Monday, April 23, 2018

National CCDC 2018 Redteam Debrief

Hello Reader,
       Another year of CCDC is over and another winner has been crowned.

For those of you just here for the presentation, here are this years debrief slides:

For those of you looking for more:

This year at Nationals we had a lot of success as a red team From 0 knowledge (Except ips in scope) to plain text credentials in 3 minutes ensured that our initial load of persistence was successful. However like in all great pursuits it was not perfect. This year we attempted different delivery and propagation techniques that need to validate our malware was successfully implanted to make sure all systems are talking to us.

Speaking of talking to us this year teams got better at their egress filtering and locking down incoming services. This means we have to get better at backdooring existing services and work on techniques that don't require call backs that egress filtering will stop.

Lots to plan, lots to do for next year. 

Monday, February 12, 2018

2018 Updates and Teaching SANS Windows Forensics FOR500 in Singapore

Hello Reader,
        I know the blog has been quiet, but if you didn't know the Youtube channel has been active you can find it here, For those who listen to the podcast I'm sorry I haven't gotten it up to date with the videos of the Forensic Lunch, I'll see about getting that done this month.

Speaking of this month we will have two Forensic Lunches this month:

2/16/18 - Ashley Hernandez and Joe Sylve from Blackbag talking APFS and a whole bunch of other new stuff
2/23/18  - Guests being Confirmed

Broadcasts go live on the Youtube channel,, and subscribing gets you notifications when we go live.

My goal is still two Forensic Lunches a month with a mix of blog posts and night time live Forensic Test Kitchens through the month to keep me engaged and pushing me to share. Myself and the team at G-C Partners are working on some really cool stuff to share this year so please stay tuned.

Speaking of things that keep pushing me to answer new questions and share I'm having a big of a global journey this year in my teaching schedule at SANS.  With my first public class starting March 19, 2018 in Singapore.

Also for those in the Singapore area I will be giving a public SANS At Night talk about Anti Anti Forensics showing our file system journaling forensic research for the first time in Asia.

I don't know if I'll ever have the time to do as much travel as I'm doing this year again so if you are in the Asia Pacific Rim I'll be in Singapore in March and Australia in June

If you really want to go in depth with Windows forensics I would encourage you to sign up and spend a week with me deep diving into interactions, limitations and workarounds for all the artifacts you know and love. In addition I love it when students ask me questions I've never considered before and we find new artifacts or meanings together in class! Also this is the only venue where I walk through how to use our Triforce tools.

For those in Europe or class by I'll be in London and Amsterdam this year:
Amsterdam in May

London in September

Otherwise thanks for reading and lets look forward to all the new research we can complete in 2018.