forensics

AppWizard
July 15, 2025
Google's AI security agent, Big Sleep, has identified a vulnerability in SQLite, designated as CVE-2025-6965, which was being exploited by hackers. Enhancements have been made to Google's open-source forensics tool, now operating on the upgraded Sec-Gemini platform for improved log analysis and threat detection. Google is set to unveil FACADE, an insider threat detection system that has monitored billions of daily events since 2018 using contrastive learning. At DEF CON 33, Google will co-host a Capture the Flag event with Airbus, involving AI assistants in security challenges. Google is contributing data from its Secure AI Framework to the Coalition for Secure AI to enhance research in cybersecurity. The AI Cyber Challenge, a DARPA-led competition supported by Google, is nearing its conclusion, with winners showcasing AI tools for identifying and rectifying vulnerabilities in open-source software.
Tech Optimizer
June 23, 2025
A diverse array of endpoint security tools has been integral to cyber defense strategies for desktops, laptops, and other end-user devices for the past three decades. The latest evolution is represented by endpoint protection platforms (EPPs), which combine various security capabilities including antivirus software, visibility and monitoring, and endpoint detection and response (EDR). EPPs continuously log, monitor, and analyze events on endpoints to identify suspicious activities, generate alerts, and neutralize threats. They serve as a frontline defense for devices such as desktops, laptops, smartphones, tablets, IoT devices, and other user-facing technologies. Leading EPP solutions include the SentinelOne Singularity Platform and CrowdStrike Falcon. Both platforms offer automation capabilities that generate alerts upon detecting events and can act in real-time to thwart attacks. They provide centralized dashboards and reporting features for analysts and incorporate generative AI threat detection interfaces. The EPPs are compatible with various operating systems, including Windows, Linux, macOS, ChromeOS, Android, and iOS. Pricing for SentinelOne includes: - Singularity Complete: .99 per device annually. - Singularity Commercial: .99 per device per year. - Singularity Enterprise: Pricing available upon request. CrowdStrike pricing options include: - Falcon Go: [openai_gpt model="gpt-4o-mini" prompt="Summarize the content and extract only the fact described in the text bellow. The summary shall NOT include a title, introduction and conclusion. Text: A diverse array of endpoint security tools has been integral to cyber defense strategies for desktops, laptops, and other end-user devices for the past three decades. The latest evolution in this realm is represented by endpoint protection platforms (EPPs), which amalgamate various security capabilities including antivirus software, visibility and monitoring, as well as endpoint detection and response (EDR). These platforms continuously log, monitor, and analyze events on endpoints to identify suspicious activities, generate alerts, and, when necessary, neutralize threats. EPPs serve as a frontline defense for a range of devices such as desktops, laptops, smartphones, tablets, IoT devices, and other user-facing technologies. Among the leading EPP solutions available today are the SentinelOne Singularity Platform and CrowdStrike Falcon. A closer examination reveals a comparison of their key features, pricing structures, and performance metrics, along with guidance for organizations seeking an EPP that aligns with their security needs. Key features comparison Both Singularity and Falcon offer a robust suite of capabilities: Automation capabilities. Both platforms automatically generate alerts upon detecting events that warrant further investigation. They can act in real-time to thwart attacks, with options for automated responses such as remediation and rollback when malicious activities are identified. Additionally, human analysts have the flexibility to manually initiate these responses through the platforms. Analyst interface. Each EPP provides centralized dashboards and reporting features that analysts utilize to review correlated event data. Furthermore, both platforms incorporate generative AI (GenAI) threat detection interfaces—Purple AI for SentinelOne and Charlotte AI for CrowdStrike—allowing administrators to query the GenAI agent for deeper insights into the analyzed event data. Supported OSes. The EPPs are compatible with various operating systems, including Windows, Linux, macOS, ChromeOS, Android, and iOS. Cybersecurity platform. These platforms feature centralized storage, dashboards, and analytical capabilities for the data generated by their offerings, alongside other cybersecurity and asset information. Pricing comparison As the tools diverge in their offerings, pricing becomes a distinguishing factor, with each platform presenting unique features and add-ons. SentinelOne Singularity pricing options Singularity Complete is priced at 9.99 per device annually, providing endpoint and cloud workload protection. Singularity Commercial costs 9.99 per device per year, encompassing XDR, EPP, EDR capabilities, identity threat detection and response (ITDR), and managed threat hunting (WatchTower). Singularity Enterprise includes comprehensive features such as XDR, EPP, EDR, data retention, ITDR, threat hunting, network discovery (Singularity Network Discovery), forensic data collection (Singularity RemoteOps Forensics), and support services. Pricing is available upon request from SentinelOne. CrowdStrike Falcon pricing options Falcon Go, available at .99 per device per year for up to 100 devices, includes antivirus software (Falcon Prevent), USB device control (Falcon Device Control), mobile device protection (Falcon for Mobile), and support services. Falcon Pro is priced at .99 per device per year, offering Falcon Prevent, Falcon Device Control, host firewall control (Falcon Firewall Management), and support services. Falcon Enterprise costs 4.99 per device annually, featuring Falcon Prevent, Falcon Device Control, Falcon Firewall Management, threat hunting and intelligence (Falcon OverWatch), extended detection and response (Falcon Insight XDR), and support services. Falcon Complete MDR represents CrowdStrike's managed detection and response service, which includes Falcon Prevent, Falcon OverWatch, Falcon Insight XDR, and IT hygiene (Falcon Discover), with options to add firewall and identity protection. Pricing for Complete MDR is available upon inquiry. Additionally, Falcon for Mobile protection for smartphones and tablets can be acquired as a separate add-on for Pro, Enterprise, and Complete MDR plans. Performance and evaluation comparison Feedback from users regarding SentinelOne and CrowdStrike offerings tends to align positively. Verified reviews on Gartner Peer Insights indicate that both EPPs boast an average performance rating of 4.7 out of 5, with 99% of ratings being three stars or higher. In the past year, CrowdStrike's Falcon garnered 724 ratings, while SentinelOne's Singularity received 227. SentinelOne holds a slight edge over CrowdStrike in terms of pricing flexibility, rated at 4.4 compared to 4.2, whereas CrowdStrike excels in the availability of third-party resources, rated at 4.7 against SentinelOne's 4.4. Notably, both platforms were included in the 2023 Mitre ATT&CK Evaluations, which simulated a nation-state attack scenario. In this evaluation, CrowdStrike demonstrated superior attack technique detection, while both platforms exhibited comparable protection capabilities. In the 2024 evaluations, CrowdStrike opted out, allowing SentinelOne to successfully detect all tested attack techniques. Common criticisms of CrowdStrike on Gartner Peer Insights highlight complexities in licensing and insufficient support for hybrid environments. Conversely, SentinelOne users expressed frustration with the Android OS capabilities, which tend to generate a higher number of false positives. Questions to ask when selecting an EPP tool Organizations of all sizes should implement endpoint security tools to safeguard their user devices. Larger enterprises often manage and monitor these tools internally, while smaller organizations may opt for managed services that provide similar endpoint security solutions along with management and monitoring support. Some services even offer incident response capabilities in conjunction with the organization's existing resources. When evaluating endpoint security tools and services, organizations should consider the following questions: How well integrated is the platform? Is there a single agent deployed to each endpoint, or is it a combination of agents? Does the product represent a truly unified platform or merely a collection of services presented under a unified interface? What is the quality of the platform's data gathering, logging, analysis, alerting, and alert prioritization in terms of accuracy, speed, and comprehensiveness? High quality should be the cornerstone of any EPP. How effectively does the platform leverage cyber threat intelligence? What sources does it utilize, and how frequently are they updated? What techniques does the platform employ to analyze events and detect attacks? How adept is it at identifying sophisticated and novel threats? How automated are its capabilities? This encompasses protection, detection, and incident response features. Effective automation that makes sound decisions in real-time can be pivotal in preventing ransomware from affecting multiple endpoints. Karen Scarfone is the principal consultant at Scarfone Cybersecurity in Clifton, Va. She provides cybersecurity publication consulting to organizations and was formerly a senior computer scientist for NIST." max_tokens="3500" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" frequency_penalty="frequency_penalty"].99 per device per year for up to 100 devices. - Falcon Pro: .99 per device per year. - Falcon Enterprise: .99 per device annually. - Falcon Complete MDR: Pricing available upon inquiry. User feedback indicates both EPPs have an average performance rating of 4.7 out of 5, with 99% of ratings being three stars or higher. CrowdStrike's Falcon received 724 ratings, while SentinelOne's Singularity received 227. SentinelOne has a slight edge in pricing flexibility (rated 4.4) compared to CrowdStrike (rated 4.2), while CrowdStrike excels in third-party resource availability (rated 4.7) compared to SentinelOne (rated 4.4). Both platforms were included in the 2023 Mitre ATT&CK Evaluations, with CrowdStrike demonstrating superior attack technique detection. Common criticisms of CrowdStrike include complexities in licensing and insufficient support for hybrid environments, while SentinelOne users expressed frustration with Android OS capabilities leading to higher false positives. Organizations should consider integration quality, data gathering and analysis capabilities, cyber threat intelligence utilization, attack detection techniques, and automation levels when selecting an EPP tool.
Winsage
May 31, 2025
A new strain of malware has been operating undetected on Windows systems for several weeks, utilizing advanced evasion techniques that corrupt its Portable Executable (PE) headers to avoid detection. Security researchers discovered this malware embedded in the memory of a compromised system during an investigation, using a 33GB memory dump that revealed its presence in a dllhost.exe process with process ID 8200. The malware, classified as a Remote Access Trojan (RAT) by Fortinet, employs batch scripts and PowerShell commands for its attack and has capabilities for screenshot capture, remote server functionality, and system service manipulation. Its command and control infrastructure uses encrypted communications, complicating detection efforts. The malware's distinctive feature is the deliberate corruption of DOS and PE headers, which hinders reverse engineering and complicates the reconstruction of the executable from memory dumps. Researchers had to manually locate the malware’s entry point and resolve complex import tables for it to function in a controlled environment.
Tech Optimizer
March 20, 2025
Microsoft Incident Response has identified a new remote access trojan (RAT) called StilachiRAT, which extracts sensitive information from infected computers, including passwords, cryptocurrency wallet details, operating system specifications, and device identifiers. StilachiRAT has a self-reinstatement mechanism that allows it to reinstall itself if removed. It targets digital wallets from platforms like Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, and Bitget Wallet. The malware can harvest credentials from web browsers, monitor clipboard data, gather system information, detect camera presence, and track active Remote Desktop Protocol (RDP) sessions. It can extract credentials from Google Chrome, monitor clipboard activity, and maintain its presence using the Windows service control manager. StilachiRAT can impersonate users to monitor RDP sessions and employs anti-forensics mechanisms to evade detection. Discovered in November of the previous year, it has not yet achieved widespread distribution. Microsoft advises users to download software from official websites, use robust security software, install reputable antivirus, be vigilant against phishing attacks, avoid clicking on unexpected links, and consider using a VPN and password manager for enhanced security.
AppWizard
December 15, 2024
Batman: Arkham Knight has received a graphics overhaul that enhances its visual quality to compete with next-generation consoles like the PS6. Originally released in 2015, the game is part of Rocksteady Studios' Arkham trilogy and features gameplay elements such as FreeFlow Combat, stealth, and the Batmobile. The studio's recent project, Suicide Squad: Kill the Justice League, has struggled commercially since its early 2024 launch, prompting speculation about a possible remake of Batman: Arkham Asylum. A vibrant modding community has improved the game's visuals, showcasing ray-tracing effects with NVIDIA RTX 4090 at 4K resolution and 60 frames per second. Batman: Arkham Knight is available on PC, PlayStation, Xbox, and Nintendo Switch.
Tech Optimizer
November 15, 2024
EventLogs are essential for Windows operating system forensics but have limitations in identifying suspicious activities, necessitating additional audit logs or tools like Sysmon. Event Tracing for Windows (ETW) is a significant feature that enhances Windows forensics by collecting and managing EventLogs. ETW consists of four components: Providers (which generate events), Consumers (which process events), Sessions (which relay events), and Controllers (which manage sessions). ETW logs a wide range of operating system behaviors, making it valuable for forensic investigators. Notable ETW providers for incident investigation include Microsoft-Windows-Threat-Intelligence, Microsoft-Windows-DNS-Client, Microsoft-Antimalware-AMFilter, Microsoft-Windows-Shell-Core, Microsoft-Windows-Kernel-Process, and Microsoft-Windows-Kernel-File. Some ETW events are saved as files, while others are accessed in real-time from buffers, allowing for the recovery of information even if ETL files are deleted. JPCert has developed an ETW Scanner plugin for Volatility to extract ETW events from memory images, aiding incident response. The LwtNetLog ETW session collects network-related data, helping investigators identify malware communication and other activities. ETW's detailed logging capabilities and tools like the ETW Scanner enhance the ability to detect threats that traditional logging methods may miss.
Search