Posts

Showing posts with the label malware

Digital Forensics Applied to Kubernetes - Enhancing Intruder Dilemma Part III

Read Time: 5 Minutes

Continuing to share the research I started last year, I am releasing my slide deck for "Digital Forensics Applied to K8S"; the presentation can be found here. I plan to continue releasing content that addresses forensic analysis of containerization-related technology and eventually relate that back to full CI/CD forensic analysis. The release list as of now looks like this:

Docker Forensics*
Malicious Container Analysis*
K8S Forensics*
SAAS Containerization Forensics
CI/CD Forensics

Stay tuned for more content and leave your suggestions below!

Reverse Engineering Methodology Applied to Containers - Enhancing Intruder Dilemma Part II

Read Time: 5 Minutes

Continuing to share the research I started last year, I am releasing my slide deck for "REM(Containers) - The real Xanthe". I just presented this and plan to continue releasing content that addresses forensic analysis of containerization-related technology and eventually relate that back to full CI/CD analysis. The release list as of now looks like this:

Docker Forensics*
Malicious Container Analysis*
K8S Forensics
SAAS Containerization Forensics
CI/CD Forensics

Stay tuned for more content and leave your suggestions below!

REM(Mach-O) - From Bad Apples to Turning Jues to Wine

Read Time: 5 Minutes

During 2019, I worked on several presentations for my local community. After much work, we felt one of them, "REM(Mach-O) Looking at Bad Apples", might be ready for public consumption after I shared it with my local DEFCON community, DC706. You can see my community's pre-screening of the content here. I selected Atlanta B-SIDES 2020 and created a new cut of the content titled "REM(Mach-O) Turning Jues to Wine". I also updated a Mac OS X Reversing Quick Reference for attendees who were interested in building on the private learning I was going to share. Since that content was never presented, I wanted to take the time to at least release the material via blog post so it is generally available. I am looking forward to building some new content before 2020 ends and hopefully presenting something fun in 2021! Please leave comments if you have questions, of course.

VBN File Analysis - Decrypting for the Masses

Read Time: 5 Minutes

In 2012, Hexacorn Ltd posted a couple of blogs on their website about decrypting VBN files: the original post and a second post. In their original research, the team at Hexacorn Ltd identified that "...Symantec's VBN files can be encrypted not only with 0x5A, but also 0xA5...". In their later post they disclosed that the encrypted data is separated by a "...5 byte 'chunk divider' in a form of 0xF6 0x?? 0x?? 0xFF 0xFF. So, to reconstruct the encrypted Quarantine files, one needs to decrypt them with 0xA5 first and then remove the chunk dividers...". Both are valuable insights that I can confirm should be observed when decrypting VBN files. For 2018, here are a few more insights into the data structures and analysis considerations for decrypting VBN files:

The first 388 bytes are reserved for the original directory and filename of the quarantined file
The next 2052 bytes contain metadata regarding the detection...