Posts

Showing posts from May, 2022

Questions and Answers to some TTPs involving Malicious Processes

When examining running processes for signs of a breach, is it possible for a malicious process to run under the same name as a legitimate process? As someone who runs multiple windows of Chrome, I expect to see more than one chrome.exe among my processes, and malware may run another process under that same name. Additionally, at least in some CTFs, I often see malware run processes under a misspelled name; is this seen in other breaches?

Taking a Closer Look on IPv6 and Portable Executable Files

These were other things I learned during my investigation. I am noting them here for my own benefit, for whenever I need to return to them in the future. When reading netscan results, most addresses were not in IPv4 format but rather IPv6. After some research I learned I was looking at link-local IPv6 addresses (LAN) because of the "FE80" prefix, the first 10 bits of the IPv6 address. This introduced me to telling the difference between a local address and a global (public) address.

Memory Analysis Practice

As a DFIR enthusiast, my first post on this blog will be about memory forensics. The mock case I have been investigating is provided by DFIR Madness by James Smith. The setting of this case involves a popular cartoon character's sauce recipe being leaked, and as digital forensic examiners we must attempt to uncover how this happened. Jumping forward to the analysis phase of the investigation, I will be examining the memory of the domain controller (DC) server. The conclusion of my findings is at the bottom of this post.