Keven Murphy

Our story so far... The list of IOCs is growing as the group conducts the triage. As they find new files related to the actor, the IR team goes back and searches the previous tools output to ensure everything has been picked up. With new files, mf.bat, ga86.exe, and rar.exe, from the ShimCache...

Our story so far... Hermes starts reviewing malware review of wde.exe, ght.exe, and vc.exe procured through FRAC. Meanwhile Frank, starts on the Shimcache review now that the AT jobs review has been completed. Frank asks another team member Chris, to start on conducting forensics on some of the...

Our story so far...Frank, working with Hermes, another security analyst, goes to work to review the tens of thousands of files retrieved by FRAC. They start off by reviewing the returned AT jobs. AT Job Used by Actors AT jobs are scheduled tasks created using the at.exe command. At jobs take the...

Our story so far...Frank, security analyst, reviews the files uploaded by Tony. During the review, Frank notes that AT jobs were used to run malicious tools on Bob's machine. Some of the AT jobs show some unknown batch files being ran during the same time frame as the malicious tools. It is...

Our story so far... Frank, a security analyst, is reviewing network traffic and notes that the VP of Merger and Acquisitions' machine has transmitted a 2 gig encrypted RAR file to http://doggydaycareforvps.com. Frank notifies management and managments gets Bob, the VP, to contact Frank regarding...

Introduction Welcome to the first set of a series of articles on doing forensics on Solaris systems. Initially, I am going to go over the basics of Solaris from the forensics point of view. That is to say that I will not be going over Solaris administration, but rather how things work in Solaris....