Joining the Dots provides real-world insights from those dedicated to justice, harm reduction, and global security. Hosted by Thomas Drohan, technologist and co-founder of Clue Software, each episode delves into the challenges and triumphs of those on the frontline tackling real issues like child abuse, human trafficking, corruption, organised crime, and fraud. Thomas leverages his experience working with diverse intelligence and investigations teams to explore candid conversations with vict ...
Listen to talks about computer forensic analysis, techniques, methodology, tool reviews and more.
At Executive Career Jump we are all about doing everything we can to assist leaders in making job moves. People going through redundancy or job change are six times more likely to suffer from mental health challenges. It can be a tough time. Our hope is that these podcast episodes go some way to helping listeners understand what they want from their career and how to go and get it! Each episode is hosted by one of the UK's leading Career Coaches, Andrew MacAskill and he interviews a range of ...

Nick Sharp – Inside the UK’s war on economic crime (52:20)
Join Thomas for a revealing conversation with Nick Sharp, Deputy Director of the National Economic Crime Centre (NECC), as they unravel the hidden web of fraud and financial crime that’s costing the UK billions every year. From romance scams and impersonation fraud to international laundering networks stretching from Southeast Asia to West Africa, …

DFSP # 483 Cooking up Forensics with Chef (14:36)
In this week’s episode, I delve into strategies for integrating Chef into your security investigations, unlocking new avenues for proactive defense and effective incident response.

DFSP # 482 Unlocking Clues from Bash and Hidden Keys (20:41)
This week, we’re pulling back the curtain on SSH from a digital forensics perspective.

Martin Dubbey – From drug busts to the Sochi doping scandal (50:59)
Join Thomas as he speaks with Martin Dubbey, a former UK drug liaison officer turned international investigator, whose career spans from narcotics investigations in Customs and Excise to exposing one of the most audacious doping scandals in modern sport. Martin shares how his transition into private investigation led him to work alongside whistlebl…
In this week’s episode, I dive into rapid triage techniques for non-core Windows executables to uncover signs of malicious activity.
This week, I’m talking about nested groups in Windows Active Directory and the security risks they pose. Active Directory allows administrators to attach one group to another—often called nesting. While nesting can simplify account administration and permission management, it can also create real opportunities for attackers if...…
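To make the nesting risk concrete, here is an added example that is not from the episode: it resolves who effectively sits in a privileged group by walking nested memberships breadth-first (so the path it reports is the shortest one) and flags users who reach the group through deeper nesting than a policy allows. The membership map is constructed sample data; against a live directory you would build it from Get-ADGroupMember output or an LDAP query using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (1.2.840.113556.1.4.1941). The membership cycle in the sample (Tier0 Ops contains Server Ops, which contains Tier0 Ops) is deliberate: Active Directory does not stop you creating one, and a naive walker loops on it forever.

```python
# Added example (not from the episode): resolve effective membership through
# nested groups and report the nesting path. MEMBERS is constructed sample data.
from collections import deque

# Constructed: group name -> direct members. A member that is itself a key of
# this map is treated as a nested group; anything else is a user principal.
MEMBERS = {
    "Domain Admins": ["alice", "Tier0 Ops"],
    "Tier0 Ops": ["Server Ops"],
    "Server Ops": ["bob", "Help Desk", "Tier0 Ops"],  # Tier0 Ops -> Server Ops -> Tier0 Ops cycle
    "Help Desk": ["carol", "dave"],
}


def effective_members(group, members=MEMBERS):
    """Return {user: path}, where path lists the groups traversed from `group` to the user.

    Breadth-first, so the first path found for a user is the shortest one; the
    `seen` set stops the walk from looping on circular nesting.
    """
    result = {}
    seen = set()
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for member in members.get(current, []):
            if member in members:            # nested group: keep walking
                queue.append((member, path + [member]))
            elif member not in result:       # user principal: record shortest path
                result[member] = path
    return result


def flag_deep_nesting(group, max_depth=1, members=MEMBERS):
    """Users who reach `group` through more than `max_depth` levels of nesting."""
    return {user: path for user, path in effective_members(group, members).items()
            if len(path) - 1 > max_depth}


if __name__ == "__main__":
    for user, path in flag_deep_nesting("Domain Admins").items():
        print(f"{user}: {' -> '.join(path)}")
```

Running it lists bob, carol and dave with the chain of groups that gives each of them Domain Admins rights; alice, a direct member, is not flagged. The same walk is what you want during an incident when a low-value group such as Help Desk turns out to grant far more than its name suggests.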

Sarah Lewis OBE OLY – From Olympic slopes to anti-doping pioneer (44:46)
Join Thomas as he dives into a fascinating conversation with Sarah Lewis OBE OLY, Olympic ski racer turned Secretary General of the International Skiing Federation (FIS), where she spent over two decades leading one of sport’s most crucial but complex battles - anti-doping. From the explosive Lahti scandal in 2001 to the shocking revelations at the…
One of the essential skill sets for a DFIR analyst is the ability to understand the impact of vulnerabilities quickly. In many IR scenarios, you may find a newly discovered vulnerability or receive a scan that flags multiple potential weaknesses. To stay efficient, you must...
This week, we’re exploring the System Resource Usage Monitor (SRUM) – a powerful source of forensic data within Windows operating systems. First introduced...
In this episode, our focus is on understanding how attackers achieve lateral movement and persistence through Secure Shell (SSH)—and more importantly, how to spot the forensic traces...
In this episode, we’ll take a focused look at how to triage one of the most commonly targeted Windows processes: svchost.exe. While the methods in this series generally apply to all Windows core processes, svchost is an especially important case because attackers...
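The checks an analyst applies to svchost instances, as an added example that is not from the episode: every svchost.exe should load from System32, have services.exe as its parent, carry a -k service-group argument, and normally run under one of the service accounts. The process listing below is constructed, not captured from a real host; a small edit-distance check also catches typo-squatted names such as svch0st.exe. The account check is marked as a weak signal because per-user services (Windows 10 version 1607 and later) legitimately run svchost as the logged-on user.

```python
# Added example (not from the episode): baseline checks for svchost.exe instances.
# SAMPLE_PROCESSES is a constructed process listing, not output from a real host.
SAMPLE_PROCESSES = [
    {"pid": 708,  "ppid": 596,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\services.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 912,  "ppid": 708,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k DcomLaunch -p", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 3388, "ppid": 3300, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe", "user": r"DESKTOP\bob"},
    {"pid": 4420, "ppid": 3388, "name": "svchost.exe",  "path": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe", "user": r"DESKTOP\bob"},
    {"pid": 5100, "ppid": 708,  "name": "svch0st.exe",  "path": r"C:\Windows\System32\svch0st.exe",
     "cmdline": r"C:\Windows\System32\svch0st.exe -k netsvcs", "user": r"NT AUTHORITY\SYSTEM"},
]

EXPECTED_PATH = r"c:\windows\system32\svchost.exe"
SERVICE_ACCOUNTS = {r"nt authority\system", r"nt authority\local service", r"nt authority\network service"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike names such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_svchost(procs):
    """Return [(pid, [reasons])] for svchost (or svchost-lookalike) processes that deviate from baseline."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name = p["name"].lower()
        if name != "svchost.exe" and edit_distance(name, "svchost.exe") > 1:
            continue
        reasons = []
        if name != "svchost.exe":
            reasons.append(f"lookalike name {p['name']}")
        if p["path"].lower() != EXPECTED_PATH:
            reasons.append(f"unexpected image path {p['path']}")
        parent = by_pid.get(p["ppid"])
        pname = parent["name"].lower() if parent else "unknown"
        if pname != "services.exe":
            reasons.append(f"parent is {pname}, expected services.exe")
        if " -k " not in f" {p['cmdline'].lower()} ":
            reasons.append("no -k service-group argument on the command line")
        # Weak signal: per-user services (Windows 10 1607+) run svchost as the logged-on user.
        if p["user"].lower() not in SERVICE_ACCOUNTS:
            reasons.append(f"runs as {p['user']} (weak signal)")
        if reasons:
            findings.append((p["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in triage_svchost(SAMPLE_PROCESSES):
        print(pid, "; ".join(reasons))
```

On the sample, PID 912 passes every check, PID 4420 fails four of them (path, parent, missing -k, account) and PID 5100 is caught by the lookalike and path checks even though its parent and account look normal.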
Ransomware attacks move quickly, making your initial response crucial in minimizing impact. This episode outlines critical first steps, from isolating infected machines to gathering key information and initiating containment. Whether you’re a SOC analyst, incident responder, or the first to notice an attack, this framework is designed to help you r…
Today’s episode explores Apple Spotlight and its extended metadata—a powerful yet often overlooked forensic tool in the Mac ecosystem. Spotlight plays a critical role in uncovering digital evidence on macOS. Both experienced forensic analysts and newcomers will find its capabilities essential. Let’s dive into the details.…
Bin directories (short for binary) store command binaries such as ls, vi, and cat (cd and pwd are normally shell builtins rather than separate binaries, although a standalone pwd usually exists as well). Unix-like platforms have several bin directories: two in the root directory (/bin and /sbin), two under /usr (/usr/bin and /usr/sbin), and users may also keep their own, such as ~/bin. This episode explains the types of files in these directories and the purpose of each bin directory. I will also clarify which directories are typically used …
Modern Windows systems use a tightly coordinated sequence of core processes to establish secure system and user environments. DFIR investigators and incident responders must understand the interrelationships between processes such as Idle, SMSS, CSRSS, WININIT, and WINLOGON. Recognizing expected behaviors and anomalies in these steps is crucial for…
Today we’re talking all about macOS AutoRun locations and how to spot persistence mechanisms. We’ll explore the ins and outs of property list files, launch daemons and launch agents, System Integrity Protection, and the recent changes in macOS that can impact your forensic examinations...
This week I'm talking about the three task hosts (taskhost.exe, taskhostex.exe and taskhostw.exe). These are Windows core files, and they share not only similar names but similar functionality. Because of this there is potential for confusion, which an attacker may leverage to mask that a binary is malware. My goal in this episode is to demystify the three different tas…
Today’s episode is all about Windows event logs that record blocked network connections. Blocked network events are interesting because they might signal that an attacker’s secondary or tertiary toolset isn’t working as intended. That’s good news from a security standpoint...
Today I cover an evolving threat in the cybersecurity world: data brokers. From a computer forensics standpoint, these threats pose unique challenges. While breaches capture headlines, data brokers play a major (and sometimes overlooked) role in fueling cybercrime. In this session, we will explore how these threats operate, why they are dangerous, a…
The Common Vulnerability Scoring System (CVSS) is a powerful tool for assessing the severity and impact of security vulnerabilities. In digital forensics and incident response, CVSS scores can provide critical context to prioritize investigations and focus on the most significant risks. In this episode I will explore how leveraging CVSS scoring enhanc…
Understanding the behavior and characteristics of common file types used in attacks, such as executables, scripts, and document files, is essential for effective analysis. In this episode, we will explore practical approaches to triage malware, focusing on key indicators and techniques for prioritizing investigations.…
Windows permit events, often overlooked, offer valuable details about allowed network connections that can reveal patterns of malicious activity. In this episode, we will dive into how analyzing these events can enhance network triage, enabling security teams to detect, scope, and respond to threats more effectively.…
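One way to put the blocked-connection and permit-event episodes above into practice, as an added example that is not from the podcast: the script below rolls up Windows Filtering Platform audit events 5157 (connection blocked) and 5156 (connection permitted) by application and destination, then flags the patterns those two episodes describe, namely a binary that keeps retrying a blocked outbound connection, an image running from a user-writable path, and a permitted inbound connection on a remote-administration port. The records are constructed; the field names follow the EventData names in those events, and Direction carries the resource strings %%14592 (inbound) and %%14593 (outbound) as the raw event does. For inbound events DestAddress is the local host.

```python
# Added example (not from the podcast): triage of WFP audit events 5157/5156.
# SAMPLE_EVENTS is constructed; field names follow the events' EventData names.
from collections import Counter

SAMPLE_EVENTS = [
    # three blocked outbound attempts from a binary in %TEMP% to the same host:port
    {"EventID": 5157, "ProcessID": 4412, "Direction": "%%14593", "Protocol": "6",
     "Application": r"\device\harddiskvolume2\users\bob\appdata\local\temp\svc.exe",
     "SourceAddress": "10.0.0.5", "DestAddress": "203.0.113.7", "DestPort": "4444"},
] * 3 + [
    {"EventID": 5156, "ProcessID": 2210, "Direction": "%%14593", "Protocol": "6",
     "Application": r"\device\harddiskvolume2\program files\google\chrome\application\chrome.exe",
     "SourceAddress": "10.0.0.5", "DestAddress": "198.51.100.2", "DestPort": "443"},
    # permitted inbound RDP: DestAddress is the local host, SourceAddress the peer
    {"EventID": 5156, "ProcessID": 1044, "Direction": "%%14592", "Protocol": "6",
     "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe",
     "SourceAddress": "10.0.0.77", "DestAddress": "10.0.0.5", "DestPort": "3389"},
]

DIRECTION = {"%%14592": "inbound", "%%14593": "outbound"}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")
REMOTE_ADMIN_PORTS = {"22", "445", "3389", "5985", "5986"}


def summarize(events):
    """Count events by (EventID, application, direction, source, destination, port)."""
    counts = Counter()
    for e in events:
        key = (e["EventID"], e["Application"].lower(),
               DIRECTION.get(e["Direction"], e["Direction"]),
               e["SourceAddress"], e["DestAddress"], e["DestPort"])
        counts[key] += 1
    return counts


def findings(events, repeat_threshold=3):
    """Return [(application, [reasons])] for entries that deserve a closer look."""
    out = []
    for (eid, app, direction, src, dst, port), n in summarize(events).items():
        reasons = []
        if eid == 5157 and n >= repeat_threshold:
            reasons.append(f"{n} blocked {direction} attempts to {dst}:{port}; tooling that keeps retrying")
        if eid == 5156 and direction == "inbound" and port in REMOTE_ADMIN_PORTS:
            reasons.append(f"permitted inbound on remote-admin port {port} from {src}")
        if any(s in app for s in USER_WRITABLE):
            reasons.append("image runs from a user-writable path")
        if reasons:
            out.append((app, reasons))
    return out


if __name__ == "__main__":
    for app, reasons in findings(SAMPLE_EVENTS):
        print(app, "; ".join(reasons))
```

On the sample the temp-directory binary is reported for both the repeated blocks and its location, the browser's permitted HTTPS connection is ignored, and the permitted inbound RDP session is surfaced with its source address so it can be cross-checked against logon events. These events only exist if Filtering Platform Connection auditing is enabled, so check the audit policy before concluding that the absence of 5157 events means nothing was blocked.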
Security risk assessments can be a tool for guiding and prioritizing incident response investigations. By evaluating the potential impact and likelihood of various threats, these assessments provide a structured framework to identify and mitigate risks effectively. This episode will explore how integrating security risk assessments into incident re…
This week, we’re focusing on the Windows Prefetch artifact—a cornerstone in Windows forensics, especially for user endpoint investigations. In this episode, I’ll break down the Prefetch artifact from an investigative perspective, covering how to effectively leverage its evidence in forensic analysis. I’ll also highlight any recent changes to the ar…
This week, we’re exploring malware triage techniques. Unlike full binary analysis, malware triage is often seen as an essential skill that every digital forensic and incident response professional should master. In this episode, I’ll walk you through the core elements of malware triage, helping you understand the various skills needed to meet indus…
This week, we’re diving into how to triage for PsExec evidence. PsExec leaves traces on both the source and target systems, making it essential to identify artifacts on each to determine whether a system was used as an attacker’s tool or was the target of an attack. While PsExec has somewhat fallen out of favor due to increased use of PowerShell fo…
Understanding how to search for executables is a critical skill in computer forensics. There are major differences in how executables are handled between Windows and Linux systems, so techniques that work on Windows won’t always translate effectively to Linux. In this episode, I’ll break down some triage techniques to help you quickly identify susp…
Welcome to today’s episode! We’re diving into network triage, focusing specifically on listening ports. While we often look for active connections, identifying suspicious services listening on a port can be equally crucial in your investigation. It’s essential to gather this information for both current, real-time data and historical analysis, prov…
In this episode, we’ll dive into two essential forensic artifacts in Windows: shellbags and the Program Compatibility Assistant (PCA). Shellbags provide valuable evidence of folder access, offering insights into user activity and file navigation. We’ll also explore PCA, which can reveal important information about file execution history. …
The Windows Subsystem for Linux (WSL) creates both opportunities and challenges for forensic analysts. It makes Windows an excellent platform for multi-platform forensic analysis tasks, allowing it to take advantage of the many Linux tools available. The challenges are foreseeable: you now have Linux artifacts commingled on a Windows platform, which makes…
In this episode, we’ll explore the fundamentals of network triage, focusing on the key aspects of network traffic that are central to many investigations. Additionally, we’ll discuss some of the essential tools you can use to analyze and manage network data effectively.

DFSP # 455 Security Control Circumvention (33:29)
Today, we’re going to explore how to handle a critical security event: Unauthorized Modification of Information. This type of event occurs when a user alters information in a system—whether it’s an application, database, website, server, or configuration files—without prior authorization. These modifications can range from impersonation and unautho…
This week I talk about the attack methods being used to bypass MFA. We'll learn about real-world cases where MFA was circumvented, and discover best practices to strengthen defenses against these types of attacks...
In today’s episode, we’ll focus on startup folders, which are perhaps the easiest to triage among all persistence mechanisms. But before diving in, let’s recap the journey so far to underscore the importance of a comprehensive approach rather than a one-off tactic. Each triage area we've covered plays a crucial role in identifying and stopping atta…
In 2024, AI has not only revolutionized how we defend against cyber threats but also how those threats are being carried out. We'll explore how AI is enabling faster, more efficient security incident responses, with real-world examples of its application in automated threat detection and response, advanced forensics, and more. But with every techno…
SQL injection poses significant risks by enabling attackers to access sensitive metadata, execute dynamic SQL commands, and alter system parameters. These actions can lead to unauthorized data access and system disruptions, especially if attackers gain elevated privileges. This week I'm talking about SQL attack patterns from a triage point of view …
I decided to talk this week about the Importance of Secure Coding Knowledge for Security Incident Response Investigations. Knowing secure coding principles helps identify the root causes of vulnerabilities and recognize attack patterns. It facilitates effective communication and collaboration with developers, ensuring accurate incident reports and …
This week, we're covering zero-day vulnerability response from a Digital Forensics and Incident Response professional's perspective. In our roles, we often get involved in various tasks that require a security mindset, and one critical task is responding to zero-day vulnerabilities. To provide a real-world context, we'll integrate the recently disc…

Ian Smith: Esports – a game-changer for sports integrity? (1:04:25)
In this episode, Ian Smith, Commissioner of the Esports Integrity Commission (ESIC), explores the fast-growing world of esports and its integrity challenges. Drawing from his experience tackling match-fixing in cricket, Ian explains his move into esports, where competitive gaming has surged in popularity, with players earning significant incomes an…
Welcome to this week’s session, where we’ll delve into web shell forensics—an ever-critical topic in incident response investigations and threat-hunting strategies. Today, I’ll provide a breakdown that includes the latest developments, detailed triage techniques, and practical examples of what to look for during your investigations:…
Rootkits are hard to detect because they employ advanced stealth techniques to hide their presence. They can conceal processes, files, and network activities by altering system calls and kernel data structures. The deep system knowledge and specialized tools required for low-level analysis make rootkit detection complex and resource-intensive. Limi…

Neville Blackwood – On the frontlines of global law enforcement (58:48)
In this episode, Thomas sits down with Neville Blackwood, a seasoned international law enforcement consultant and former senior police officer, to delve into the complexities of global policing. Neville recounts his journey from joining Thames Valley Police in 1982 to leading undercover operations against organised crime in Europe, which fueled his…
In previous episodes, we covered techniques for examining the Windows Registry, a critical component in identifying persistence mechanisms. This time we'll return to the registry but shift our focus to registry modification events as reported by Windows event logs.
Bash history's forensic value lies in its ability to answer diverse investigative questions, making it a cornerstone artifact for Linux systems. It aids in triaging lateral movement, identifying reconnaissance activities, and detecting attempts at establishing persistence. This underscores the importance of structuring triage tasks around specific …
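The triage structure described above, tasks framed around specific questions (lateral movement, reconnaissance, persistence), as an added example that is not from the podcast; it also covers the SSH-focused episodes earlier on this page, since SSH key handling and outbound ssh/scp are the commands you are looking for in a history file. The history below is constructed. The `#<epoch>` lines are what bash writes to the history file when HISTTIMEFORMAT is set, which is what lets the parser attach a timestamp to each command; without that setting a history file has no timestamps at all, so order is the only timeline you get. The tag names and regular expressions are my own starting set, not an exhaustive list.

```python
# Added example (not from the podcast): tag a bash history by investigative theme.
# SAMPLE_HISTORY is constructed; '#<epoch>' lines appear when HISTTIMEFORMAT is set.
import re
from datetime import datetime, timezone

SAMPLE_HISTORY = """\
#1712000100
whoami
#1712000110
cat /etc/passwd
#1712000200
ssh-keygen -t ed25519 -f /tmp/.k -N ''
#1712000210
cat /tmp/.k.pub >> ~/.ssh/authorized_keys
#1712000300
ssh -i /tmp/.k deploy@10.0.0.12
#1712000400
scp /tmp/payload.tgz deploy@10.0.0.12:/tmp/
#1712000500
history -c
"""

# (tag, regex); the order here only fixes the order of tags in the output.
RULES = [
    ("reconnaissance", re.compile(
        r"^\s*(?:whoami|id|uname|hostname|ifconfig|ip\s+a|netstat|ss|cat\s+/etc/(?:passwd|shadow|hosts))(?:\s|$)")),
    ("lateral_movement", re.compile(r"^\s*(?:ssh|scp|sftp|rsync)\s")),
    ("ssh_keys", re.compile(r"ssh-keygen|authorized_keys|\.ssh/")),
    ("persistence", re.compile(r"authorized_keys|crontab|useradd|systemctl\s+enable|/etc/rc\.local")),
    ("anti_forensics", re.compile(r"history\s+-c|unset\s+HISTFILE|HISTSIZE=0|shred\s|rm\s+\S*bash_history")),
]


def parse_history(text):
    """Return [{'time': datetime|None, 'cmd': str, 'tags': [str]}] for every command line."""
    entries, ts = [], None
    for line in text.splitlines():
        if re.fullmatch(r"#\d{9,10}", line):           # HISTTIMEFORMAT timestamp line
            ts = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
            continue
        if not line.strip():
            continue
        entries.append({"time": ts, "cmd": line,
                        "tags": [tag for tag, rx in RULES if rx.search(line)]})
    return entries


def triage(text, tags=None):
    """Tagged commands only; pass a set of tags to answer one question at a time."""
    wanted = set(tags) if tags else None
    return [e for e in parse_history(text)
            if e["tags"] and (wanted is None or wanted & set(e["tags"]))]


if __name__ == "__main__":
    for e in triage(SAMPLE_HISTORY):
        when = e["time"].isoformat() if e["time"] else "unknown"
        print(when, ",".join(e["tags"]), e["cmd"])
```

Read top to bottom the sample tells the story in order: user and host reconnaissance, a throwaway key generated under /tmp and added to authorized_keys (persistence on this host), ssh and scp to 10.0.0.12 with that key (lateral movement), and finally history -c. That last command is the reason to treat the file as incomplete: the history you are reading is whatever survived, and the absence of commands proves nothing.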

Phil Suddick – From covert law enforcement to sports integrity (1:08:15)
Join Thomas as he delves into an enthralling conversation with Phil Suddick, the Head of Sport and Safeguarding at Clue Software, unravelling his remarkable career journey from law enforcement to becoming a torchbearer for sports integrity. Drawing from his specialised background in covert operations, Phil unveils how his prowess in undercover inte…
The UserAssist key is a Windows Registry artifact that logs details about user activity, namely programs and shortcuts launched through the Windows shell. Its value names are ROT13-encoded, and each value records the run count and last execution time of items launched via Windows Explorer. This helps investigators understand user behavior and the timeline of actions on a system, providing evidence of progr…
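Decoding an entry by hand, as an added example that is not from the podcast: the value name is ROT13 text, and on Windows 7 and later the value data is 72 bytes with the run count at offset 4, focus count at 8, focus time in milliseconds at 12, and the last execution time as a FILETIME (100-nanosecond ticks since 1601-01-01 UTC) at offset 60. The sample entry is constructed by build_sample_value() rather than read from a real NTUSER.DAT; the GUID in the name is the System32 known-folder GUID, since UserAssist substitutes known-folder GUIDs for the leading part of the path. A length check guards against the 16-byte UEME_CTLSESSION entry that lives in the same key.

```python
# Added example (not from the podcast): decode a UserAssist value name and the
# Windows 7+ 72-byte data layout. SAMPLE_NAME / SAMPLE_DATA are constructed.
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_sample_value(run_count, last_run, focus_count=3, focus_ms=120000):
    """Constructed 72-byte value: run count at offset 4, focus count at 8,
    focus time (ms) at 12, last execution FILETIME at offset 60."""
    buf = bytearray(72)
    struct.pack_into("<III", buf, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return bytes(buf)


def decode_userassist(value_name, data):
    """Return the ROT13-decoded name plus run count, focus data and last-run time."""
    name = codecs.decode(value_name, "rot_13")
    if len(data) != 72:                       # e.g. the 16-byte UEME_CTLSESSION entry
        return {"name": name, "error": f"unexpected data length {len(data)}"}
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (ft,) = struct.unpack_from("<Q", data, 60)
    return {"name": name, "run_count": run_count, "focus_count": focus_count,
            "focus_time_ms": focus_ms,
            "last_run": filetime_to_datetime(ft) if ft else None}


# Constructed: ROT13 of {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe
# (that GUID is the System32 known folder).
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfcnvag.rkr"
SAMPLE_DATA = build_sample_value(5, datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_DATA))
```

Against a real hive you would read the values under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count with a registry parser and feed each name/data pair to decode_userassist(). A zero FILETIME is reported as no last-run time rather than as 1601, which is the usual trap when converting these fields.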
Every incident response outfit should have a set of guidelines for their team which outlines the standard actions or common considerations for security investigations. In this episode, I highlight some of the key points for security teams with a special focus on initial actions which typically set the tone for success during the subsequent investig…

Adam Pacifico – Developing a mindset for investigative leadership (1:10:27)
Thomas joins Adam Pacifico, as the lawyer and leadership podcaster shares his unconventional career trajectory from barrister to police officer and back. This episode explores how technology shaped Adam’s work in law over the years and underscores the importance of meticulous detail and rationale in investigations. Discover how the passage of time …
Understanding the different types of databases is important for security incident response investigations, as databases are often targeted by attackers seeking sensitive information. Each database type—relational, NoSQL, in-memory, and cloud-based—has unique structures, query languages, and security mechanisms. Familiarity with these variations ena…
CIS (Center for Internet Security) Benchmarks provide a comprehensive set of best practices for securing IT systems and data, which are vital for security response investigations. These benchmarks, developed through a consensus-driven process by cybersecurity experts, offer detailed guidelines for configuring operating systems, applications, and ne…