DF Industry Happenings
It’s Cyber Security Awareness Month! What better way to close out this month than to learn more about how to analyze phishing email attempts by criminal or other unauthorized actors? Our team has enjoyed the various trainings and resources available online. More specifically, Recorded Future posted an article, “How to Assess a Potential Phishing Email”, featuring a step-by-step guide on how to investigate and respond to a suspicious email. #BeCyberSmart
New to the DFIR Field?
Welcome to the community! Individuals who have been in the community for a while get asked the question, “How did you get started in DFIR?” Most of the time the answer is not straightforward. Every journey to our current place in our career happens either on purpose, by being in the right place at the right time, out of curiosity about what else is out there, or simply by accident. There is no one right path to take when you start out, but there are some really great resources to help navigate the endless paths in DFIR. One of ArcPoint’s favorite resources is AboutDFIR.com. This page focuses strictly on DFIR jobs at all levels. No more navigating multiple job posting sites and trying to tell a true DFIR job from the rest.
Another way to get started in DFIR is through networking. Yes, we have all heard that before, and for some individuals the term “networking” can be overwhelming. Networking doesn’t have to be a daunting task; it can be as simple as seeking out conferences, being part of the conversation on social media platforms, or finding a mentor to help you build your network. Have a Twitter account? Follow DFIR hashtags to help home in on others in our community and on interesting resources, articles, or relatable memes. Just to name a few: #DFIR #DFIRJobs #Cybersecurity #DigitalForensics.
ArcPoint Company and Product News
Want a Demo? Just ask!
ATRIO™ is an all-in-one digital forensics hardware/software solution that performs full physical imaging and data exploitation. It is designed to be intuitive and easy to use. Output is immediately accessible in universally-compatible, non-proprietary formats and can be viewed on any computer. There are no additional software programs, dongles, or other peripherals required to operate ATRIO™. Interested in getting a demo? Sign up on the ArcPoint website to receive a live demo by our Founder, President & CTO, Jared Ringenberg. During the demo, Jared walks participants through the capabilities and features of ATRIO™. Click here to sign up.
ArcPoint Forensics is hiring! Do you want to be a part of something new and different? Our ideal candidate is flexible, enthusiastic, creative, and highly collaborative, but also able to work independently. Learn more about our exciting opportunities here.
Monthly Tech Tip
The Windows Registry can provide a lot of valuable information when investigating a Windows operating system. The registry holds low-level settings for the operating system and other applications. These settings and values include the OS version and name, installed applications, user names, startup and shutdown times, recent files for a given user, and much, much more. Once you have located and extracted a registry hive file, it can be a challenge to examine it and parse out this information. Luckily there is a tool that can help, called “regripper.”
Kali Linux includes regripper, so you can install it with apt-get; however, there are a few more commands that will help get things set up correctly:
apt-get install regripper
dpkg --add-architecture i386 && apt update && apt -y install wine32
apt-get install cpanminus
cpanm --force install Parse::Win32Registry
ln -s /usr/share/windows-resources/regripper/plugins /etc/perl/plugins
The regripper tool is now installed in “/usr/share/windows-resources/regripper” and can be run from the command line (from that directory) with the “rip.pl” Perl script.
To list all the plugins available:
perl rip.pl -l
To run a plugin:
perl rip.pl -r <registry_file> -p <plugin>
For example, to run the “winver” (gets the version of Windows) plugin on the SOFTWARE registry hive:
perl rip.pl -r SOFTWARE -p winver
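Before handing an extracted hive to rip.pl it is worth confirming that the file really is a registry hive and whether it was cleanly flushed, because regripper parses the primary file only: if the hive is “dirty” (its two header sequence numbers disagree), the most recent changes still live in the .LOG1/.LOG2 transaction logs and will be missing from plugin output. The script below is an added example, not code from this newsletter or from the regripper project. It parses the fixed 4096-byte REGF base block at the start of a hive (signature, sequence numbers, last-write FILETIME, version, embedded file name and header checksum); the sample hives it checks are constructed inline, and the function and field names are the author’s own.

```python
"""Sanity-check a Windows registry hive before running regripper on it.

Added example (not from the page or the regripper project). It reads the
REGF base block, the 4096-byte header at the start of every hive, and reports
the embedded hive name, the last-write time, whether the hive is 'dirty'
(primary/secondary sequence numbers differ, so the .LOG1/.LOG2 transaction
logs hold unapplied changes) and whether the header checksum is intact.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 4096
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def header_checksum(data: bytes) -> int:
    """XOR of the first 127 DWORDs of the base block, as Windows computes it."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", data[:508]):
        csum ^= dword
    # Windows never stores 0 or 0xFFFFFFFF as the checksum value.
    if csum == 0:
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def parse_hive_header(data: bytes) -> dict:
    """Return the base-block fields an examiner wants before trusting a hive."""
    if len(data) < HEADER_SIZE or data[:4] != b"regf":
        raise ValueError("not a Windows registry hive (missing 'regf' signature)")
    primary_seq, secondary_seq, last_written = struct.unpack_from("<IIQ", data, 4)
    major, minor = struct.unpack_from("<II", data, 20)
    name_raw = struct.unpack_from("64s", data, 48)[0]   # UTF-16LE, NUL padded
    stored_checksum = struct.unpack_from("<I", data, 508)[0]
    return {
        "hive_name": name_raw.decode("utf-16-le").split("\x00", 1)[0],
        "format_version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(last_written),
        # Unequal sequence numbers: a write was in progress when the hive was
        # captured, so replay the transaction logs before relying on the output.
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored_checksum == header_checksum(data),
    }


def build_sample_hive(name: str, primary_seq: int, secondary_seq: int,
                      corrupt_checksum: bool = False) -> bytes:
    """Constructed sample: a REGF base block with no hive bins behind it."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = b"regf"
    # Sequence numbers and a FILETIME that lands in 2019 (constructed value).
    struct.pack_into("<IIQ", hdr, 4, primary_seq, secondary_seq,
                     132_000_000_000_000_000)
    struct.pack_into("<II", hdr, 20, 1, 5)            # format version 1.5
    struct.pack_into("64s", hdr, 48, name.encode("utf-16-le"))
    csum = header_checksum(bytes(hdr))
    struct.pack_into("<I", hdr, 508, csum ^ 0xDEADBEEF if corrupt_checksum else csum)
    return bytes(hdr)


if __name__ == "__main__":
    for sample in (build_sample_hive("SOFTWARE", 7, 7),
                   build_sample_hive("SYSTEM", 9, 8),
                   build_sample_hive("SAM", 1, 1, corrupt_checksum=True)):
        info = parse_hive_header(sample)
        status = "DIRTY (apply .LOG1/.LOG2 first)" if info["dirty"] else "clean"
        if not info["checksum_ok"]:
            status += ", header checksum mismatch"
        print(f"{info['hive_name']}: v{info['format_version']}, "
              f"last written {info['last_written']:%Y-%m-%d %H:%M:%S} UTC, {status}")
```

Run it against a real extracted hive by replacing the constructed samples with `open("SOFTWARE", "rb").read()`; a “DIRTY” result means the plugin output from `perl rip.pl -r SOFTWARE -p winver` reflects the state before the last unflushed write, and a checksum mismatch means the header itself was damaged during extraction.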