forensics

Tech Optimizer
March 20, 2025
Microsoft Incident Response has identified a new remote access trojan (RAT) called StilachiRAT, which extracts sensitive information from infected computers, including passwords, cryptocurrency wallet details, operating system specifications, and device identifiers. StilachiRAT has a self-reinstatement mechanism that allows it to reinstall itself if removed. It targets digital wallets from platforms like Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, and Bitget Wallet. The malware can harvest credentials from web browsers, including Google Chrome, monitor clipboard data, gather system information, detect camera presence, and track active Remote Desktop Protocol (RDP) sessions, and it maintains its presence using the Windows service control manager. StilachiRAT can impersonate users to monitor RDP sessions and employs anti-forensics mechanisms to evade detection. Discovered in November of the previous year, it has not yet achieved widespread distribution. Microsoft advises users to download software from official websites, use robust security software, install reputable antivirus, be vigilant against phishing attacks, avoid clicking on unexpected links, and consider using a VPN and password manager for enhanced security.
AppWizard
December 15, 2024
Batman: Arkham Knight has received a graphics overhaul that enhances its visual quality to compete with next-generation consoles like the PS6. Originally released in 2015, the game is part of Rocksteady Studios' Arkham trilogy and features gameplay elements such as FreeFlow Combat, stealth, and the Batmobile. The studio's recent project, Suicide Squad: Kill the Justice League, has struggled commercially since its early 2024 launch, prompting speculation about a possible remake of Batman: Arkham Asylum. A vibrant modding community has improved the game's visuals, showcasing ray-tracing effects with NVIDIA RTX 4090 at 4K resolution and 60 frames per second. Batman: Arkham Knight is available on PC, PlayStation, Xbox, and Nintendo Switch.
Tech Optimizer
November 15, 2024
EventLogs are essential for Windows operating system forensics but have limitations in identifying suspicious activities, necessitating additional audit logs or tools like Sysmon. Event Tracing for Windows (ETW) is a significant feature that enhances Windows forensics by collecting and managing EventLogs. ETW consists of four components: Providers (which generate events), Consumers (which process events), Sessions (which relay events), and Controllers (which manage sessions). ETW logs a wide range of operating system behaviors, making it valuable for forensic investigators. Notable ETW providers for incident investigation include Microsoft-Windows-Threat-Intelligence, Microsoft-Windows-DNS-Client, Microsoft-Antimalware-AMFilter, Microsoft-Windows-Shell-Core, Microsoft-Windows-Kernel-Process, and Microsoft-Windows-Kernel-File. Some ETW events are saved as files, while others are accessed in real time from buffers, allowing for the recovery of information even if ETL files are deleted. JPCERT/CC has developed an ETW Scanner plugin for Volatility to extract ETW events from memory images, aiding incident response. The LwtNetLog ETW session collects network-related data, helping investigators identify malware communication and other activities. ETW's detailed logging capabilities and tools like the ETW Scanner enhance the ability to detect threats that traditional logging methods may miss.