Cyber Security posts

Endpoint detection and response (EDR) - setting the record straight
 -  When I went to bed on the evening of Friday 19th July, I couldn’t sleep. It was a stuffy summer’s night in London, and the adrenaline was still pumping through my veins after one of the more notable days in recent memory for cyber security. Still, laying awake gave me...
Centralisation, repeatability, and automation in a modular SOC
 -  The dictionary definition of “modular” leaves a little to be desired: “Employing or involving a module or modules as the basis of design or construction.” What is implied, but that I would make explicit, is that parts of the whole can be swapped out easily while maintaining the functionality of...
Cyber security sometimes means learning things backwards
 -  Stick around cyber security Twitter or LinkedIn for long enough and you’ll likely see somebody raise a question about how to get into the industry. You’ll also likely see a reply that describes a kind of rite of passage from sysadmin, to SOC analyst, to just about any other security...
Investigating Explorer's temporary ZIP folders and retrieving files
 -  If I was to describe how often malware is downloaded within ZIP archives, “common” would be a huge understatement. A key artefact in these investigations is the temporary directory Windows creates when a user opens an archive in Explorer, but I recently realised I’d never actually run a proper test...
Parsing login sessions from the Windows event log with PowerShell
 -  Faced with a day at home recovering from my most recent COVID-19 booster vaccine, I realised I hadn’t written anything more than a few lines of PowerShell in a while and decided to spend some time working on something interesting. The idea occurred to me to try to correlate Windows...
Linux .bash_history: Basics, behaviours, and forensics
 -  During any incident investigation on a Linux system, one of the most valuable things for responders and forensicators to establish is which commands were run. This is key to finding out what an attacker or malicious user was attempting to do, and what remediation activities are required. The .bash_history file,...
SANS Holiday Hack Challenge 2021: Slot machine walkthrough
 -  Here’s one more writeup from the SANS Holiday Hack Challenge! The slot machine hack was one of the showpiece challenges this year, so I thought I’d put together a quick blog post to guide you through the process of identifying and exploiting a vulnerability in the game. The challenge Our...
SANS Holiday Hack Challenge 2021: Yara rule analysis walkthrough
 -  Over the Christmas break I took part in an annual tradition - the SANS Holiday Hack Challenge! For 2021 the team had put together a fresh set of challenges for this festive CTF, and now that the deadline for submissions and subsequent embargo has passed, I thought I’d share a...
Installing Splunk Free in a virtual machine for log analysis
 -  Splunk is considered the gold standard for analysis of event logs and other data, but unless you’re lucky enough to work for an organisation that pays for it, it can be difficult to get practical experience in how to run searches, build dashboards, and otherwise dissect data using its query...
File carving: Recovering a deleted file from a Windows disk image
 -  Most computer users assume that when they delete a file and empty the Recycle Bin, it’s gone forever. After all, if Windows doesn’t show us a file, it doesn’t exist anymore, right? Wrong. With the right tools and knowledge, forensics experts can find fragments - or even complete versions -...

Thinking about

Website v2.0
I've given my website its first major update since 2020, keeping the same general aesthetic but placing a greater focus on content. Now to come up with some blog post ideas...

Interests

  • Cyber security
  • Tech
  • Python
  • PowerShell
  • JavaScript
  • F1
  • Reading
  • Writing
  • Psychology
  • Philosophy
  • Exercise
  • Running
  • Gaming
  • Football
  • Music
  • Guitar