This one is not a surprise, I hope. Most of forensic artifacts come from either file- or Registry- oriented artifacts. Of course, there is a macOS&OS/X world out there, there […]

This week is longer than I thought, so time to catch up… 🙂 This one is a mess, but sometimes a bit of a mess is not a bad thing. […]

Writing your own sandbox has many advantages – the most important is an ability to collect data only large companies have. Analysing many samples gives us an unique insight into […]

This series got a bit delayed, because I got sick last week. — This is a bit counter-intuitive – why would you want to collect strings related to games? First, […]

Knowing what service name is what is quite useful. The attached list lists many, primarily native OS, and security product-related services that I have aggregated by looking at native services […]

You are either technical, or you are not. What does it mean? Many tried to answer that borderline philosophical question, but as far as I know no one is really […]

There was a time when knowing GUIDs of adware/spyware you could instantly attribute a sample to a known rogue company or group. Of course, these days are long gone, but […]

Reversing is not only hours spent analyzing code. It’s also about collecting interesting data so that it can be used to quickly determine other programs’ functionality in the future. Recognizing […]

Imagine you stop processing your phishing reports today. Just stop. What could be the worst thing that could happen? Hmm ? Of course, some people will still get phished, some […]

Unique PDB debug paths embedded inside malware are useful to detect other variants of the malicious family (not applicable to more advanced malware families where authors either wipe the paths […]

The previous parts of this series were done ‘manually’. I would come across some new type of DLL and would jot down its properties so I would have a point […]

What are Windows file extensions of interest ? Is there a single superset of all possible file extensions that are of interest from a security perspective? I tried to answer […]

Ug_0Security asked, and I am answering 🙂 Not all of them are just from win11, but it’s just a quick diff between what I saw back in 2018 and one […]

With file handlers being yet again a topic du jour it was only natural to try answering a question — how many file protocols are really out there? I tried […]

In the last post I described how we can pull some interesting metadata from decompiled installers. Today I want to discuss one practical example of how this data can enrich […]

Looking at installers of goodware is quite boring. They do the right thing, at least most of the time, and there is not much to see there. However, if you […]

Long before endpoint event logging became a norm it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc.. Antivirus companies, and later sandbox companies had tones […]

Update 3 If you want to know more about salaries at FAANG and all over the world look at the following resources: levels.fyi h1bdata.info https://docs.google.com/spreadsheets/d/1TWvPQalmwl1sIS3n2eOU4KST4oJwcxtSfT8lMo9IgVM/edit https://twitter.com/LadyCyberRosie/status/1490695657249816583 Update 2 tl; dr; […]

I have written a lot about anti-vm tricks, and while this topic is so worn out that almost feels like kicking a dead horse I felt there is still a […]