Incident Response – Compass Security Blog

Docker Forensics

Sometimes one goes deep down the rabbit hole, only to notice later that what we were looking for is just under one’s nose.

This is the story of a digital forensic analysis on a Linux system running docker containers. Our customer was informed by a network provider that one of his system was actively attacking other systems on the Internet. The system responsible for the attacks was identified and shut down.

Our DFIR hotline responded to the call and we were provided with a disk image (VMDK) to perform a digital forensic analysis.

The “Volatility Triage App” for Splunk

November 24, 2020 / Giuseppe Scalzi / 0 Comments

Intro into a Compass Splunk App, which can be used to perform a first triage and high level analysis of Volatility results coming from multiple hosts.

101 for lateral movement detection

September 1, 2020 / Cyrill Brunschwiler / 0 Comments

The article discusses the very basics to keep systems ready for analysis of lateral movement. We present some guidelines in form of a cheat sheet and a tool (Readinizer) that you can run, to ensure that everything is set up as in the guidelines provided.

Reversing a .NET Orcus dropper

April 14, 2020 / Giuseppe Scalzi / 0 Comments

In this blog post we will reverse engineer a sample which acts as downloader for malware (aka a “dropper”). It is not uncommon to find such a downloader during DFIR engagements so we decided to take a look at it. The sample that we are going to analyze has been obtained from abuse.ch and was […]

Invoice Fraud with Everything the Bag of Tricks Has to Offer

February 25, 2020 / Fabio Poloni / 0 Comments

Sometimes, it doesn’t take much for a good scam: a good story, a little persuasion, then disappear again… and sometimes, the scammers come up with tactics that come straight out of the textbook.

Challenging Your Forensic Readiness with an Application-Level Ransomware Attack

November 25, 2019 / Damian Pfammatter / 0 Comments

Ransomware focuses on encrypting data on a filesystem-level, either locally on infected client systems or remotely on accessible file servers. However, what if ransomware would start encrypting data on an application-level too?

Investigating Data Leakage via External Storage Devices

April 26, 2019 / Damian Pfammatter / 0 Comments

Contents Introduction Background Story External Device Access Auditing with Windows Security Event Logs Audit Plug and Play Activity Audit Removable Storage Activity External Device Access Auditing with Default Windows Artifacts Other Ways to Monitor External Device Usage Conclusion References Introduction Have you ever investigated a data leakage case involving a suspect potentially leaking data to […]

Windows Forensics with Plaso

March 25, 2019 / Cyrill Brunschwiler / 2 Comments

Present State of Affairs We have been teaching forensics and network incident analysis for quite a while. We have investigated into a reputable number of cases and we are not the only doing so. Hence, one would expect a certain degree of automation in analysis. However, the high frequency of software release cycles somehow leads […]

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	Contains a random generated user ID. Used to distinguish recurring users. Collects statistics on the user's visits to the website, such as the number of visits, average length of stay on the website and which pages were read.
_gat	1 minute	Used to throttle request rate for Google Analytics.
_gid	1 day	Contains a random generated user ID. Used to distinguish recurring users. Collects statistics on the user's visits to the website, such as the number of visits, average length of stay on the website and which pages were read.

Compass Security Blog

Offensive Defense