not want to connect out.
Listen - Connect   Normal redirect.
Connect - Connect  Can’t …
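The three relay shapes in the table, as an added example that is not the original post's code: a small single-session TCP pivot in Python whose mode decides which end listens and which end connects out. The loopback addresses, the echo target and the demo() driver are constructed so the three shapes can be exercised on one machine.

```python
# Added example (not the original post's code): a single-session TCP pivot that can
# run in each of the three shapes from the table. Hosts, ports and the echo
# target used by demo() are constructed for a loopback run.
import socket
import threading

BUF = 4096


def _pump(src, dst):
    # Copy src -> dst until EOF, then half-close dst so the far end sees EOF too.
    try:
        while True:
            data = src.recv(BUF)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(a, b):
    # Full-duplex relay: one pump per direction; wait for both to drain.
    threads = [threading.Thread(target=_pump, args=p, daemon=True) for p in ((a, b), (b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def _listen(host, port):
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))  # port 0 lets the OS pick a free port
    s.listen(1)
    return s


def _accept(srv):
    conn, _ = srv.accept()
    srv.close()  # one session per pivot instance: stop listening once connected
    return conn


def _connect(host, port):
    conn = socket.create_connection((host, port), timeout=5)
    conn.settimeout(None)  # the timeout covers the connect only; a relay may idle
    return conn


class Pivot:
    """mode: 'listen-listen', 'listen-connect' or 'connect-connect'. left is the end the
    client arrives on, right faces the target; both are (host, port). Listening ends are
    bound at construction, so self.ports is known before run_once() is started."""

    def __init__(self, mode, left, right):
        left_mode, right_mode = mode.split("-")
        self.left, self.right = left, right
        self.left_sock = _listen(*left) if left_mode == "listen" else None
        self.right_sock = _listen(*right) if right_mode == "listen" else None
        self.ports = tuple(s.getsockname()[1] if s else None
                           for s in (self.left_sock, self.right_sock))

    def run_once(self):
        # Bring up the client side first, then the target side, then relay.
        a = _accept(self.left_sock) if self.left_sock else _connect(*self.left)
        b = _accept(self.right_sock) if self.right_sock else _connect(*self.right)
        _bridge(a, b)


def _echo_target(get_conn):
    # Constructed target: obtain one connection (by accepting or connecting out) and echo.
    def serve():
        c = get_conn()
        _pump(c, c)
        c.close()
    threading.Thread(target=serve, daemon=True).start()


def demo(mode, payload=b"ping"):
    """Run the pivot in the given mode against a loopback echo target; return the client's reply."""
    if mode == "listen-connect":          # target is reachable; client comes to us
        tsrv = _listen("127.0.0.1", 0)
        target = tsrv.getsockname()
        _echo_target(lambda: _accept(tsrv))
        pv = Pivot(mode, ("127.0.0.1", 0), target)
        threading.Thread(target=pv.run_once, daemon=True).start()
        client = _connect("127.0.0.1", pv.ports[0])
    elif mode == "listen-listen":         # target will only connect out to us
        pv = Pivot(mode, ("127.0.0.1", 0), ("127.0.0.1", 0))
        threading.Thread(target=pv.run_once, daemon=True).start()
        client = _connect("127.0.0.1", pv.ports[0])
        _echo_target(lambda: _connect("127.0.0.1", pv.ports[1]))
    elif mode == "connect-connect":       # we cannot listen at all; connect to both
        tsrv = _listen("127.0.0.1", 0)
        csrv = _listen("127.0.0.1", 0)
        target = tsrv.getsockname()
        _echo_target(lambda: _accept(tsrv))
        pv = Pivot(mode, csrv.getsockname(), target)
        threading.Thread(target=pv.run_once, daemon=True).start()
        client = _accept(csrv)
    else:
        raise ValueError(mode)
    client.settimeout(5)
    client.sendall(payload)
    reply = client.recv(BUF)
    client.close()
    return reply
```

Each pump half-closes its destination on EOF rather than closing the socket outright, so a session whose one side has finished sending still drains the other direction; forgetting that is the usual reason a homemade relay truncates the last response.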

A Few of My Favorite Things - Continued

In my last post I talked a lot about how I think about finding bad guys. From creating mind maps of the things I should be looking for to the need …

Mac MRU Parser v1.5 - Added Volume Analysis Support and Other Stuff!

A Few Of My Favorite Things

Today I want to talk about a couple of my favorite things. Finding bad guys and thinking about finding bad guys. When I talk about “thinking” I don’t …

Hunting for Chains

In my last blog post I touched on something that I want to talk more about. I think far too often, when hunting, we can focus on single indications …

Deploying Sysmon through Group Policy (GPO) *Updated scroll down*

Here’s a way to deploy Sysmon to all of your domain endpoints using Group Policy.
Step 1: Create Sysmon install batch file
First create a batch file …

Monitoring for Windows Event Logs and the Untold Story of proper ELK Integration

Summary
I have been searching online for some time now for any information about the proper method for monitoring Windows Event Log records via …

LogonTracer

Investigate malicious logons by visualizing and analyzing Windows Active Directory event logs.
Concept
LogonTracer associates a host name (or an IP …
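The host-to-account association the concept paragraph starts to describe, as an added example in Python that is not LogonTracer's own code: it builds that association from a constructed handful of Security log 4624/4625 records and answers the questions such a graph is built for (which account touched the most hosts, from which source address, over which logon types). The field names follow the Security log's TargetUserName, IpAddress and LogonType, but the events, hosts and accounts are made up.

```python
# Added example, not LogonTracer code: account <-> host/source association built from
# constructed Windows Security events, then queried the way an investigator would.
from collections import defaultdict

# Constructed sample, reduced to the fields the association needs.
# EventID 4624 = successful logon, 4625 = failed logon.
# LogonType 2 interactive, 3 network, 5 service, 10 RemoteInteractive (RDP).
EVENTS = [
    {"EventID": 4624, "Computer": "WS01.corp.local", "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "Computer": "WS01.corp.local", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "WS02.corp.local", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "FS01.corp.local", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "DC01.corp.local", "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "WS02.corp.local", "TargetUserName": "bob", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4625, "Computer": "DC01.corp.local", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "WS01.corp.local", "TargetUserName": "WS01$", "LogonType": 5, "IpAddress": "-"},
]

# Source address values that carry no pivoting information (local logons).
NO_SOURCE = {"-", "", "::1", "127.0.0.1"}


def build_graph(events, include_failed=False):
    """Return {account: {"hosts": set, "sources": set, "types": set}}.
    Machine accounts (names ending in $) are skipped as noise; failed logons (4625)
    are folded in only when include_failed is set, since failures still reveal where
    an account was tried from."""
    graph = defaultdict(lambda: {"hosts": set(), "sources": set(), "types": set()})
    for ev in events:
        if ev["EventID"] == 4625 and not include_failed:
            continue
        if ev["EventID"] not in (4624, 4625):
            continue
        user = ev["TargetUserName"]
        if user.endswith("$"):
            continue
        node = graph[user]
        node["hosts"].add(ev["Computer"])
        node["types"].add(ev["LogonType"])
        if ev["IpAddress"] not in NO_SOURCE:
            node["sources"].add(ev["IpAddress"])
    return dict(graph)


def edges(graph):
    """Flatten the association into (from, to, relation) triples for a graph store."""
    out = []
    for acct, n in graph.items():
        out += [(acct, h, "logged_on_to") for h in sorted(n["hosts"])]
        out += [(src, acct, "source_of") for src in sorted(n["sources"])]
    return out


def fan_out(graph):
    """Accounts ordered by the number of distinct hosts they logged on to, most first."""
    return sorted(((acct, len(n["hosts"])) for acct, n in graph.items()),
                  key=lambda x: (-x[1], x[0]))


def pivoting_candidates(graph, min_hosts=3):
    """Accounts that reached min_hosts or more hosts using a remote logon type (3 or 10):
    the spread-across-hosts shape that lateral movement leaves in the logs."""
    return [acct for acct, n in graph.items()
            if len(n["hosts"]) >= min_hosts and n["types"] & {3, 10}]
```

On the constructed sample, svc_backup fans out to four hosts from one source address over network and RDP logons while the interactive users touch one workstation each; that contrast, not any single 4624 record, is what the association makes visible.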

Research Report Released: Detecting Lateral Movement through Tracking Event Logs (Version 2)

In June 2017, JPCERT/CC released a report “Detecting Lateral Movement through Tracking Event Logs” on tools and commands that are likely used by …

Thinking in Graphs: Exploring with Timesketch

As an incident response engineer at Google, nearly every incident I’ve investigated leads to one common truth: relationships between events are more …