Josh Lemon

Digital Forensics and Incident Response Managing Director & Certified SANS Instructor

Recently I went looking for some reference content on ZIP files and how timestamps behave in a ZIP, along with what I could determine about files within a ZIP. Sadly I came up empty, either because there is very little available online or just because of my impatience. So I thought I'd spend some time writing up some research I did for the next person who is looking for reference content. Essentially, I wanted to know how timestamps behave when it comes to ZIP files, whether any timestamps stay the same, and which timestamps are lost when you archive a…

As an Incident Responder it's pretty common to analyse malicious emails; however, the right tools to safely pull apart an email aren't always easy to find. I often find analysts struggle to pull apart an email once you explain the risks of using Microsoft Outlook as an analysis tool. This post will look at using open source tools within the SANS SIFT Workstation virtual machine to safely pull apart a native Outlook email message. To start with, a native Outlook email message is in the .MSG file format. This format, unfortunately, can't be opened and viewed easily with a…

The following process walks through how to mount an Apple Disk Image, more commonly known as a .dmg file. It covers mounting the HFS section of a .dmg file on a Linux system to allow the extraction of files for further analysis. Step 1 - Checking The File Type: To begin with, I usually check what type of .dmg file it is with the "file" command. This is done to understand whether it is a compressed or uncompressed .dmg file. $ file application.dmg The output you could typically expect is: application.dmg: data which…

Following a presentation I did for a SANS community night in Melbourne, Australia recently, I had a lot of attendees ask if I could provide the graphical timeline that I presented, which showed the events leading up to the discovery of WannaCry in May 2017. Below is that timeline, with events unique to the WannaCry variant that got a lot of attention in the mainstream news in May 2017. I've tried not to dive too far down the rabbit hole of the EternalBlue exploit and its use in other malware, which is most certainly occurring in the wild. I've…

In the aftermath of the WannaCry ransomware outbreak, what are the real lessons we should all have learned? Or even better, what should we be telling those not in the Cyber Security industry, so they don't fall victim to media hype or vendor spin? My hope is that this information is also useful in clearing up any misinformation that's spread about WannaCry. This whole attack was not the result of a phishing email. No email-type protections would have saved you from getting infected with WannaCry. The malware was spread via other users on the internet directly connecting to your network/…

Ever wondered how much metadata is included within the PDF files you email or share with others? Well, believe it or not, there is a lot that can be determined from a PDF you've created. This post looks at how to clean the metadata from your PDF files before you send them, and how to protect them so they aren't easily edited or copied by a recipient. These techniques are sometimes referred to as anti-forensics, with the goal of limiting the amount of forensic information you provide within a file that you have produced. If you're after the quick copy and…