Brad Bits: December 18, 2024
Hello reader,
I hope this blog post finds you well. I am dusting off the old blog. If you are in my network, you likely know that I am currently in career transition and now that I have some much-needed creative space, I thought I would start blogging again. While I will share this out on social via LinkedIn and X, the siloed social media scene in cyber these days has led me to keep my blog posts on my own platform. What would you like to see from me? I have a unique background and skill set across not only cyber, but also aviation, academia, and law enforcement. For today's blog, I thought I would focus on a cyber headline that hit my inbox this morning via WSJ: "Apple declined to help Harris campaign over suspected hack".
Yesterday, Forbes published the story and it highlights (yet) another example of privacy and security front and center. Apple.com/privacy is clear..."Privacy is a fundamental human right." In late October, the Harris campaign had reached out to Apple for assistance in extracting a "raw image" from two senior staff members' iPhones after iVerify's product had detected spyware on these iPhones.
From my perspective, Apple and other tech giants will continue to grapple with privacy and security. Apple has been consistent with its privacy stance, and I am glad to see Forbes call out the 2016 Apple vs. FBI case, which set a precedent for so many other privacy issues. So why does this all matter? Your smartphone is an extension of your identity. The smartphone is heavily used in the enterprise for multi-factor authentication solutions and as part of a robust zero trust strategy. Since the beginning of time, law enforcement has used novel tactics to catch adversaries. As tech companies continue to build privacy and security into their solutions, how do they responsibly work with governments to respond to these inquiries? That's the million-dollar privacy question. What say you? Let's see where recent innovations in quantum computing and generative AI take us as a civilization and how we tackle espionage, which has been around for centuries.
So what else am I doing in my creative time? I am currently looking for the next career adventure and working on an FAA rating for my pilot’s certificate. I have also done some pro bono consulting and reconnecting with folks. How do you start your day? For me, it's the gym, journaling, and reading with my favorite cup of coffee/ tea. I have followed this routine since the early days of the pandemic, and it has really helped me elevate my days and how I show up for my family, the teams I have led, and key relationships with customers and clients I have served. In January, I will be attending the SANS CTI Summit. For my CTI nerds, it would be great to connect in person in D.C. next month. If you are hosting an event or looking for a speaker to support your event hit me up.
2016 Blog Update: Reviving my DFIR Corner
Happy New Year.
I wanted to take a minute to update my blog. It has been a while since I've blogged, and a lot of exciting things are going on in my DFIR corner. I am reviving my blog and will post more often.
First, I am happy to report that beginning next week I will be teaching a Basic Cyber Crime and Computer Forensics evening course at a local university this semester. I am excited to begin teaching this undergraduate course to business, technology, and law enforcement majors. It is a perfect blend of student majors and backgrounds, which should create a good learning environment. During my law enforcement career, I taught recruits at the academy, and it's one thing I miss. Nowadays, with my forensic consultancy and caseload, I do not have much free time for instructional development, so it'll be nice to get back into the classroom one evening per week. Speaking of caseload, the last 3 weeks of 2015 and the start of 2016 have kept me busy. Casework is great, but it leaves little of the much-needed time for lab work and testing. If you understand the saying "feast or famine," then you must be a forensic consultant. Friend and fellow forensicator Hal Pomeranz wrote an excellent series several years ago about getting into the forensic consulting world. If you are looking into forensic consulting, make sure you check out Hal's series.
Second, on a recent IR engagement I was conducting triage-level analysis on a Windows 7 machine. If you are new to DFIR, you may not be familiar with ShimCache. While I will not go into a high level of detail on this well-known artifact in this particular blog post, I wanted to highlight its importance in your intrusion and malware investigations. Corey Harrell has an excellent write-up on this artifact that you must read. According to Microsoft, the Windows Application Compatibility Infrastructure, or ShimCache Infrastructure, uses a form of API hooking to keep applications compatible from one version of Windows to the next. On a Windows 7 machine, look in the C:\Windows\AppCompat\Programs\ directory.
RecentFileCache.BCF stores full UNC paths of executables recently executed on the system. You can read the RecentFileCache.BCF file with a hex editor.
Harlan Carvey released rfc.exe and other tools alongside his Windows Forensic Analysis, 4th edition (WFA4e) book. Using Harlan's tool and X-Ways Forensics (XWF), I quickly identified malware in Volume Shadow Copies (VSCs).
Usage:
C:\forensics\rfc.exe %Path%\RecentFilecache.bcf
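As an added illustration (not the author's code and not Harlan's rfc.exe), here is a small Python parser for RecentFileCache.bcf that runs against a constructed sample file. It assumes the layout the public tools work from: a 20-byte header, then back-to-back entries of a little-endian DWORD character count, the UTF-16LE path, and a two-byte terminator; check that assumption against a real file from your own case before relying on it.

```python
import struct

# Assumed layout (verify against a real file): 20-byte header, then entries of
# <DWORD char count><UTF-16LE path><2-byte null terminator> until end of file.
HEADER_SIZE = 0x14
MAX_PATH_CHARS = 32767  # sanity bound; a larger count means corruption or a misparse


def parse_rfc(data: bytes) -> list[str]:
    """Return the executable paths recorded in a RecentFileCache.bcf image."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the 20-byte header")
    paths = []
    ofs = HEADER_SIZE
    while ofs + 4 <= len(data):
        (nchars,) = struct.unpack_from("<I", data, ofs)
        if nchars == 0 or nchars > MAX_PATH_CHARS:
            break  # zero-length or absurd count: treat as end of valid data
        start, end = ofs + 4, ofs + 4 + nchars * 2
        if end + 2 > len(data):
            break  # truncated trailing entry: stop rather than emit garbage
        paths.append(data[start:end].decode("utf-16-le", errors="replace"))
        ofs = end + 2  # skip the UTF-16 null terminator
    return paths


def unusual_locations(paths, trusted=("\\windows\\", "\\program files")):
    """Paths outside the usual system directories: a triage hint, not a verdict."""
    return [p for p in paths if not any(t in p.lower() for t in trusted)]


def build_rfc(paths) -> bytes:
    """Construct a sample file in the assumed layout (only to exercise the parser)."""
    body = b"".join(
        struct.pack("<I", len(p)) + p.encode("utf-16-le") + b"\x00\x00" for p in paths
    )
    return struct.pack("<IIIII", 0xFFFFFFFE, 1, 1, 0, 0) + body  # constructed header values


SAMPLE_PATHS = [  # constructed sample paths, not from a real case
    "c:\\windows\\system32\\cmd.exe",
    "c:\\users\\jdoe\\appdata\\local\\temp\\installer.exe",
    "c:\\program files\\7-zip\\7z.exe",
]

if __name__ == "__main__":
    for p in unusual_locations(parse_rfc(build_rfc(SAMPLE_PATHS))):
        print("review:", p)
```

Point it at a real image by replacing build_rfc(...) with the bytes read from the file; the unusual_locations filter is the kind of first pass that surfaces executables living in user-writable directories for a closer look.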
Links:
- RFC.exe by HC
- LRC: Brian Moran's Live Response Collection
References:
- ForensicsWiki: http://www.forensicswiki.org/wiki/Windows_Application_Compatibility
- Journey Into Incident Response: http://journeyintoir.blogspot.com/
- Windows Incident Response: http://windowsir.blogspot.com/
Well, that's all the time for now folks...
Faith. Family. Football. Forensics
CyberFetch Interview
Recently, I was interviewed by CyberFetch as part of the Spotlight series. The Spotlight series highlights interesting people in the cyber forensics community.
The interview, which was driven by reader-submitted questions, is now available at https://www.cyberfetch.org/spotlight
CyberFETCH is a program of the Department of Homeland Security (DHS) Science & Technology (S&T) Directorate.