  • Why Arkime is a Game-Changer for Network Forensics (and Why It's Not Just Another Wireshark)

    Let’s be honest — dealing with network traffic at scale isn’t exactly a walk in the park. Sure, command-line tools are powerful, flexible, and scriptable. But if you’ve ever tried to string together a bunch of scripts to process large volumes of PCAPs, you know how quickly things can turn into a tangled mess. Debugging scripts, managing tools, filtering data, reviewing results — it’s like solving a puzzle... blindfolded. Naturally, when we need to dig into network packets, most of us reach for Wireshark. It’s a trusted friend — great for deep packet inspection, clean interface, amazing protocol support. But the second you throw gigabytes (or terabytes) of traffic at it? Boom. It chokes. 🫣 So what’s the alternative if we want to scale up without shelling out thousands of dollars for commercial network forensics solutions? Say hello to Arkime.

    🌐 Meet Arkime: Open Source, Scalable, and Surprisingly Powerful

    Arkime (previously known as Moloch, and yes, you’ll still see that name floating around in some commands and docs) is an open-source tool designed specifically to capture, index, and analyze network traffic — at scale. What makes it stand out? Three things:

      • It captures full packet data.
      • It indexes traffic for lightning-fast search.
      • It gives you a clean web interface to explore, filter, and export PCAPs.

    Think of Arkime as the bridge between bare-bones command-line tools and overpriced commercial network forensics platforms. It was originally created by folks at AOL (yes, that AOL) who needed something robust but flexible. Fast forward to today, and it’s used by defenders and analysts worldwide who want powerful PCAP analysis without blowing their budget.

    🧩 How Arkime Works — Without the Boring Diagrams

    Arkime isn’t just one single app — it’s a modular system:

      • Capture Node: Think of this as the sensor. It grabs packets off the wire and stores them.
      • Elasticsearch: This is where Arkime keeps track of all the session metadata — aka Session Profile Information (SPI). This lets you search super fast, even across billions of packets.
      • Viewer: The web interface where you search, filter, view session details, and extract PCAPs.

    Now here’s where it gets cool: Arkime scales horizontally. That means you can run everything on one box if you’re working with small-to-mid traffic volumes (like in a lab). But in a real-world environment? You can deploy multiple capture nodes across your network — each feeding metadata back to a centralized Elasticsearch cluster. So yeah, it’s built for scale.

    🧪 Real Talk: Where Arkime Shines and Where It Stumbles

    Arkime is not perfect, and it's not trying to be everything for everyone. But here’s a breakdown:

    ✅ What’s Awesome:

      • Free and open source. (Did I mention that already? Worth repeating.)
      • Scalable across small labs or large, enterprise-wide deployments.
      • Fast search across massive PCAP data.
      • Simple, browser-based UI for analysis.
      • Integration-friendly — you can plug Arkime into other tools or SIEMs easily.
      • Active community — if you’re stuck, there’s a free Slack group where the devs actually reply!

    ❌ Where It Falls Short:

      • Protocol coverage isn’t as wide as Wireshark's. Some obscure or proprietary protocols just won’t parse unless you write your own parser (which isn’t trivial).
      • Live traffic at high speeds? Yeah, that’s where you’ll need to invest time in tuning. Poor architecture = dropped packets.
      • No official support. This is community-powered. If your boss wants an SLA, you’re out of luck unless you hire third-party consultants.
      • Deployment complexity increases with scale. You need to understand Elasticsearch well and know how to tune it for performance and stability.

    🧠 Why You Should Care (Even If You’re Just a One-Person DFIR Team)

    Let’s face it — not everyone works at a fancy SOC with million-dollar tools. Whether you're running a home lab, working incident response at a midsize company, or just learning packet forensics, Arkime fills that sweet spot between Wireshark and expensive enterprise tools like RSA NetWitness or Fidelis. Need to:

      • Hunt down command and control traffic?
      • Pull sessions involving a suspicious domain?
      • Track data exfiltration over DNS or HTTP?

    Arkime makes all of that way easier, without you spending hours combing through raw PCAPs manually.

    Please note: For demonstration purposes, I installed Arkime using WSL. However, this setup is not recommended for production use. For optimal performance and full functionality, it is strongly advised to install Arkime on a native Ubuntu environment or a dedicated Linux server.

    [Screenshots: installing the package; configuring Arkime (the installer asks about a MaxMind account; you can say yes, but I said no); running the service; adding a user; enabling the service; once done, visiting http://localhost:8005/; the resulting output.]

    While it's possible to run Arkime on WSL for testing purposes, please note that resource consumption — particularly CPU and memory usage — can increase rapidly during operation. If you're using WSL, I recommend disabling services like arkime-capture, arkime-viewer, and elasticsearch after completing your tests to avoid unnecessary system strain.

    🚀 Final Thoughts

    Arkime isn’t trying to replace Wireshark — it’s trying to extend your power as a network analyst. It’s not flashy. It won’t hold your hand. But if you give it a chance, it’ll become one of the most powerful tools in your forensics arsenal.

    Dean

    Do not miss the upcoming article: Querying Like a Pro in Arkime: Getting the Most Out of Arkime Viewer: Beyond the Basics

  • Petra Security: Reporting, Threat Hunting, Investigation tip and Final Thoughts

    In the final part of this Petra Security overview, let’s dive into one of my favorite tabs: Reporting — and then explore how you can conduct effective threat hunting using Petra’s Activity and Users views. Let’s go.

    📊 Reporting: The Power of Organized Insights

    The Reporting tab in Petra is divided into focused views — so you can break down incidents, trends, and anomalies without hunting through messy dashboards. At the top left, you have the option to generate downloadable PDF reports, which are super helpful for SOC leads, management, and even clients during monthly security reviews.

    🚫 Failed Attacks: Know What Was Blocked

    The first tab shows you Failed Attacks. This is exactly what it sounds like — reporting on all login attempts and activity Petra stopped before they could do any damage. And that’s important. You not only get to investigate what happened, but also what could’ve happened — and how Petra stopped it. This allows security teams to:

      • Identify patterns
      • Prepare for future attacks
      • Patch weak spots in identity hygiene

    As I always say — don’t take security lightly. It’s not just about reacting; it’s about getting ahead of attackers.

    🧠 Uncommon Activity: ML-Powered, Analyst-Friendly

    [Screenshot: false positives Petra closed that looked like a compromise but weren't.]

    Now, let’s talk about the real MVP of the Reporting tab — Uncommon Activity. This is where Petra’s machine learning truly shines. From a SOC perspective, this is a huge deal. For example:

      • Impossible travel detections
      • New device sign-ins
      • Sudden location changes
      • Proxy/VPN logins

    Petra filters out the noise and only flags what actually matters. You see, I’ve worked with many SOC L1/L2 teams. I know firsthand how many false positive impossible travel alerts they close daily. Petra solves that — it’s automated, reliable, and doesn’t require babysitting. And that brings massive cost-efficiency to a company.

    [Screenshot: false positive example.]

    🚨 Microsoft P1/P2 Risk Tab — But Without the Noise

    [Screenshot: all false positives Petra closed.]

    We all know Microsoft’s P1 and P2 license features — especially risky user and risky login alerts. But let’s be honest: they generate a lot of false positives. Petra provides the same — and better, but with machine learning that actually works. No whitelist needed. No tuning rules for VPNs. It just understands behavior and adapts.

    🔍 Threat Hunting with Petra: Two Ways to Investigate

    Let’s say you want to investigate a specific user — maybe you’re wondering:

      • Did they download any sensitive files?
      • When did that happen?
      • What IP did they use?

    You have two ways to do this in Petra:

    1. Activity View (which I showed in my second article). This is the full organizational timeline — filter by the user’s email ID, add action filters (e.g. “File Downloaded”), and start hunting.

    2. Users Tab (which I also showed in my second article). In simple language, this view is user-specific. Click on a user and get:

      • Identity summary (job title, auth methods, etc.)
      • Activity timeline (login, file access, email events, etc.)

    This per-user deep dive is smooth and intuitive — a dream for any SOC analyst doing incident recon.

    Before wrapping up this overview, I want to share a few important investigation tips that Petra itself recommends — and after working through several incidents, I can confidently say these tips are spot on. There is a lot more you have to focus on, but let's keep this simple for now. Whether you're responding to a live compromise or reviewing past activity, keeping these points in mind will make your investigation faster, sharper, and more effective.

    ✅ Focus on Sent and Created Events in Exchange

    These are often your first clue that something malicious happened — especially:

      • Emails created or sent to external recipients
      • Attempts to phish trusted third parties
      • Potential data exfiltration events

    Sent emails = intent. If an attacker created or sent a message, it usually means they’re trying to expand access or extract data.

    🗑️ Watch for Soft Deleted and Hard Deleted Events

    Attackers try to cover their tracks — and Petra captures that. They might:

      • Delete their phishing emails
      • Remove inbox rules they created
      • Delete replies to hide communication threads

    Petra preserves these events even if they’re deleted — a huge win for forensic integrity.

    🔐 Investigate Permission Changes in SharePoint

    If you see external sharing enabled or permission levels escalated — especially during or right after a compromise — that’s a red flag. This often points to:

      • Unauthorized access grants
      • Sharing links sent outside the org
      • Attackers prepping data for download

    Petra highlights this clearly, making SharePoint investigations way easier.

    ⚠️ Look for Malicious App Installs and Mail Filter Rules

    These are some of the most common persistence mechanisms attackers use post-compromise. Petra will:

      • Auto-highlight malicious app registrations
      • Show new inbox rules, like forwarding or redirect rules
      • Let you remove both instantly via the Remediation Actions Panel

    This helps you not just detect the attacker — but kick them out and shut the door behind them.

    📬 Answer the Big Questions

    Most clients and security leads want to know two things:

      • Did the attacker send anything externally?
      • Was any sensitive data accessed?

    With Petra, you can answer both questions confidently — using audit-backed evidence across Exchange, SharePoint, and Teams.

    Final Thoughts: My Honest Take on Petra Security

    Let me be clear — this tool isn’t trying to be everything. It doesn’t cover Defender for Endpoint or vendor telemetry. It focuses on identity. And what it does for Entra ID logs, Exchange, SharePoint, and Teams — it does better than anything else I’ve seen. In fact, I honestly believe it’s a solid replacement for Microsoft Entra P2 — except, unlike Microsoft's built-in tools, Petra actually works.

    “Petra stopped 10 attacks with 0 false alarms. No whitelists needed — even with VPN usage. If you manage Microsoft environments, you should be using Petra.” – Co-founder of one of the best security companies out there

    That’s not marketing hype — that’s real-world validation. I know this tool is paid — but what you get in return? Unmatched insight. Reduced analyst workload. Peace of mind.

    🤝 Want to Learn More or Connect?

    I’m not here to tell you to buy or not buy this tool. I’m here to say: Petra deserves your attention. If you’re serious about identity security in Microsoft 365 — and want real visibility, real-time ML, and actual investigation power — Petra is worth your time. And hey, if you want to get in touch with the Petra security firm, or a firm that gives you security, feel free to reach out to me. I’d be happy to connect you with the right people.

    Upcoming Article: Who’s Using a Proxy or VPN in Your M365 Environment — and Why It Matters https://www.cyberengage.org/post/who-s-using-a-proxy-or-vpn-in-your-m365-environment-and-why-it-matters

  • Who’s Using a Proxy or VPN in Your M365 Environment — and Why It Matters

    While working with SOC teams in Microsoft environments, I’ve observed that during impossible travel investigations, analysts often have to manually verify whether the login IPs belong to VPNs or proxy services — a tedious process that adds unnecessary complexity to their workflow. In today’s threat landscape, knowing where users log in from — and whether they’re behind a VPN, proxy, or data center IP — is crucial. But not all proxy use is malicious. In fact, a lot of it is completely benign. That’s where most tools fall short: they either over-alert or under-contextualize. Petra doesn’t.

    🧠 Petra’s Approach: Context First, Always

    Petra Security was built to detect real account compromises, not generate noise. It doesn’t just flag every VPN or proxy login — instead, it performs deep analysis to distinguish legitimate user behavior from suspicious patterns. Yes, some attackers use VPNs. But so do:

      • Traveling executives
      • Remote employees
      • Third-party contractors
      • Mobile users switching networks

    Petra understands that — and separates harmless VPN use from actual threats. But here’s the cool part: even benign usage is logged, preserved, and made instantly accessible for analysis.

    🔍 Two Powerful Ways to Investigate VPN and Proxy Use in Petra

    Whether you're investigating an incident or just trying to understand user access trends, Petra offers two main methods:

    📊 1. Reporting Interface — for Stakeholder-Friendly Insights

    Want a fast, clean way to see who logged in from a proxy or data center? Here’s how:

      • Go to your tenant (top left corner)
      • Click the Reporting tab
      • Open the Uncommon Activity sub-tab
      • Filter by Type: Proxy and Data Center Use

    You’ll get a list of users who accessed the environment through proxies, along with:

      • Timestamp of the event
      • User details
      • IP, ISP, and data center provider info

    Each entry can be clicked to open a dedicated view showing the context around the event, powered by Petra’s built-in log viewer. Perfect for quick reviews and sharing with stakeholders during audits or reviews.

    🧠 2. Logs Viewer — for Deep Dive Investigations

    For analysts or incident responders, Petra’s Activity Viewer (aka Logs Viewer) is where the real power lies. To investigate proxy use deeply:

      • Navigate to the tenant’s main dashboard
      • Scroll to the Activity panel
      • Apply these filters: Proxy: Yes (to isolate proxy traffic) and Login Status: Successful (to focus on real accesses)

    Now you’re seeing every successful login that came through a proxy.

    🔧 Advanced Filtering at Your Fingertips

    Want to pivot quickly? Petra makes it seamless:

      • Filter by User: right-click a username → Include — focuses only on that user
      • Filter by ISP or Provider: right-click an ISP (like Cloudflare or DigitalOcean) → Exclude — removes known-good noise
      • Combine with other fields like Country, Device Type, Operating System, or Login Method for laser-focused investigations

    This flexibility is what makes Petra such a powerful forensic tool — whether you're doing routine monitoring or full-scale IR.

    🛡️ What About Malicious VPN Use?

    Petra does classify suspicious VPN/proxy activity as an incident — when it detects behavioral anomalies or infrastructure overlap with known threats. But for everything else — including normal, repeated proxy use — Petra keeps a record, provides deep context, and lets you make the final call based on full visibility.

    🔍 Final Thought

    You can’t detect identity compromise without understanding how users are connecting. Petra’s approach to VPN and proxy detection is smart, contextual, and deeply investigable — without the noise or guesswork. Whether you're hunting for threat actor infrastructure or just learning who your heavy VPN users are, Petra gives you the tools — and clarity — to act confidently.

    Next Article: SharePoint and OneDrive Logs in M365: The Goldmine You’re Overlooking (with a Hidden Twist) https://www.cyberengage.org/post/sharepoint-and-onedrive-logs-in-m365-the-goldmine-you-re-overlooking-with-a-hidden-twist

  • SharePoint and OneDrive Logs in M365: The Goldmine You’re Overlooking (with a Hidden Twist)

    If you’ve been around the M365 security space long enough, you’ve heard the term Business Email Compromise (BEC) more times than you can count. It’s a term that makes most defenders instinctively focus on mailbox rules, phishing emails, and login anomalies. But here’s the uncomfortable truth: email often isn’t the real target anymore. More and more, attackers are skipping Outlook altogether and heading straight to the real goldmine — SharePoint and OneDrive.

    🎯 Why Attackers Are Laser-Focused on SharePoint & OneDrive

    Modern attackers understand one thing very well: organizations store their crown jewels in cloud storage, not just in emails. Here’s why SharePoint and OneDrive are so appealing:

      • ✅ Structured folders and filenames make data discovery easy (no need to dig through email threads)
      • 📁 Sensitive content like credentials, contracts, financials, and legal agreements is commonly stored there
      • 🔍 Search is fast and intuitive, especially for attackers with read access
      • 🧪 Files are often linked across departments, giving attackers access to multiple teams

    💡 Defenders: Expand Your Focus

    So, here’s the takeaway: if your BEC investigation ends at the mailbox, you might be missing the real breach. Ask yourself:

      • Did the attacker touch SharePoint or OneDrive?
      • What documents were accessed? Downloaded?
      • Was anything uploaded back into the environment?
      • How fast did the attacker move?

    Now for a question you might have run into as well.

    🚨 The SharePoint or OneDrive Log Puzzle: What’s With the IPs?

    When parsing SharePoint or OneDrive activity, one field naturally grabs attention: ClientIP. You’d expect this to reflect the end-user’s IP address — and sometimes it does. But here’s the twist: many of these IPs actually belong to Microsoft datacenters. That’s right — instead of pointing to the user's laptop in the USA or Mumbai, you're sometimes staring at an Azure IP block from San Antonio or somewhere across the country. And that can throw off your investigation if you're not ready for it.

    🧠 Why This Happens (According to Microsoft)

    After digging through Microsoft’s documentation (and quite a bit of head-scratching), the explanation becomes clear — and honestly, kind of brilliant. According to Microsoft:

    “For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity.”

    In simple terms: if a user edits a document via the Excel Web App or Word Online, that activity might come from a Microsoft backend service — not the user's physical machine. What you're seeing is activity being routed:

      • Partly from the end-user's device
      • And partly from the Microsoft web service acting on their behalf

    It’s like forensic shadow puppetry — the user pulls the strings, but the actions come from a different hand.

    🎯 The Forensic Takeaway: Attribution Gets Tricky

    So what does this mean for defenders? It means you need to be extra cautious when attributing SharePoint activity. Specifically:

      • ✅ Some activity truly originates from the user’s machine and IP
      • 🔄 Other activity comes through Microsoft datacenters close to the user (regional)
      • ❗ And occasionally, it comes from datacenters located hundreds or thousands of miles away

    If you're not aware of this nuance, you might mistake legitimate user activity for lateral movement or threat actor behavior — or worse, ignore suspicious access altogether.

    🧩 Clues Still Exist

    The good news? SharePoint and OneDrive logs contain plenty of additional metadata — like UserAgent, Operation, and timestamps — that helps you correlate events and validate whether an action was initiated by a real user or something fishy is going on.

    👁️‍🗨️ Petra Helps You See This

    And this is where Petra shines. Petra’s ML models understand user behavior across SharePoint and OneDrive and won’t trip on false positives like Microsoft’s native tools. Instead of just watching for login anomalies, it monitors file access behavior and anomalies, so you get real, actionable insights — not alert fatigue.

    Dean

  • Petra Security's "Incidents" Tab — A Game-Changer for M365 Breach Investigations

    If there’s one tab in Petra Security that I keep going back to, it’s the Incidents tab. This is where all the action happens. Whether it’s a suspected business email compromise (BEC) or credential abuse, Petra gives you a full incident timeline, with zero fluff and maximum clarity.

    🕵️‍♂️ It Doesn’t Just Show the Breach — It Reconstructs It

    Let me walk you through what I love about it. When you open an incident:

      • You see what the attacker accessed — including emails read, emails deleted, files touched, and actions taken.
      • It confirms the length of attacker access — for example: “Attacker had access for 8 minutes”. This level of precision is rare in M365 investigations.
      • And it tells you how long Microsoft’s logging delay was — “Microsoft logs were delayed by 4 minutes”. That context is gold when you’re trying to piece things together quickly.

    📧 Real Example: 327 Emails Read

    In one incident view, Petra showed the attacker read 327 emails. You can literally see:

      • Which emails were opened
      • Whether the attacker sent emails
      • Whether they modified or deleted anything

    Everything is timestamped. No guesswork. No stitching logs from multiple sources.

    📅 A Timeline That Actually Tells a Story

    Now this is what really makes Petra stand out — the timeline view. It doesn’t just dump logs. It tells the story of the incident:

      • Phishing email received
      • Login attempt (failed or successful)
      • File downloaded
      • Inbox rule created
      • User disabled
      • Account locked by Petra
      • Attacker session terminated

    [Screenshots: 1. The first screenshot shows the start of the activity, from the phishing email. 2. The second screenshot is the last page, where Petra has locked the account, killed the session, and disabled the user.]

    All of this is visually aligned, so you can follow the breach minute by minute — including automated remediation actions Petra took in real time. It makes investigation fast, visual, and accurate.

    🌐 Deep Dive Into Logins: Who, Where, How

    Let’s say you want to dig deeper into the login behavior of the above scenario. Just click the Login tab inside the incident. You’ll see:

      • Previous login IP
      • Known user location
      • Device and browser used (user agent)
      • And then the attacker’s new IP, location, and device

    So if someone logs in from the USA at 9 AM, and then suddenly another login shows up from Brazil five minutes later using a different ISP and browser — it’s immediately obvious.

    📨 Attachment Received & Opened — Email Evidence Tells All

    Want to confirm whether a user received a phishing email and clicked it? Petra’s Exchange tab within the incident confirms:

      • Whether the attachment was received (in this case: yes, per the screenshot above)
      • Whether it was opened (in this case: yes, attachments accessed/read)
      • And what happened immediately afterward, like malicious app installs or SharePoint access (in this case: no)

    This is huge when you need to prove the chain of attack or answer the client’s question: “How did this even start?”

    ⚙️ Remediation Actions — Right at Your Fingertips

    But wait — Petra doesn’t just show you the damage. It lets you take real-time action directly from the incident panel:

      • ✅ Lock the account
      • 🚫 Kill active sessions
      • 🔐 Reset the password

    This isn’t just monitoring — it’s investigation + response, in one place. No need to jump into Azure, Security Center, or PowerShell. One click and done.

    Thoughts

    This incident panel is the reason I keep telling people: Petra is different. Everything you need is in one place — presented clearly, contextually, and without a bunch of unnecessary clicks or tabs. The UI is clean. The data is actionable. And the fact that Petra tracks and highlights exact attacker actions? That’s a game-changer. Honestly, I just hope no big company comes in and acquires this as well. We’ve seen how that story goes — the innovation gets buried. But for now, Petra is still crushing it, and I’m here for it.

    Upcoming Article: Petra Security: Reporting, Threat Hunting, Investigation tip and Final Thoughts https://www.cyberengage.org/post/petra-security-reporting-threat-hunting-investigation-tip-and-final-thoughts

  • Petra Security: The UI, the Logs, and Why I Genuinely Prefer It Over Microsoft Sentinel

    Let me start with a personal opinion: I really like Petra Security’s user interface.  No offense to Microsoft Sentinel, but Petra’s UI feels modern, intuitive, and built for real-world investigation. With Microsoft, things are powerful — no doubt — but often buried in layers of menus and dashboards. Petra, on the other hand? Everything is just… right there. And that makes a big difference when you're knee-deep in incident response or hunting through user activity. ------------------------------------------------------------------------------------------------------------ 🔍 Not a Full Microsoft 365 Monitor — But the Best for What Matters Most Petra doesn’t aim to replace Microsoft Defender, Sentinel, or all your SIEM tools. It's not trying to be everything . But what it does  focus on — identity and account activity  — it does exceptionally well . Once the Petra app is approved by a Microsoft 365 admin (using OAuth), it starts collecting and analyzing the most critical logs  in your environment: Entra ID (formerly Azure AD) Exchange Online SharePoint Microsoft Teams Yes, logins are tracked — but they’re only about 2%  of the story. The real value lies in everything else. ------------------------------------------------------------------------------------------------------------ 🧑‍💼 User Intelligence: Before Logs Come In, Petra Knows the User Before we even touch logs, Petra collects rich identity information for every user: Full name and email Job title Whether the account is active or disabled Last password change Assigned Employee ID (if any) Phone number (if present) Authentication method : whether the user uses just a password, or also has MFA like Microsoft Authenticator And this part is so underrated. In Microsoft, you have to dig into separate portals or click multiple layers deep to get all this info. In Petra, it's presented in one clean view — which is super helpful during investigations . 
You can even quickly check which users don’t have MFA  enabled — something every security team should monitor. Because let’s be real: if users don’t have MFA set up, and your security team doesn’t catch it — it’s a problem . ------------------------------------------------------------------------------------------------------------ 🧭 The “Activity” Tab — Petra’s Unified Log View Petra doesn’t just give you logs. It gives you investigative context  in a timeline. And it calls this the Activity  panel. You can see everything here: Successful and failed login attempts File accesses Inbox actions SharePoint interactions Teams activity Everything is filterable. Let’s say you want to find all failed logins  — easy. Just filter for Incorrect password and boom, it’s there. Want to drill down on one user’s failed password attempts? Add that user email as a filter in username column and you're done. This isn’t just helpful — it’s fast. Investigators can zero in on anomalies within seconds . ------------------------------------------------------------------------------------------------------------ 📧 Exchange Logs — The Gold Standard for Email Investigation Here’s where Petra really won me over: the way it handles Exchange activity . You can see: Emails received , read , sent , and deleted Actions performed by the user Subject lines of the emails 😍 (yes, subject lines  — very helpful in investigation) Email rules created by the user Got a suspicion about a phishing email that led to compromise? Go check the subject line and delivery time. Done. Want to see if the attacker set up a malicious inbox rule? Filter for inbox rule creation  — it’s that easy. Petra even captures: Transport rules Mail sync events External sharing Delegate access Everything — in one  pane. Filters: (Few And Many more) No more switching between Microsoft 365 Security Center, Exchange Admin Center, and Sentinel. It’s all here.  That’s what I love about Petra. 
    ------------------------------------------------------------------------------------------------------------
    When it comes to Microsoft 365 investigations, we often talk about logins and email activity — but there’s so much more beneath the surface. And honestly, SharePoint and OneDrive logs are where a lot of the real impact lives. Think about it: attackers don’t just want to log in — they want to steal data. And where is that data? 👉 SharePoint and OneDrive. That’s why I was genuinely impressed by how Petra Security handles these logs.
    🧾 Every File Interaction Captured: SharePoint & OneDrive
    Petra tracks everything a user does inside SharePoint and OneDrive:
    ✅ File Accessed
    ✏️ File Modified
    📥 File Downloaded
    🔁 File Synced
    You might ask, “Why is this so important?” Well, let me walk you through a real-world scenario — especially for those newer to incident response.
    🧠 Scenario: The Silent Breach
    An attacker gains access to an M365 account. There’s no suspicious email activity and no new inbox rules. But in SharePoint:
    - They browse a folder named “Payment Docs”
    - Download Invoices_Q4_2025.xlsx
    - Sync an entire user directory to their machine
    - Access a document called passwords.txt
    Now without Petra, this might go completely unnoticed — especially if you're only reviewing login logs. But Petra stitches everything together. You can filter for downloads, file syncs, and modifications. You’ll see timestamps, file names, actions taken, and the user’s IP or device. This is why SharePoint and OneDrive logs matter. Petra gives them the attention they deserve.
    ------------------------------------------------------------------------------------------------------------
    💬 Teams Logs: Chat, Meetings, File Sharing
    We won’t go too deep here, but yes — Petra also tracks Teams activity.
    That includes:
    🧵 New chats created
    📎 Links or files shared
    📅 Meetings scheduled
    👤 Participant joins/leaves
    and many more.
    These logs are crucial for spotting lateral movement, phishing via Teams, or even attackers trying to extract data from group chats.
    ------------------------------------------------------------------------------------------------------------
    🔐 Authentication Logs: Who Changed What?
    Petra tracks authentication method changes across all users. So, you’ll know:
    - When a user removed MFA
    - When they added a new method (like Microsoft Authenticator or SMS)
    - If they’re only using a password (⚠️ red flag!)
    Why is this important? Because often, attackers try to downgrade authentication after getting in. Seeing those changes in plain view — without digging — is a massive win for any SOC analyst.
    ------------------------------------------------------------------------------------------------------------
    💻 Devices, Permissions, and App Registrations
    Let’s talk about the remaining three log sources Petra captures:
    1. Devices Log
    Tracks every device tied to a user — by:
    - Device name
    - User ID
    - Type (mobile/laptop/desktop)
    Perfect for identifying rogue endpoints or signs of lateral movement.
    2. Permissions Log
    Want to know which users have admin rights or custom roles? This log shows:
    - Role name
    - Role description
    - Assigned users
    Very helpful during privilege reviews and investigations involving privilege escalation.
    3. App Registration Log
    Petra tracks all enterprise and personal apps added into your M365 environment. You can see:
    - Which apps were installed
    - Who registered them
    - When they were added
    This is where attackers sometimes try to sneak in persistence — by registering apps with elevated API access.
    ------------------------------------------------------------------------------------------------------------
    🚨 All of This in One View — With Context
    Seeing all of this in one interface, filterable by:
    - IP
    - User
    - Country
    - Device
    - App
    - Log type
    …is honestly what sets Petra apart. It’s centralized, simple, and fast.
    ------------------------------------------------------------------------------------------------------------
    No flipping through five admin portals. No writing KQL queries. Just answers.
    ------------------------------------------------------------------------------------------------------------
    ⚡ Coming Up: Petra's Claim of “Zero False Positives” — Real or Just Hype?
    Petra claims to deliver 100% zero false positives. That’s a bold statement. Next, we’ll dive into what that really means, how their machine learning model works behind the scenes, and whether it actually delivers on this promise in real-world investigations. Stay tuned. 👀
    ------------------------------------------------------------------------------------------------------------
    Upcoming Article: (Petra Security’s “Incidents” Tab — A Game-Changer for M365 Breach Investigations)
    https://www.cyberengage.org/post/petra-security-s-incidents-tab-a-game-changer-for-m365-breach-investigations
    ------------------------------------------------------------------------------------------------------------

  • Petra Security: The ML-Powered Identity Sentinel You Wish Microsoft Built

    ------------------------------------------------------------------------------------------------------------ A few days ago, I left my job. Yup — packed up my virtual desk, dropped a goodbye emoji in Slack, and thought, “I’m finally free! I’ll take a break, maybe two or three weeks off. No writing, no tech, just peace.” Fast forward to today — and what the hell am I doing? Writing. Again. Like some kind of caffeine-powered content gremlin who just can’t stay away from tech blogs. ------------------------------------------------------------------------------------------------------------ Before we dive in... Huge shoutout to J  — you know who you are! I know everyone’s dying to know his full name, but let me check with the man himself before I start blowing up his phone with fame. Just know this: without J, this article wouldn’t exist, and I'd probably still be staring at a blank page. Thanks, legend. ----------------------------------------------------------------------------------------------------------- When I first came across Petra, I honestly wasn’t expecting to be this impressed. Petra is an OAuth-based security app for Microsoft 365 that does one thing — and does it incredibly well : identity threat detection .  Think of it as what Microsoft’s Entra P1/P2 should’ve been  — except smarter, more accurate, and way less expensive. ------------------------------------------------------------------------------------------------------------ 🔍 What is Petra? Petra works by ingesting Microsoft Entra ID (formerly Azure AD)  audit logs in real time. It doesn't need an agent, and it doesn't demand heavy configuration. All you do is send your client an authorization link, and once the Microsoft 365 admin approves the Petra app (with read access to audit data), Petra starts pulling the logs. That’s it. You’re up and running. No endpoint integration, no Defender licensing nightmares, no P2 tax. Just raw, real-time analysis of identity logs. 
    And here’s the best part — it works even with the most basic Microsoft 365 license, unlike Microsoft’s native "risky users/logins" features that require a full P2 license per user.
    -------------------------------------------------------------------------------------------------------------
    🤯 How It Works (and Why It’s So Accurate)
    Petra is built by a team of mathematicians — and honestly, it shows. Instead of relying on basic rule matching or threshold-based alerts, Petra runs ML models that evaluate 20–30 behavioral signals per user. This includes:
    - Login geography and frequency
    - Time-of-day access patterns
    - Operating system and browser fingerprinting
    - ISP profiling
    - Travel history and anomalies
    - And more…
    Whenever a new audit event is pulled, it’s passed through Petra’s behavioral models. These models are constantly learning and evolving, tailored to each environment, and shockingly precise.
    I’ve been in cybersecurity for years — and I don't say this lightly — Petra’s accuracy has completely changed the game for me when it comes to identity monitoring. (From - @J)
    I also got the chance to speak with someone, and their philosophy is clear: "Every identity has a fingerprint. You just need to look in the right places." That’s exactly what Petra does.
    -------------------------------------------------------------------------------------------------------------
    🔐 What About Write Access?
    By default, Petra is read-only. But there’s an optional write access feature (which I’ve personally enabled) that allows Petra to:
    - Lock user accounts
    - Kill active sessions
    - Cut off live threats in real time
    This turns Petra from just a passive observer into a proactive response engine. And again, it's all scoped and approved via OAuth — so no messy script permissions or service accounts floating around.
    -------------------------------------------------------------------------------------------------------------
    🧠 Petra vs. Entra P2
    Let’s be honest: Microsoft’s "Risky Users" and "Risky Logins" often feel like they were built a decade ago. Detection is slow, imprecise, and gated behind expensive licenses. Petra steps in as a modern, ML-powered alternative that:
    - Doesn’t require P2 licensing (if you have it, that's awesome)
    - Is far more accurate
    - Offers real-time detection and optional automated remediation
    - Works out of the box without complex integrations
    -------------------------------------------------------------------------------------------------------------
    🚫 Why It’s M365 Only (For Now)
    I asked whether Petra might expand to other ecosystems like Google Workspace, but realistically, it’s unlikely. The Entra audit logs are rich, detailed, and consistent, making them ideal for behavioral modeling. In contrast, Google’s logs lack the depth and granularity Petra depends on. (From - @J)
    So for now, Petra is focused on Microsoft 365 — and honestly, that’s more than enough. Because identity remains the most exploited attack surface in enterprise environments.
    -------------------------------------------------------------------------------------------------------------
    💬 @J Thoughts
    No tool in recent memory has immediately reduced my workload and boosted my confidence like Petra has. It’s the kind of solution I wish I had years ago. Identity-based breaches are notoriously hard to detect. But with Petra, I can honestly say: If something weird happens in your tenant — you’ll know about it. Fast. I’d love to see Petra in 100 client environments today. That’s how confident I am.
Tool : - https://www.petrasecurity.com/ ------------------------------------------------------------------------------------------------------------- ✍️ Coming Up Next Article Name: (Petra Security: The UI, the Logs, and Why I Genuinely Prefer It Over Microsoft Sentinel) https://www.cyberengage.org/post/petra-security-the-ui-the-logs-and-why-i-genuinely-prefer-it-over-microsoft-sentinel If you’re running a Microsoft 365 environment and identity is your top concern — you owe it to yourself. Stay tuned. 🔐

  • Hayabusa.exe: Essential Commands for In-depth Log Analysis

    Updated on 15 July, 2025
    To understand Hayabusa completely, check out the article below:
    https://www.cyberengage.org/post/hayabusa-a-powerful-log-analysis-tool-for-forensics-and-threat-hunting
    Hayabusa Command Arsenal for Deep Analysis:
    🖥️ 1. computer-metrics – Which Machines Logged the Most?
    Before you even start analyzing logs, you might want to know: Which system created the most log entries? That’s where computer-metrics comes in.
    🔧 Example Commands:
        # On a live system
        hayabusa.exe computer-metrics --live-analysis
        # On a directory of logs
        hayabusa.exe computer-metrics -d logs/
        # On a single EVTX file
        hayabusa.exe computer-metrics -f system.evtx
    ⚠️ Heads-up: Windows sometimes logs inconsistent computer names (like lowercase vs uppercase, or even a different name altogether in Win11), so use this as an estimate, not gospel truth.
    📊 2. eid-metrics – Know Your Event ID Distribution
    Want a quick summary of what types of events (Event IDs) dominate your log files? That’s where eid-metrics helps. It prints out the total count and percentage of each Event ID across logs, separated by channel.
    🔧 Example Commands:
        # On a live system
        hayabusa.exe eid-metrics --live-analysis
        # On a directory of logs
        hayabusa.exe eid-metrics -d logs/
        # On a single file
        hayabusa.exe eid-metrics -f system.evtx
    Perfect when you're trying to spot outliers or excessive logging behavior.
    📁 3. log-metrics – Get the Big Picture
    Think of this as your log metadata report. It gives you:
    - Log file names
    - Computer names
    - Number of events
    - First & last timestamps
    - Channels & Providers
    🔧 Example:
        hayabusa.exe log-metrics --live-analysis
        hayabusa.exe log-metrics -d logs/
    This is a great way to sanity-check your input before diving into detection or timeline work.
    🔐 4. logon-summary – Who Logged In (and Failed)?
    This one’s a favorite in IR cases.
    It summarizes user logons, showing:
    - Usernames
    - Success counts
    - Failure counts
    🔧 Examples:
        # On a live system
        hayabusa.exe logon-summary --live-analysis
        # On a directory of EVTX files
        hayabusa.exe logon-summary -d logs/
    Perfect for identifying brute-force attempts, suspicious user activity, or just getting a quick login audit.
    🎯 5. pivot-keywords-list – Find What’s Weird
    This one’s pure gold for threat hunting. It generates a list of keywords (like usernames, hostnames, process names, etc.) seen in logs — so you can find outliers or suspicious entities.
    💡 Pro tip: Use -m critical to only look at keywords in critical alerts, and build up from there.
    🔧 Examples:
        # View pivot keywords from critical events
        hayabusa.exe pivot-keywords-list -d logs/ -m critical
        # Save results to files
        hayabusa.exe pivot-keywords-list -d logs/ -m critical -o keywords
        # or, on a live system
        hayabusa-3.3.0-win-x64.exe pivot-keywords-list --live-analysis -m critical -o keywords --no-wizard
    It’ll generate files like keywords-Users.txt, keywords-IpAddresses.txt, etc.
    🛠 Use case: Take that keyword list and use it with grep to build a custom timeline:
        grep -f keywords.txt timeline.csv
    Customize the search fields by editing the config file:
        ./rules/config/pivot_keywords.txt
    🔎 6. search – Deep-Dive with Keywords or Regex
    Hayabusa’s search command isn’t limited to detection results — it lets you search across all events, even those not flagged by rules.
    🔧 Examples:
        # Search for 'mimikatz' in all logs
        hayabusa.exe search -d logs/ -k "mimikatz"
        # Search for multiple keywords
        hayabusa.exe search -d logs/ -k "mimikatz" -k "kali"
        # Case-insensitive search
        hayabusa.exe search -d logs/ -k "mimikatz" -i
        # Search using regex (e.g., IP addresses)
        hayabusa.exe search -d logs/ -r "(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
        # Field-specific search (e.g., WorkstationName)
        hayabusa.exe search -d logs/ -r ".*" -F WorkstationName:"kali"
    🧠 Wrap-Up: Power at Your Fingertips
    With these commands, Hayabusa becomes more than just a Sigma rule engine — it turns into a full-blown, flexible DFIR toolkit. Here’s a quick recap:
    Command                       Purpose
    computer-metrics              See log volume per system
    eid-metrics                   View Event ID distribution
    log-metrics                   Show log metadata (timestamps, channels, etc.)
    logon-summary                 Summarize login activity
    pivot-keywords-list           Pull out high-value keywords for hunting
    search                        Deep keyword & regex searches
    csv-timeline / json-timeline  Build visual timelines of suspicious events
    ----------------------------------------------------------------------------------------------------------
    👉 Use these tools together for fast, smart, and scalable threat hunting — whether you're working a single laptop or an enterprise breach.
    -----------------------------------------------------Dean---------------------------------------------

  • Hayabusa: A Powerful Log Analysis Tool for Forensics and Threat Hunting

    Updated on July 15, 2025 By someone who hates dry cybersecurity guides as much as you do Let’s talk about a seriously underrated threat-hunting combo: Hayabusa  and Sigma rules . If you're into threat detection, blue teaming, or incident response — or even if you're just curious about how to spot evil from Windows logs — this is one rabbit hole you'll actually  enjoy going down. --------------------------------------------------------------------------------------------------------- 🤔 First off, what even is  Sigma? Alright, let’s simplify. Think of Sigma  as the "universal translator"  for security logs . It was created by Thomas Patzke  and has grown into a massive open-source project supported by the community. Unlike tools like Snort (for network stuff) or YARA (for file-based threats), Sigma deals with log data  — like Windows Event Logs, syslogs, cloud logs, etc. Here's the beauty: Sigma gives us a platform-agnostic  way to describe suspicious behavior. That means you can write a detection rule once and use it across different SIEMs or tools. It’s kind of like writing one email and having it auto-translated for everyone in your office, no matter what language they speak. Handy, right? --------------------------------------------------------------------------------------------------------- 💻 Enter Hayabusa: The Samurai of Windows Log Hunting Now, what if I told you there’s a tool that reads Windows event logs and automatically applies Sigma rules to hunt for threats ? Say hello to Hayabusa  — which literally means “falcon”  in Japanese. 🦅 And just like a falcon, this tool is fast, sharp, and built for one thing: spotting evil in your event logs . Created by Yamato Security, Hayabusa  can churn through EVTX files or even JSON-converted logs and flag anomalies based on a growing rule set. 📦 What does Hayabusa support? 
    Runs on Windows, macOS, and Linux.
    Accepts:
    - Local system event logs
    - Saved .evtx files
    - Full directories of logs
    Outputs:
    - CSV (for spreadsheet nerds)
    - HTML (for a pretty summary)
    - JSON (for API nerds or automation fans)
    🔍 Why Should You Care?
    Because logs don’t lie — but they do hide things really well. Windows logs are full of juicy forensic breadcrumbs: logon events, privilege use, command executions, service creations, and more. The problem is, they’re overwhelming. You’ll drown in logs before you spot the one that matters. Hayabusa + Sigma is like having a log-sniffing dog that doesn’t get tired.
    🧠 Quick Tip: Keeping Hayabusa Updated
    Threats evolve fast. So should your detections. With the simple command:
        C:\Users\Akash's\Downloads\hayabusa-3.3.0-all-platforms> .\hayabusa-3.3.0-win-x64.exe update-rules
    Hayabusa fetches the latest Sigma rules from the official repo and merges them into its detection engine. It’s like giving your detection engine a brain upgrade on the fly.
    ⚡ Real Use Case: CSV-Timeline (Output)
    Let’s say you want to run Hayabusa on your own machine. You just do:
        C:\Users\Akash's\Downloads\hayabusa-3.3.0-win-x64-live-response>hayabusa-3.3.0-win-x64.exe csv-timeline -l -o output1.csv
    Output: (screenshot in the original post)
    ⚡ Real Use Case: HTML Report
    Let’s say you want to run Hayabusa on your own machine and create an HTML report. You just do:
        C:\Users\Akash's\Downloads\hayabusa-3.3.0-win-x64-live-response>hayabusa-3.3.0-win-x64.exe csv-timeline -l -o result.csv -H output.html
    Boom. You get an HTML summary with clickable links showing which Sigma rule matched and why.
    ⚠️ One caveat though: That HTML report is a summary. For the nitty-gritty details, like which process or user triggered the alert, you’ll want to check the CSV output. That’s where the real breadcrumbs are.
    📚 Bonus: What Makes Sigma So Awesome?
    - Over 3000 rules (and counting!) for all types of threats
    - Can describe behaviors across: Windows, Linux, macOS, cloud platforms, apps, and more
    - Easy to write, easy to read (even for beginners)
    - Growing ecosystem of tools that support it (not just Hayabusa)
    ---------------------------------------------------------------------------------------------------------
    🔧 Pro Tip: Combine with Velociraptor
    If you're managing multiple endpoints, try plugging Hayabusa into Velociraptor. It’s an open-source digital forensics and incident response (DFIR) framework, and Hayabusa fits in beautifully to give you log-based detection across your fleet. Check out my Velociraptor series at the link below:
    https://www.cyberengage.org/courses-1/mastering-velociraptor%3A-a-comprehensive-guide-to-incident-response-and-digital-forensics
    ---------------------------------------------------------------------------------------------------------
    Imagine this: you’ve got 50 GB of event logs, and you’re tasked with figuring out what happened, when it happened, and where it happened. Doing that manually? Forget it. You’ll be buried in logs till next week. That’s where Hayabusa’s timeline mode steps in. With a simple command, Hayabusa can:
    - Parse a folder full of EVTX files (yes, even 50+ GB of them)
    - Apply Sigma rules to detect threats
    - Generate a CSV timeline showing you what went down and when
    That CSV file becomes your investigative cheat sheet.
    ---------------------------------------------------------------------------------------------------------
    🧪 Real-World Example: Hunting Across Logs with a Timeline
    Here's the full command we used on a Windows system with a big ol’ folder of logs:
        hayabusa csv-timeline -d eventlogs/ -T -o hayabusa-threathunting.csv -E --timeline-start "2025-07-01 00:00:00 +00:00" --timeline-end "2025-07-15 00:00:00 +00:00" --no-color
    or, on a live system:
        .\hayabusa-3.3.0-win-x64.exe csv-timeline --live-analysis -T -o hayabusa-threathunting.csv -E --timeline-start "2025-07-01 00:00:00 +00:00" --timeline-end "2025-07-15 00:00:00 +00:00" --no-color
    Let’s break that down:
    Argument                                     What it does
    -d eventlogs/ (or --live-analysis for live)  Directory containing EVTX files
    -T                                           Enables timeline output in the terminal
    -o hayabusa-threathunting.csv                Where to save the CSV file
    -E                                           Only review specific event IDs (speeds things up)
    --timeline-start / --timeline-end            Analyze logs only within a specific time range
    --no-color                                   Removes terminal color codes for clean output
    Pretty neat, right?
    ---------------------------------------------------------------------------------------------------------
    📊 Why CSV Output Is a Game Changer
    Hayabusa's CSV output includes super useful fields like:
    - Timestamps
    - Event IDs
    - Threat severity
    - Rule titles
    - MITRE ATT&CK IDs (if available)
    - Computer name (if analyzing multiple systems)
    That last part is huge for environments with more than one system. You can correlate threats across endpoints and spot patterns like lateral movement or domain-wide compromise.
    ---------------------------------------------------------------------------------------------------------
    🧰 Organizing the Madness with Timeline Explorer
    Now you’ve got this CSV — what next? Sure, you can open it in Excel or Google Sheets, but if you really want to pivot, filter, and sort like a DFIR wizard, use Timeline Explorer by Eric Zimmerman.
    Here’s what you do:
    1. Open the CSV in Timeline Explorer
    2. Drag-n-drop columns like: Level, Rule Title, Computer
    Now you can group alerts by severity, then drill down by rule, then system. Boom. Instant clarity.
    ---------------------------------------------------------------------------------------------------------
    📦 Don’t Stop at CSVs – Integrate & Automate
    Hayabusa doesn’t lock you into CSVs. You can also:
    - Use json-timeline for structured JSON output
    - Load results into SIEM platforms
    - Push into Elasticsearch for dashboards
    - Integrate with Neo4j Desktop for graph-based attack path analysis
    You can also change Hayabusa’s output format by using custom profiles:
        hayabusa-3.3.0-win-x64.exe list-profiles
    This shows you all the output templates. Want to include ATT&CK IDs or remove some columns? Create your own custom YAML profile.
    ---------------------------------------------------------------------------------------------------------
    ⚙️ Wait, How Do I Get Logs From All My Machines?
    Great question. Grab logs from remote systems using a quick PowerShell helper script: 📥 Copy-RemoteWindowsLogs.ps1
    This lets you collect EVTX files across your domain and organize them by hostname, ready for Hayabusa to chew through.
    ---------------------------------------------------------------------------------------------------------
    🧩 Other Hayabusa Tricks You Should Know
    Besides csv-timeline, Hayabusa comes packed with other commands:
    - update-rules – grab the latest Sigma + Hayabusa rules from GitHub
    - json-timeline – same timeline, just in JSON
    - search – keyword-based hunting across logs
    - logon-summary – view logon patterns
    - metrics – get event frequency stats
    ---------------------------------------------------------------------------------------------------------
    🔐 New in Hayabusa v2.18.0+: Live Response Packages!
    Hayabusa now offers special Live Response packages designed for endpoint use.
    These packages include the binary, an XOR-encoded Sigma rules file, and a single config file — all bundled together. Why? To avoid triggering antivirus tools like Windows Defender and to minimize file writes on disk (protecting forensic artifacts like the USN Journal). Just look for the ZIP files with live-response in the name.
    ---------------------------------------------------------------------------------------------------------
    Final Thoughts
    If you’re working in threat detection, response, or forensics, you don’t want to sleep on Hayabusa. It’s fast. It’s flexible. It supports the Sigma rule ecosystem. And most importantly — it makes sense of the chaotic mess that is Windows Event Logs. So next time you’re looking at a pile of .evtx files wondering where to even start… just remember: Hayabusa + Sigma = Instant Timeline, Actionable Threats. Give it a shot — your future self will thank you. 🙌
    -------------------------------------------Dean-------------------------------------------------------------
    Check out the article below, where I have shared a few commands to get you started with analysis:
    https://www.cyberengage.org/post/hayabusa-exe-essential-commands-for-in-depth-log-analysis
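    As an added example (not Hayabusa's own code and not from either post above), here is a small Python helper that reproduces, on a constructed csv-timeline, the triage steps the two Hayabusa articles describe: the --timeline-start/--timeline-end window, the `grep -f keywords.txt timeline.csv` pass over a pivot-keywords file, a regex search in the spirit of `hayabusa search -r` (with and without a field filter), and the Level -> Rule Title -> Computer grouping done in Timeline Explorer. The column names, the timestamp layout and the one-keyword-per-line keyword file are assumptions about Hayabusa's output; every row in the sample is made up.

```python
import csv
import io
import re
from collections import Counter, OrderedDict
from datetime import datetime

# Constructed sample shaped like a Hayabusa csv-timeline. Column names follow the
# standard profile as I understand it (assumption); all values are made up.
SAMPLE_TIMELINE = """\
Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2025-06-30 23:59:59.000 +00:00,WS01,Sec,4624,info,Logon Success,User: alice | LogonType: 2
2025-07-03 09:15:02.123 +00:00,WS01,Sec,4625,med,Logon Failure,User: bob | SrcIP: 10.0.0.7
2025-07-03 09:15:05.456 +00:00,WS01,Sec,4625,med,Logon Failure,User: bob | SrcIP: 10.0.0.7
2025-07-04 14:02:11.000 +00:00,WS01,Sysmon,1,high,Suspicious Process Creation,Cmd: mimikatz.exe | User: bob
2025-07-05 08:30:00.000 +00:00,SRV02,Sec,4624,info,Logon Success,User: bob | SrcIP: 10.0.0.7 | LogonType: 3
2025-07-05 08:31:10.000 +00:00,SRV02,Sys,7045,crit,Suspicious Service Installed,Service: evilsvc | User: bob
2025-07-16 01:00:00.000 +00:00,SRV02,Sec,4624,info,Logon Success,User: carol | LogonType: 2
"""

# Constructed stand-in for a pivot-keywords-list output file such as keywords-Users.txt
SAMPLE_KEYWORDS = "bob\nmimikatz\n"

# Same IP regex the post passes to `hayabusa search -r`
IP_REGEX = r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"

# Hayabusa's abbreviated severity levels, most severe first
LEVEL_ORDER = ["crit", "high", "med", "low", "info"]


def parse_ts(value):
    """Parse a Hayabusa-style timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f %z", "%Y-%m-%d %H:%M:%S %z"):
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_timeline(text):
    """Read a csv-timeline into a list of dicts, one per detected event."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_window(rows, start, end):
    """Keep events with start <= Timestamp < end (the --timeline-start/--timeline-end idea)."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [r for r in rows if lo <= parse_ts(r["Timestamp"]) < hi]


def load_keywords(text):
    """One pivot keyword per line, blank lines ignored (keywords-*.txt layout assumed)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def match_keywords(rows, keywords):
    """Equivalent of `grep -f keywords.txt timeline.csv`: keep rows containing any keyword."""
    return [r for r in rows if any(k in " ".join(r.values()) for k in keywords)]


def regex_search(rows, pattern, field=None, ignore_case=False):
    """Like `hayabusa search -r`; field=None scans every column, otherwise one column only."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    if field is None:
        return [r for r in rows if any(rx.search(v) for v in r.values())]
    return [r for r in rows if rx.search(r.get(field, ""))]


def group_triage(rows):
    """Level -> RuleTitle -> Computer -> count, most severe level first."""
    counts = Counter((r["Level"], r["RuleTitle"], r["Computer"]) for r in rows)
    grouped = OrderedDict()
    for level in LEVEL_ORDER:
        for (lvl, rule, comp), n in counts.items():
            if lvl == level:
                grouped.setdefault(level, {}).setdefault(rule, {})[comp] = n
    return grouped


if __name__ == "__main__":
    events = filter_window(parse_timeline(SAMPLE_TIMELINE),
                           "2025-07-01 00:00:00 +00:00", "2025-07-15 00:00:00 +00:00")
    for level, rules in group_triage(events).items():
        for rule, comps in rules.items():
            print(f"{level:5} {rule:30} {comps}")
    print("pivot-keyword hits:", len(match_keywords(events, load_keywords(SAMPLE_KEYWORDS))))
    print("IP-address hits:", len(regex_search(events, IP_REGEX)))
```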

  • The Importance of Memory Acquisition in Modern Digital Forensics

    Memory acquisition has emerged as a transformative development in the field of digital forensics. While it has been in practice for over 15 years, recent advancements in tools and techniques have made it an essential component of forensic investigations. Yet, despite its significance, misconceptions and outdated practices still hinder its widespread adoption.
    What is Memory Acquisition?
    Memory acquisition involves capturing volatile data, which includes information stored in RAM (Random Access Memory) and other ephemeral data such as active network connections, running processes, and system state. Volatile data is crucial because it is lost when a computer is powered off, making it a perishable yet invaluable source of evidence.
    Breaking Down the Myths
    Historically, the practice of pulling the plug on a powered-on system dominated forensic approaches. This method, while simple, results in the loss of volatile data, leaving investigators with limited evidence. Critics of memory acquisition often argue that it alters the evidence, making it inadmissible in court. However, this belief is outdated. Modern courts and organizations, including the U.S. Department of Justice, emphasize the importance of documenting and preserving volatile data. Failing to collect this information can now be viewed as evidence destruction, especially when such data could refute claims like the "Trojan defense" or "SODDI" (Some Other Dude Did It).
    Why Memory Acquisition is Critical
    1. Combatting Encryption Challenges
    The growing prevalence of encryption tools like BitLocker, PGP, and TrueCrypt has heightened the importance of memory acquisition. Pulling the plug on an encrypted system can render evidence inaccessible, as encryption keys and other critical data are often stored in RAM while the system is running. Memory acquisition allows investigators to capture these keys and access encrypted information.
    2. Preserving Valuable Evidence
    Volatile data includes crucial details such as:
    - Current network connections
    - Active processes and running applications
    - Residual data from exited processes
    - Passwords in plaintext
    These pieces of evidence are instrumental in reconstructing activities on a system, identifying malicious actions, and refuting or supporting claims of remote control or malware involvement.
    Best Practices for Memory Acquisition
    1. Document Everything
    Investigators must meticulously record their actions, including the tools used, timestamps, and any changes made during the process. Proper documentation ensures the integrity and admissibility of the evidence.
    2. Use Trusted Tools
    Modern memory acquisition tools like WinPMEM, and encryption detection tools like Magnet Forensics Encrypted Disk Detector and Elcomsoft Disk Decryptor, are equipped to handle the complexities of contemporary systems. These tools are designed to operate on both 32-bit and 64-bit systems, including Windows 11, and comply with security requirements like digital driver signing.
    3. Prioritize Live Response
    The standard practice is to capture volatile data before shutting down a system. Conducting on-site triage helps identify critical evidence and ensures that data is preserved in its most useful state. In cases involving encryption, capturing data while the system is operational is paramount.
    4. Leverage System Artifacts
    Operating systems often create artifacts like hibernation files (hiberfil.sys), crash dumps (memory.dmp), and page files (pagefile.sys or swapfile.sys). These files can provide partial or complete snapshots of RAM and serve as valuable sources of memory data for analysis.
    Memory Analysis and Advanced Techniques
    Memory analysis tools such as Volatility and MemProcFS offer advanced capabilities to examine captured data.
    These tools enable investigators to:
    - Analyze process space and network connections
    - Detect advanced malware techniques like code injection and rootkits
    - Recover encryption keys, chat logs, internet history, and more
    Memory Analysis with Volatility 3, MemProcFS, Strings, and Bstrings! 🎉
    Using these tools, I’ve created a detailed blog covering all of them. Check out the link below if you’re interested in learning memory analysis. Happy exploring! 🚀
    https://www.cyberengage.org/courses-1/mastering-memory-forensics%3A-in-depth-analysis-with-volatility-and-advanced-tools
    Detection of Encryption
    Forensic experts can also utilize commercial tools like EDD and Elcomsoft Disk Decryptor to determine whether drives are encrypted before acquiring memory. This step is crucial because if the drives are encrypted, obtaining the encryption key—either by asking the client or through memory acquisition—becomes essential.
    For the tool Magnet Encrypted Disk Detector (EDDv310), I have already written an article; check it out at the link below:
    https://www.cyberengage.org/post/exploring-magnet-encrypted-disk-detector-eddv310
    For the tool Elcomsoft Disk Decryptor, there’s an article by Oleg Afonin that you can check out here:
    https://blog.elcomsoft.com/2020/07/live-system-analysis-discovering-encrypted-disk-volumes/
    What I particularly like about Elcomsoft Disk Decryptor is its ability to indicate whether it’s safe to shut down the computer. Based on this information you can further decide what additional information should be collected to support the analysis.
    The Future of Memory Acquisition
    As encryption adoption continues to rise, memory acquisition will become a standard practice in forensic investigations. Emerging technologies like Modern Standby in Windows 10 and 11 increase the likelihood of finding hibernation files, further enhancing the ability to capture volatile data. Investigators must adapt to these changes and embrace memory acquisition as a critical step in their workflows.
    Conclusion
    Memory acquisition is no longer a complex or optional task—it is a necessity in modern digital forensics. By prioritizing the collection of volatile data and leveraging the latest tools and techniques, investigators can preserve critical evidence, overcome encryption challenges, and strengthen the integrity of their cases.
    That’s all for today! See you in the next article. Take care! 😊 (Dean)

  • Jump List Changes in Windows 10 & 11: What You Need to Know

    Jump Lists have undergone significant changes in Windows 10 and 11, just like LNK shell items. These changes have expanded the range of recorded data, making Jump Lists even more valuable for forensic analysis. While some changes may seem subtle, they provide deeper insight into user activity.
-----------------------------------------------------------------------------------------------------
1. Quick Access and Its Role in Jump Lists
What is Quick Access?
Quick Access is a Windows File Explorer feature introduced in Windows 10 that lets users quickly find recently opened files and folders. It also lets users pin frequently used items for easy access.
How is Quick Access stored?
Quick Access data is saved in a dedicated Jump List. This is usually one of the largest Jump Lists on a system because it records many file types and locations, giving a broad view of recently accessed items.
Limitations: Quick Access does not record every opened file, and some entries in this list lack LNK (shortcut) information.
💡 Best Practice: Since Quick Access doesn’t capture everything, always cross-reference it with application-specific Jump Lists (e.g., those of Microsoft Word, Adobe Reader, or other software).
-----------------------------------------------------------------------------------------------------
2. Tracking Newly Created Files vs. Opened Files
Windows 10 and 11 changed how files appear in Jump Lists when they are created or saved to a different location (e.g., using "Save As").
Key Differences:
Previously: Jump Lists mainly recorded files that were opened.
Now: Jump Lists also capture files that are newly created in a different location.
How to Determine If a File Was Created or Just Opened:
When a file is newly created, it appears in both Quick Access and the dedicated application Jump List (though not for all file types).
You can compare timestamps: if the target creation timestamp (carried by the embedded LNK) matches the DestList last modified timestamp, the file was likely newly created. If the timestamps do not match, the file was simply opened rather than created.
-----------------------------------------------------------------------------------------------------
3. Tracking Folder Copying with Jump Lists
One of the most important updates in Windows 10 & 11 is that Jump Lists now track folder copying.
What Does This Mean?
When a user copies a folder, Windows creates an entry in the File Explorer Jump List. This applies to both single and multiple folder copies. Mounted drives and external storage devices are also tracked.
Why Is This Important?
If a user copies a folder to a USB drive, Windows records:
- The copied folder's name
- The destination location
- The time the folder was copied (based on the target creation timestamp)
💡 Forensic Insight: Just like file creation tracking, matching the target creation timestamp against the DestList last modified timestamp helps determine whether the folder was simply opened or copied to another location.
-----------------------------------------------------------------------------------------------------
4. Tracking Taskbar Search Activity in Microsoft Edge
Another notable update is that Jump Lists now record searches made from the Windows taskbar, specifically in Microsoft Edge’s Jump List.
How Does This Work?
When a user performs a search in the taskbar and clicks the "Best Match" result, the search is recorded. These entries reference "Microsoft.Windows.Cortana", linking them to taskbar search results. The URL parameters in the entry contain the searched term, and the entry’s last modified time logs when the search was performed.
💡 Forensic Tip: By analyzing Jump Lists, investigators can see what the user searched for and when, even if browser history has been deleted!
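The heuristics from sections 2, 3 and 4 above, as an added Python example that is not part of the original article: it assumes a Jump List parser (JLECmd, for instance) has already extracted each DestList entry's path, its DestList "last modified" FILETIME and the target-creation FILETIME from the embedded LNK, and applies the created-vs-opened comparison, the folder-copy variant, and the taskbar-search extraction to those records. The sample records, the two-second match window and the Edge URI with its "Microsoft.Windows.Cortana" reference and url=...q=<term> parameters are constructed for illustration, not captured values; the Quick Access and File Explorer AppIDs are the well-known ones, the Edge AppID is a placeholder.

```python
"""Apply the Windows 10/11 Jump List heuristics above to parsed DestList entries.

Added example, not code from the article. It assumes a Jump List parser (for
example JLECmd) has already extracted each DestList entry's path, its DestList
"last modified" FILETIME and the target-creation FILETIME from the embedded LNK.
The records below are constructed samples; the Edge entry is a constructed
illustration of a "Microsoft.Windows.Cortana" URI carrying url=...q=<term>
parameters, not a captured value.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000               # FILETIME counts 100 ns intervals

# Assumption of this example: the DestList entry is written moments after the
# target is created, so "matching" timestamps are compared within a small window
# rather than for exact equality.
MATCH_TOLERANCE = timedelta(seconds=2)

QUICK_ACCESS_APPID = "5f7b5f1e01b83767"     # well-known AppID of the Quick Access list
EXPLORER_APPID = "f01b4d95cf55d32a"         # well-known AppID of File Explorer
EDGE_APPID = "<edge-appid>"                 # placeholder; look up the AppID on your image


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


@dataclass
class DestListEntry:
    app_id: str                         # Jump List the entry came from
    path: str                           # target path or URI stored in the entry
    destlist_modified_ft: int           # DestList entry "last modified" FILETIME
    target_created_ft: Optional[int]    # creation FILETIME of the target, from the LNK
    is_directory: bool = False


def classify_entry(e: DestListEntry) -> str:
    """Created/copied versus merely opened, per the timestamp comparison in the article."""
    if e.target_created_ft is None:
        return "opened (no target creation time)"
    created = filetime_to_datetime(e.target_created_ft)
    modified = filetime_to_datetime(e.destlist_modified_ft)
    if abs(modified - created) <= MATCH_TOLERANCE:
        return "folder copied" if e.is_directory else "file created"
    return "opened"


def extract_taskbar_search(e: DestListEntry) -> Optional[dict]:
    """Recover the term and time of a taskbar search opened in Edge, if the entry is one."""
    if "Microsoft.Windows.Cortana" not in e.path:
        return None
    # Take everything after "url=" so nested '&' in the target survive whether or not
    # the outer URI was percent-encoded, then decode and parse the inner query string.
    marker = e.path.find("url=")
    if marker < 0:
        return None
    inner = parse_qs(urlsplit(unquote(e.path[marker + 4:])).query)
    term = inner.get("q", [None])[0]
    if term is None:
        return None
    return {"term": term, "when": filetime_to_datetime(e.destlist_modified_ft)}


def sample_entries() -> list:
    """Constructed records, not from a real system. t0 is an arbitrary FILETIME in 2022."""
    t0 = 133_000_000_000_000_000
    day = 86_400 * TICKS_PER_SECOND
    return [
        # New document saved: LNK target creation ~0.5 s before the DestList update
        DestListEntry(QUICK_ACCESS_APPID, r"C:\Users\dean\Documents\report.docx",
                      t0 + TICKS_PER_SECOND // 2, t0),
        # Same document re-opened a day later: entry updated, creation time unchanged
        DestListEntry(QUICK_ACCESS_APPID, r"C:\Users\dean\Documents\report.docx",
                      t0 + day, t0),
        # Folder copied to a USB drive: Explorer entry written as the copy was created
        DestListEntry(EXPLORER_APPID, r"E:\Backup\Projects",
                      t0 + 10 * TICKS_PER_SECOND, t0 + 9 * TICKS_PER_SECOND, is_directory=True),
        # Taskbar search whose "Best Match" opened Edge (constructed URI)
        DestListEntry(EDGE_APPID,
                      "microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy"
                      "&url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dhow%2Bto%2Bwipe%2Ba%2Bdrive%26form%3DWNSGPH",
                      t0 + 20 * TICKS_PER_SECOND, None),
    ]


def report(entries: list) -> list:
    """One row per entry: path, verdict, DestList time and any recovered taskbar search."""
    return [{"path": e.path, "verdict": classify_entry(e),
             "when": filetime_to_datetime(e.destlist_modified_ft).isoformat(),
             "search": extract_taskbar_search(e)} for e in entries]


if __name__ == "__main__":
    for row in report(sample_entries()):
        print(row)
```

The match window is the one knob worth thinking about: too tight and the normal sub-second gap between file creation and the DestList write produces false "opened" verdicts, too loose and a file opened right after creation is misread as created. Whatever window you choose, treat the verdict as a lead to corroborate with the LNK, $MFT and USN records for the same path.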
-----------------------------------------------------------------------------------------------------
Final Thoughts
Jump Lists in Windows 10 and 11 offer more data than ever before, making them a powerful forensic artifact. These changes allow us to track:
✅ Recently accessed files and folders
✅ Files created or saved to a different location
✅ Copied folders, including those copied to external USB drives
✅ User search activity in the Windows taskbar and Microsoft Edge
To get the most accurate results, always cross-check Jump Lists with other forensic artifacts such as LNK files, event logs, and ShellBags. By doing so, you can build a clearer picture of user activity on a system.
Stay tuned for more deep dives into Windows forensic artifacts! 🚀
--------------------------------------------------Dean------------------------------------------

  • Forensic Differences Between Windows 10 and Windows 11

    Note to My Readers: I apologize for not being very active on the website or posting new articles over the past few weeks. I've been dealing with some personal matters that have required my attention. I appreciate your patience and understanding during this time. I’ll be back to writing and updating the site as soon as things settle down. Thank you for your continued support.

Windows, developed by Microsoft, has been a cornerstone of personal and professional computing since its debut in 1985. As of March 2022, Windows held a dominant global market share of 75.7%, making it the most widely used operating system worldwide. Among those installations, 74.82% ran Windows 10, while 8.45% had moved to Windows 11. Microsoft reports that over 1.4 billion devices globally run either Windows 10 or 11 (Microsoft, 2022a). Microsoft plans to support at least one version of Windows 10 until October 14, 2025. As the end of Windows 10 support nears, adoption of Windows 11 is expected to rise significantly. This shift underscores the importance for digital forensic examiners of understanding the differences and similarities between these two operating systems, especially in terms of investigative artifacts and security features.

This post summarizes a great white paper by Andrew Rathbun that covers the topic in full; you can read it here: https://www.sans.org/white-papers/windows-10-vs-windows-11-what-has-changed/

Forensic Artifacts
This section reviews whether key artifacts from Windows 10 persist in Windows 11 and highlights any forensic differences. Below is a detailed analysis of prominent artifacts.

LNK Files and Jump Lists
The Shell Link (.LNK) Binary File Format underwent revisions in June 2021, but no significant forensic changes were identified. Similarly, Jump Lists, which are collections of .LNK files associated with applications, remain unchanged between Windows 10 and 11.
$Recycle.Bin Metadata Files
The Recycle Bin metadata ($I) files show no observable differences between Windows 10 and 11.

Amcache
The Amcache artifact is identical in Windows 10 and 11.

Registry Hives
Registry hives in Windows 11 exhibit significant changes, with over 35,000 added or removed keys and values compared to Windows 10. While these changes currently lack forensic significance, ongoing research is essential given the volume of modifications. The affected hives were: BCD-Template, COMPONENTS, DEFAULT, DRIVERS, ELAM, NTUSER.dat, SAM, SECURITY, SOFTWARE, SYSTEM, and UsrClass.dat.

Windows Timeline
The Windows Timeline feature, introduced in Windows 10, was removed in Windows 11. However, its database, ActivitiesCache.db, still exists in Windows 11.

Prefetch
No differences were found in the Prefetch (.pf) files between Windows 10 and 11.

Event Logs
Comparative analysis revealed that Windows 11 introduced new Event Providers and updated or removed others compared to Windows 10.

Shellbags
ShellBags, which track folder navigation, operate identically in Windows 10 and 11. Folder creation and navigation yielded identical results on both systems.

Windows Search Index (ESE) Database
The Windows Search Index artifact (Windows.edb) retains its structure but exhibits notable differences in Windows 11. The SystemIndex_PropertyStore table in Windows 11 has an additional column, System_Setting_SettingsEnvironmentID, and its table number changed from #17 (Windows 10) to #15 (Windows 11). Additionally, Windows 11’s ESE engine version (9400) differs from Windows 10’s (9180), which affects database repair compatibility.

Web Browsers
Edge Chromium 101.0.1210.53 produced identical artifacts on Windows 10 and 11.

ShimCache (AppCompatCache)
ShimCache functions the same way in Windows 10 and 11.

SQLite Databases
Windows 10 and 11 share many SQLite databases, commonly found in browser artifacts and system files.
Research indicates these databases remain consistent between the two versions.

Directory Listings
A GitHub repository, https://github.com/AndrewRathbun/VanillaWindowsReference, offers directory listings of clean installs of various Windows versions. Comparing the Windows 10 and 11 listings reveals differences in file and folder structure, which is useful for forensic research.

Security Features in Windows 11
Trusted Platform Module 2.0 is mandatory for Windows 11, giving every device a hardware root for its security features. Windows 11 supports secure, passwordless sign-in backed by TPM 2.0, reducing credential-theft risk through multifactor authentication.
Hypervisor-Protected Code Integrity (HVCI): enabled by default on new installations, this feature uses virtualization to enforce kernel code integrity and protect against exploits.
Transport Layer Security 1.3 is the default, improving encryption and reducing handshake time; TLS 1.2 is supported as a fallback.
DNS over HTTPS: encrypts DNS queries, protecting against attackers who monitor or redirect traffic.
SMB protocol enhancements: updates include AES-256 encryption, SMB over QUIC for untrusted networks, and accelerated signing for improved file-service security.
Enhanced Wi-Fi security with WPA3 and Opportunistic Wireless Encryption gives better protection on public networks.

Conclusion
While Windows 11 shares many similarities with Windows 10, its security upgrades and new features present both opportunities and challenges for DFIR professionals. Ongoing research will be vital as Microsoft delivers yearly updates, introducing potential new artifacts and forensic considerations. Don't forget to check out the article by Andrew Rathbun, linked above.

Take care for now, see you in the next article.
--------------------------------------------------Dean----------------------------------------
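One way to carry out the directory-listing comparison mentioned above, as an added Python example that is neither the article's nor the VanillaWindowsReference project's code: it loads two listings exported as CSV, indexes them by case-folded path (NTFS paths are case-insensitive), reports added, removed and content-changed files, and counts the churn per directory so a researcher can see where new artifacts are most likely to appear. The column names FullName, Length and SHA1 are an assumption of this example (map them to whatever your listing tool emits), and the two listings are constructed samples, not real Windows 10 and 11 inventories.

```python
"""Diff two directory listings of Windows installs to surface file and folder changes.

Added example, not the article's or the VanillaWindowsReference project's code.
It assumes each listing is a CSV with FullName, Length and SHA1 columns (an
assumption of this example). OLD_LISTING and NEW_LISTING are constructed
samples, not real Windows 10/11 inventories.
"""
import csv
import io
from collections import Counter

OLD_LISTING = r"""FullName,Length,SHA1
C:\Windows\explorer.exe,4800000,sha1-explorer-v1
C:\Windows\System32\ntoskrnl.exe,10936120,sha1-ntoskrnl-v1
C:\Windows\System32\svchost.exe,55320,sha1-svchost
C:\Windows\System32\OldComponent.dll,120000,sha1-oldcomponent
C:\Windows\System32\config\SAM,65536,sha1-sam
"""

NEW_LISTING = r"""FullName,Length,SHA1
C:\Windows\explorer.exe,5100000,sha1-explorer-v2
C:\Windows\System32\ntoskrnl.exe,11250000,sha1-ntoskrnl-v2
C:\Windows\System32\svchost.exe,55320,sha1-svchost
C:\Windows\System32\config\SAM,65536,sha1-sam
C:\Windows\SystemApps\ExampleNewApp\app.exe,2048000,sha1-examplenewapp
"""


def load_listing(csv_text: str) -> dict:
    """Index a listing by lower-cased FullName, since NTFS paths are case-insensitive."""
    listing = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        listing[row["FullName"].strip().lower()] = row
    return listing


def diff_listings(old: dict, new: dict) -> dict:
    """Return added, removed and content-changed paths (display case taken from the listings)."""
    old_keys, new_keys = set(old), set(new)
    added = sorted(new[k]["FullName"] for k in new_keys - old_keys)
    removed = sorted(old[k]["FullName"] for k in old_keys - new_keys)
    changed = sorted(
        new[k]["FullName"] for k in old_keys & new_keys
        if (old[k]["Length"], old[k]["SHA1"]) != (new[k]["Length"], new[k]["SHA1"])
    )
    return {"added": added, "removed": removed, "changed": changed}


def churn_by_directory(diff: dict) -> Counter:
    """Count changes per parent directory to show where artifact research should focus."""
    counts = Counter()
    for paths in diff.values():
        for path in paths:
            counts[path.rsplit("\\", 1)[0].lower()] += 1
    return counts


if __name__ == "__main__":
    result = diff_listings(load_listing(OLD_LISTING), load_listing(NEW_LISTING))
    for kind, paths in result.items():
        print(kind, paths)
    for directory, n in churn_by_directory(result).most_common():
        print(f"{n:4d}  {directory}")
```

Comparing by hash as well as by path is what separates "the file moved or was renamed" from "the file is new" or "the binary changed"; against real listings the changed set is large after every feature update, so the per-directory counts are the practical starting point for locating new or altered artifacts.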
