📚 Fully Exploiting Data Sources


💡 News category: Windows Tips
🔗 Source: windowsir.blogspot.com

Very often, we view data sources as somewhat one dimensional, and don't think about how we can really get value from that data source. We're usually working on a case, just that investigation that's in front of us, and we're so "heads down" that we may not consider that what we see as a single data source, or an entry from that data source (artifact, indicator), is really much more useful, more valuable, than how we're used to viewing it.

So, what am I talking about? Let's consider some of the common data sources we access during investigations, and how they're accessed. Consider something that we're looking at during an investigation...say, a data source that we often (albeit incorrectly) say indicates program execution: the "AppCompatCache", or "ShimCache". Let's say that we parse the AppCompatCache, and find an entry of interest, a path to a file with a name that is relevant to our investigation. Many of us will look at that entry and just think, "...that program executed at this time...". But would that statement be correct?

As with most things in life, the answer is, "it depends." For example, if you read Caching Out: The Value Of ShimCache to Investigators (Mandiant), it becomes pretty clear that the AppCompatCache is not the same on all versions of Windows. On some, an associated time stamp does indeed indicate that the file was executed, but on others, only that the file existed on the system, and not that it was explicitly executed. The time stamp associated with the entry is not (with the exception of 32-bit Windows XP) the time that the file was executed; rather, it's the last modification time from the $STANDARD_INFORMATION attribute in the MFT record for that file. To understand if that time stamp corresponds to the time that the file was executed, we need to consider artifact constellations, correlating the data point with other data sources to develop the context, to develop a better understanding of the data source (and point), and to validate our findings.

Further, we need to remember that ShimCache entries are written at shutdown; as a result, a file may exist on the system long enough to be included in the ShimCache, but a shutdown or two later, that entry will no longer be available within the data source. This can tell us something about the efforts of the threat actor or malware author (malware authors have been known to embed and launch copies of sdelete.exe), and it also tells us something about the file system at a point in time during the incident.

The point is that the data sources we rely on very often have much more value and context than we realize or acknowledge, and are often much more nuanced than we might imagine. With the ShimCache, for example, an important factor to understand is which version of Windows the data was retrieved from...because it matters. And that's just the beginning.
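As an added illustration (not code from the original post) of the version-dependent reading and the cross-artifact validation described above: a small Python routine that interprets an already-parsed ShimCache entry against the Windows version it came from, checks its time stamp against the file's $STANDARD_INFORMATION last-modified time, and looks for independent execution evidence in Prefetch. The entries, the "xp32"/"win10" version labels and the Prefetch records are constructed sample data, not output of any real parser.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

# Constructed sample data: what a ShimCache parser, a Prefetch parser and an
# MFT parser might emit for one host. Hypothetical paths and times.
SHIMCACHE = [
    {"path": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "ts": datetime(2023, 11, 2, 14, 5, 0, tzinfo=UTC)},
    {"path": r"C:\Windows\Temp\sdelete.exe",
     "ts": datetime(2023, 11, 2, 14, 10, 0, tzinfo=UTC)},
]
PREFETCH = [{"exe": "UPDATER.EXE",
             "last_run": datetime(2023, 11, 2, 14, 7, 30, tzinfo=UTC)}]
MFT_SI_MTIME = {e["path"]: e["ts"] for e in SHIMCACHE}  # $SI last-modified

@dataclass
class Finding:
    path: str
    timestamp_means: str              # what the ShimCache time stamp represents here
    matches_mft_si: Optional[bool]    # None when no MFT record was available
    execution_evidence: list          # artifacts that independently show execution

def interpret_shimcache(entry: dict, os_version: str,
                        prefetch: list, mft_si_mtime: dict) -> Finding:
    """Read one ShimCache entry in the context of its OS and the other artifacts."""
    # Per the post: only 32-bit Windows XP records an execution time; elsewhere
    # the time stamp is the $STANDARD_INFORMATION last-modified time of the file.
    if os_version == "xp32":
        meaning = "file last executed"
    else:
        meaning = "$STANDARD_INFORMATION last-modified time (file existed; not proof of execution)"
    si = mft_si_mtime.get(entry["path"])
    matches = None if si is None else (si == entry["ts"])
    exe_name = entry["path"].rsplit("\\", 1)[-1].upper()
    evidence = ["ShimCache (XP execution time)"] if os_version == "xp32" else []
    # Prefetch is a separate data source that does record a run; use it to corroborate.
    evidence += [f"Prefetch last run {p['last_run'].isoformat()}"
                 for p in prefetch if p["exe"] == exe_name]
    return Finding(entry["path"], meaning, matches, evidence)

def executed(finding: Finding) -> bool:
    """True only when at least one artifact actually evidences execution."""
    return bool(finding.execution_evidence)

if __name__ == "__main__":
    for e in SHIMCACHE:
        f = interpret_shimcache(e, "win10", PREFETCH, MFT_SI_MTIME)
        print(f.path, "| executed:", executed(f), "|", f.timestamp_means, "|", f.execution_evidence)
```

On the constructed "win10" host, updater.exe is corroborated by Prefetch while sdelete.exe is only shown to have existed; the same sdelete.exe entry read as "xp32" would count as an execution on its own.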

I hope this is beginning to shine light on the fact that the data sources we very often rely on are actually multidimensional, have context and nuance, and have a number of attributes. For example, some artifacts (constituents of data sources) do not have an indefinite lifetime on the system, and some artifacts are more easily mutable than others. To that point, Joe Slowik wrote an excellent paper last year on Formulating a Robust Pivoting Methodology. On the top of the third page of that paper, Joe refers to IOCs as "compound objects linking multiple observations and context into a single indicator", and I have to say, that is the best, most succinct description I think I've ever seen. The same can be said for indicators found with the various data sources we access during investigations, so the question is, are we fully exploiting those data sources?

...
