File Light
JeffSoh on NetSec, 4M ago
Filelight is a handy disk forensics tool, though it wasn't designed to be one as far as I know. In a CTF question I am looking in an AppData folder called Comms for evidence, and I wanted to see if the folders were all the same size…
Gone In 60 {Seconds,Minutes,Hours} Learning from 3 live, realistic end-t...
JeffSoh on NetSec, 9M ago
Highly recommend this video. Jeff is a fantastic instructor…
IP Header Text Summary
JeffSoh on NetSec, 1y ago
Byte 0, bits 0-3: IP version
Byte 0, bits 4-7: IP header length (IHL)
Byte 1: Differentiated Services (TOS)
Bytes 2-3: Total IP datagram length
Bytes 4-5: IP Identification field
Byte 6, bit 0: Reserved bit
Byte 6, bit 1: Don't Fragment bit
Byte 6, bit 2: More Fragments bit
Byte 6, bit 3: First bit of Fragment Offset field
Byte 7: Fragment Offset field (with one bit from byte 6)
Byte 8: Time To Live field
Byte 9: Embedded protocol (TCP, UDP, ICMP, etc.)
Bytes 10-11: IP header checksum
Bytes 12-15: Source IP address
Bytes 16-19: Destinat…
Threat Hunting
JeffSoh on NetSec, 1y ago
Threat hunting in a nutshell: there is no big red Easy button. It is not something that can be automated; it needs analysts, trained analysts. It is not an automated process and not something ML can do, regardless of what vendor XYZ tells you. It has some similarities to law enforcement: sometimes discoveries come on a hunch, when something just doesn't look "right" even though it doesn't trigger any alerts. It uses institutional knowledge, experience, and lots of familiarity with both normal activity and malicious activity. IMO it's the most exciting silo of network/information security, because success will be based on training…
Wireshark as a Teaching Tool
JeffSoh on NetSec, 2y ago
Wireshark is a nice tool for keeping your packet-dissecting knowledge fresh and for finding things you didn't know were there. You can play with the colorization settings and click through the fields in the packet dump to see which fields in the header and payload they correspond to. Below I have the start of the IP header selected, which shows us that the first nibble is the IP version field and the other half of the first byte is the header length. Whatever is in the IHL, multiply it by five to get the bytes. So a 4 means the header is 20 bytes, the minimum length of an IP header, whic…
Nmap Basics Part 1
JeffSoh on NetSec, 2y ago
Nmap 101 Tutorial. Two common types of scans: the SYN scan and the full connect scan.

-sS, SYN scan: sends a SYN packet; if it receives a SYN-ACK it marks the port as open, then sends a reset and tears down the session. You must be root to run a SYN scan, as it manipulates the network stack to send the reset out of sequence.

-sT, connect scan: completes the full TCP/IP handshake. Any user can run a connect scan, as the network stack is not manipulated.

-v, verbose mode: can be repeated for increased verbosity, and will update the status more often. If -v is not used, using…
BPFs
JeffSoh on NetSec, 2y ago
Introduction. What are Berkeley Packet Filters? BPFs are a raw (protocol-independent) socket interface to the data link layer that allows filtering of packets in a very granular fashion [1]. BPFs were first introduced in 1990 by Steven McCanne of Lawrence Berkeley Laboratory, according to the FreeBSD man page on bpf [2].

Working with BPF. If you use tcpdump for very long, you encounter what are called "primitives": filter expressions to tune your results so you only see certain traffic. Examples of primitives are "net", "port" and "addr", and qualifiers to those such as "src" or "dst". With these…
Wild West Hackin' Fest 2021
JeffSoh on NetSec, 2y ago
Wild West Hackin' Fest - Deadwood: I so love this conference. It's so much like DerbyCon. There aren't any "I hacked a car/plane/drone/coffee maker" talks. There aren't 10,000 people there and it won't make the national news like BlackHat or Defcon, but what it will do is give you information you can use in your day-to-day job, things to actually make your network safer. Flash and glitter are great and lots of fun. Huge parties and massages courtesy of IOActive at the Oasis are cool too, if that's what you like. Less interesting but much more relevant is information you can apply to y…
Speed Kills
JeffSoh on NetSec, 3y ago
In computer science, speed is all. Everything we do, we want to do as fast as possible. Right? No. Consider slow hashing algorithms. Some hashes are intentionally computationally expensive. Why? Because attackers have multi-GPU dedicated password-cracking machines that can try millions of variations per second. A hash that requires more computation power is much slower to crack because of the time it takes to try each variation. Sure, your user may have to wait half a second longer for the authentication form to go away and the page to load, but his/her credentials are many times mor…
Packet Captures in the Age of TLS
JeffSoh on NetSec, 3y ago
Ten to fifteen years ago, a company having FPC (full packet capture) was an indicator of the seriousness of the company's information security efforts. Having trained analysts who could use those packets to analyze alerts from NSM devices was an even better indicator. Today, the network landscape has changed to the point of having little similarity to a decade ago. The workforce was already starting to go mobile before COVID, and the pandemic forced a large swath of workers home. Mobile devices used for work became common, and services in the cloud became prevalent. We started…