Shafik Punja
qubytelogic.bsky.social
DFIR worker bee/research monkey.
Views are my own.🐧 And do not necessarily represent strategies, views or opinions of any employers: past, present or future.
Reposted by Shafik Punja
New Autopsy release is out! 🎉

It's been a minute, but it's out. Notable features are BitLocker support and it can run side-by-side with Cyber Triage. Plus, a bunch of library updates.

Now Cyber Triage and Autopsy can be used on the same case at the same time!

www.autopsy.com/autopsy-4-22...
Autopsy - Autopsy 4.22.0: BitLocker Support, Cyber Triage Sidecar, Library Updates
Autopsy 4.22.0 includes BitLocker support, ability to run alongside Cyber Triage, and updates to lower-level libraries.
www.autopsy.com
March 11, 2025 at 8:36 PM
Reposted by Shafik Punja
Elon Musk’s claim the X DDoS is from “IP addresses originating in the Ukraine area” is missing a key fact - it was actually IPs from worldwide, not just Ukraine.

It’s a Mirai variant botnet, made of compromised cameras. They specifically targeted a Twitter ASN which had origin servers not behind CF
March 10, 2025 at 10:30 PM
Reposted by Shafik Punja
New Blog! Investigating Anonymous VPS services used by Ransomware Gangs

h/t to @drb_ra for lending me some of their C2 data! Made my life a lot easier 🫡

🔗 blog.bushidotoken.net/2025/02/inve...

Podcast version: www.youtube.com/watch?v=xX25...
February 15, 2025 at 5:39 PM
Reposted by Shafik Punja
This is an important story.

The shitty part? I am Canadian, a court expert, I have offered my help to numerous Canadian orgs, lawyers and the Innocence Project.

Yet? I am only on dockets in Kansas, Oklahoma, and California through their indigent defense systems or NPOs.

Why? Wanna guess?
🚨THIS IS A VERY BIG DEAL AND YOU SHOULD CARE🚨

"There are hundreds of people jailed in Quebec every year for minor infractions. Why? Access to a fair trial is quietly becoming a luxury most cannot afford."

Vital story from @titocurtis.bsky.social and Hal Newman for @therovermedia.bsky.social:
Quebec's Injustice System – The Rover
There are hundreds of people jailed in Quebec every year for minor infractions. Why? Access to a fair trial is quietly becoming a luxury most cannot afford.
therover.ca
February 28, 2025 at 11:51 AM
Reposted by Shafik Punja
SCOOP: Kash Patel took $25,000 from a production company with ties to Russia propaganda activity to appear in an anti-FBI docuseries. He did not respond to questions about this.

www.motherjones.com/politics/202...
Kash Patel Took $25,000 From Russia-Linked Firm to Appear on an Anti-FBI TV Series
The documentary was produced by a filmmaker tied to Russian propaganda efforts.
www.motherjones.com
February 7, 2025 at 9:36 PM
Reposted by Shafik Punja
From last month if you missed it - a gooder from @kennedycatherine.bsky.social
To understand what makes a "good" public apology, you must first understand how curious-minded folks will tear it apart—bit by bit. Join Kennedy for a lesson in deconstructing corporate crisis communications using investigatory practices.

www.bullshithunting.com/p/anatomy-of...
Anatomy of an Apology
Didn't your momma teach ya to say you're sorry?
www.bullshithunting.com
February 3, 2025 at 8:21 PM
'Tools don’t do forensics – you do. A tool should amplify your skill, not replace it.' - Brett Shavers brettshavers.com/brett-s-blog...
The Human Element of DF/IR (YOU!)
The clock is racing. A global breach is unraveling on one side of the room; millions siphoned in real-time, systems crashing, and reputations crumbling by the second. On the other, the unthinkable: a ...
brettshavers.com
January 31, 2025 at 9:54 PM
'Technology will evolve. But your ability to think critically, prioritize, and follow evidence where it leads will always set you apart.' - Brett Shavers brettshavers.com/brett-s-blog...
The Human Element of DF/IR (YOU!)
The clock is racing. A global breach is unraveling on one side of the room; millions siphoned in real-time, systems crashing, and reputations crumbling by the second. On the other, the unthinkable: a ...
brettshavers.com
January 31, 2025 at 9:48 PM
Reposted by Shafik Punja
#DFIR 💭 of the day: Our knowledge base is built on sharing - community contribution is critical.

With ever-evolving tech, no examiner knows all - we constantly learn new things. Shared knowledge is required - blog, script, peer review, etc. - Please share! You have something to contribute!
December 13, 2024 at 8:31 PM
Reposted by Shafik Punja
I wrote a blog post reflecting on what I read from Brett Shavers' book, Placing the Suspect Behind the Keyboard: DFIR Investigative Mindset.
A Reflection on Continual Growth in DFIR: An Investigative Mindset
Derek reflects on continuous improvement of the investigative mindset.
mreerie.com
December 2, 2024 at 12:38 PM
Reposted by Shafik Punja
🎄ArcPoint Forensics DFIRmas Podcast Season 2 Episode 1 is out!
❄️Topic: Validation
🎅Guest: Me!
☃️Subscribe to the channel for more interviews.
🌟Check it out at the link below:
https://buff.ly/4g4U6sk

#DFIR #DigitalForensics #MobileForensics
S2: DFIRmas Podcast: Alexis Brignoni
Instagram: @4n6_abrignoni | YouTube: Alexis Brignoni | BlueSky: @abrignoni.com | Podcast: Digital Forensics Now (DFN) | Resources: https://dfir.pubpub.org | The Importance...
buff.ly
December 9, 2024 at 6:16 PM
Reposted by Shafik Punja
SentinelLabs observed a threat actor targeting service providers in Southern Europe abusing Visual Studio Code tunnels to maintain persistent remote access to compromised systems. www.bleepingcomputer.com/news/securit... KQL to detect such abuse.
December 10, 2024 at 11:51 PM
Reposted by Shafik Punja
#DFIR 💭 of the day: Training should educate examiners on going beyond tool results.

Here’s why:
1) Validate tool findings - particularly “smoking gun”.
2) Determine data meaning of results: how/why
3) Explain analysis results
4) Find unsupported artifacts
5) Adapt to change of supported artifacts
December 10, 2024 at 11:46 AM
Reposted by Shafik Punja
🚨 New file structure might contain email-related data in BFU extractions!!! Also Spotlight-related data.
🚨 An iLEAPP artifact is available.
🙏 Thanks to John Hyla for the research & parser.
🔗 Check the post here: https://buff.ly/41Cv3Zp

#MobileForensics
December 4, 2024 at 11:37 PM
Reposted by Shafik Punja
From moi
This week, Justin presents The Annoyed Investigator's Manifesto. Explore how limiting beliefs, fear, and a lack of proper diligence can ripple through our interactions and affect those around us.

www.bullshithunting.com/p/the-annoye...
The Annoyed Investigator's Manifesto
On neurodivergence, tunnel vision and the exhaustion of diligence.
www.bullshithunting.com
December 4, 2024 at 5:28 PM
Reposted by Shafik Punja
You are threat hunting? You use KQL? Then read this post and follow @attackthesoc.com
The problem with using bin in your detection rules: attackthesoc.com/posts/practi...
Really more useful for gathering general statistics vs finding meaningful connections and meeting your set event thresholds.
Practical Temporal Proximity in KQL
Practical approach to temporal proximity via KQL to identify patterns and potential security incidents.
attackthesoc.com
November 20, 2024 at 10:08 PM
Reposted by Shafik Punja
WebScout
Online tool to collect domain/IP information:
- list of emails for a domain (a very long list is given out upon free request)
- general domain info
- subdomains
- certificates
- similar domains
Partly free.
November 16, 2024 at 7:30 AM
Reposted by Shafik Punja
Hey hey #OSINT family! It will have been 5 years since we all gathered in Alexandria, Virginia - we get to do it again!

www.sans.org/cyber-securi...
November 16, 2024 at 1:00 PM