As SOC engineers, we spend our working days on events and alerts. Sometimes we wish the frontend had more features to assist us when hunting or investigating an incident. It can also be useful to build a proof of concept that shows the development team the value of the requested features.
An incident has been created manually to investigate a USB key infection. A system was detected with a Raspberry Robin infection. The goal of this case is to find the USB key that was the source of the infection.
Whenever Symantec Endpoint Protection quarantines a file, a .vbn file is created on the local machine under the path “C:\ProgramData\Symantec\Symantec Endpoint Protection\[VERSION_NUMBER]\Data\Quarantine”. Can we recover the quarantined files from those .vbn files?
As a cybersecurity analyst, I face numerous alerts from detection rules. System detections are the ones you can really dig into and turn into challenges.
DGSE (Direction Générale de la Sécurité Extérieure) and the engineering school ESIEE organized a cybersecurity challenge in October 2020, called the Brigitte Friang challenge. In this part of the challenge, participants were asked to play a secret agent solving several forensic exercises (log analysis, disk forensics, memory forensics).
13cubed is a YouTube channel and website producing a lot of Digital Forensics and Incident Response content. It is a project developed by Richard Davis, a SANS instructor teaching digital forensics. He offers us an opportunity to do some memory investigations using Volatility.
In the 21st century we receive many emails every day. Some are legitimate, but others are not; how can we tell them apart? In this article, I'm going to show you a way to investigate a suspicious email by checking its headers.