Welcome back, aspiring digital forensic investigators!

The world of cybercrime continues to grow every year, and attackers constantly discover new opportunities and techniques to break into systems. One of the most dangerous and well-organized ransomware groups in recent years was Conti. Conti operated almost like a real company, with dedicated teams for developing malware, gaining network access, negotiating with victims, and even providing “customer support” for payments. The group targeted governments, hospitals, corporations, and many other high-value organizations. Their attacks included encrypting systems, stealing data, and demanding extremely high ransom payments.

For investigators, Conti became an important case study because their operations left behind a wide range of forensic evidence from custom malware samples to fast lateral movement and large-scale data theft. Even though the group officially shut down after their internal chats were leaked, many of their operators, tools, and techniques continued to appear in later attacks. This means Conti’s methods still influence modern ransomware operations which makes it a valid topic for forensic investigators.

Today, we are going to look at a ransomware incident involving Conti malware and analyze it with Splunk to understand how an Exchange server was compromised and what actions the attackers performed once inside.

Splunk

Splunk is a platform that collects and analyzes large amounts of machine data, such as logs from servers, applications, and security tools. It turns this raw information into searchable events, graphs, and alerts that help teams understand what is happening across their systems in real time. Companies mainly use Splunk for monitoring, security operations, and troubleshooting issues. Digital forensics teams also use Splunk because it can quickly pull together evidence from many sources and show patterns that would take much longer to find manually.

Time Filter

Splunk’s default time range is the last 24 hours. However, when investigating incidents, especially ransomware, you often need a much wider view. Changing the filter to “All time” helps reveal older activity that may be connected to the attack. Many ransomware operations begin weeks or even months before the final encryption stage. Keep in mind that searching all logs can be heavy on large environments, but in our case this wider view is necessary.

Index

An index in Splunk is like a storage folder where logs of a particular type are placed. For example, Windows Event Logs may go into one index, firewall logs into another, and antivirus logs into a third. When you specify an index in your search, you tell Splunk exactly where to look. But since we are investigating a ransomware incident, we want to search through every available index:

index=*

This ensures that nothing is missed and all logs across the environment are visible to us.

Fields

Fields are pieces of information extracted from each log entry, such as usernames, IP addresses, timestamps, file paths, and event IDs. They make your searches much more precise, allowing you to filter events with expressions like src_ip=10.0.0.5 or user=Administrator. In our case, we want to focus on executable files and that is the “Image”. If you don’t see it in the left pane, click “More fields” and add it.

Once you’ve added it, click Image in the left pane to see the top 10 results. 

These results are definitely not enough to begin our analysis. We can expand the list using top: 

index=* | top limit=100 Image

Here the cmd.exe process running in the Administrator’s user folder looks very suspicious. This is unusual, so we should check it closely. We also see commands like net1, net, whoami, and rundll32.

In one of our articles, we learned that net1 works like net and can be used to avoid detection in PowerShell if the security rules only look for net.exe. The rundll32 command is often used to run DLL files and is commonly misused by attackers. It seems the attacker is using normal system tools to explore the system. It also might be that the hackers used rundll32 to stay in the system longer.

At this point, we can already say the attacker performed reconnaissance and could have used rundll32 for persistence or further execution.

Hashes

Next, let’s investigate the suspicious cmd.exe more closely. Its location alone is a red flag, but checking its hashes will confirm whether it is malicious.

index=* Image="C:\\Users\\Administrator\\Documents\\cmd.exe" | table Image, Hashes

Copy one of the hashes and search for it on VirusTotal.

The results confirm that this file belongs to a Conti ransomware sample. VirusTotal provides helpful behavior analysis and detection labels that support our findings. When investigating, give it a closer look to understand exactly what happened to your system.

Net1

Now let’s see what the attacker did using the net1 command:

index=* Image=*net1.exe

The logs show that a new user was added to the Remote Desktop Users local group. This allows the attacker to log in through RDP on that specific machine. Since this is a local group modification, it affects only that workstation.

In MITRE ATT&CK, this action falls under Persistence. The hackers made sure they could connect to the host even if other credentials were lost. Also, they may have wanted to log in via GUI to explore the system more comfortably.

TargetFilename

This field usually appears in file-related logs, especially Windows Security Logs, Sysmon events, or EDR data. It tells you the exact file path and file name that a process interacted with. This can include files being created, modified, deleted, or accessed. That means we can find files that malware interacted with. If you can’t find the TargetFilename field in the left pane, just add it.

Run:

index=* Image="C:\\Users\\Administrator\\Documents\\cmd.exe"

Then select TargetFilename

We see that the ransomware created many “readme” files with a ransom note. This is common behavior for ransomware to spread notes everywhere. Encrypting data is the last step in attacks like this. We need to figure out how the attacker got into the system and gained high privileges.

Before we do that, let’s see how the ransomware was propagated across the domain:

index=* TargetFileName=*cmd.exe

While unsecapp.exe is a legitimate Microsoft binary. When it appears, it usually means something triggered WMI activity, because Windows launches unsecapp.exe only when a program needs to receive asynchronous WMI callbacks. In our case the ransomware was spread using WMI and infected other hosts where the port was open. This is a very common approach. 

Sysmon Events

Sysmon Event ID 8 indicates a CreateRemoteThread event, meaning one process created a thread inside another. This is a strong sign of malicious activity because attackers use it for process injection, privilege escalation, or credential theft.

List these events:

index=* EventCode=8

Expanding the log reveals another executable interacting with lsass.exe. This is extremely suspicious because lsass.exe stores credentials. Attacking LSASS is a common step for harvesting passwords or hashes.

Another instance of unsecapp.exe being used. It’s not normal to see it accessing lsass.exe. Our best guess here would be that something used WMI, and that WMI activity triggered code running inside unsecapp.exe that ended up touching LSASS. The goal behind it could be to dump LSASS every now and then until the domain admin credentials are found. If the domain admins are not in the Protected Users group, their credentials are stored in the memory of the machine they access. If that machine is compromised, the whole domain is compromised as well.

Exchange Server Compromise

Exchange servers are a popular target for attackers. Over the years, they have suffered from multiple critical vulnerabilities. They also hold high privileges in the domain, making them valuable entry points. In this case, the hackers used the ProxyShell vulnerability chain. The exploit abused the mailbox export function to write a malicious .aspx file (a web shell) to any folder that Exchange can access. Instead of a harmless mailbox export, Exchange unknowingly writes a web shell directly into the FrontEnd web directory. From there, the attacker can execute system commands, upload tools, and create accounts with high privileges.

To find the malicious .aspx file in our logs we should query this:

index=* source=*sysmon* *aspx

We can clearly see that the web shell was placed where Exchange has web-accessible permissions. This webshell was the access point.

Timeline

The attack began when the intruder exploited the ProxyShell vulnerabilities on the Exchange server. By abusing the mailbox export feature, they forced Exchange to write a malicious .aspx web shell into a web-accessible directory. This web shell became their entry point and allowed them to run commands directly on the server with high privileges. After gaining access, the attacker carried out quiet reconnaissance using built-in tools such as cmd.exe, net1, whoami and rundll32. Using net1, the attacker added a new user to the Remote Desktop Users group to maintain persistence and guarantee a backup login method. The attacker then spread the ransomware across the network using WMI. The appearance of unsecapp.exe showed that WMI activity was being used to launch the malware on other hosts. Sysmon Event ID 8 logged remote thread creation where the system binary attempts to access lsass.exe. This suggests the attacker tried to dump credentials from memory. This activity points to a mix of WMI abuse and process injection aimed at obtaining higher privileges, especially domain-level credentials. 

Finally, once the attacker had moved laterally and prepared the environment, the ransomware (cmd.exe) encrypted systems and began creating ransom note files throughout these systems. This marked the last stage of the operation.

Summary

Ransomware is more than just a virus, it’s a carefully planned attack where attackers move through a network quietly before causing damage. In digital forensics we often face these attacks and investigating them means piecing together how it entered the system, what tools it used, which accounts it compromised, and how it spread. Logs, processes, file changes tell part of the story. By following these traces, we understand the attacker’s methods, see where defenses failed, and learn how to prevent future attacks. It’s like reconstructing a crime scene. Sometimes, we might be lucky enough to shut down their entire infrastructure before they can cause more damage.

If you need forensic assistance, you can hire our team to investigate and mitigate incidents. Additionally, we provide classes on digital forensics for those looking to expand their skills and understanding in this field. 

Welcome back, aspiring cyberwarriors!

In today’s highly targeted environment, a well-designed Security Operations Center (SOC) isn’t just an advantage – it’s essential for a business’s survival. In addition to that, the job market has far more jobs on the blue team than the red team. Getting into a SOC is often touted as one of the more accessible entry points into cybersecurity.

This article will delve into some of the key concepts of SOC.

Step #1: Purpose and Components

The core purpose of a Security Operations Center is to detect, analyze, and respond to cyber threats in real time, thereby protecting an organization’s assets, data, and reputation. To achieve this, a SOC continuously monitors logs, alerts, and telemetry from networks, endpoints, and applications, maintaining constant situational awareness.

Detection involves identifying four key security concerns.

Vulnerabilities are weaknesses in software or operating systems that attackers can exploit beyond their authorized permissions. For example, the SOC might find Windows computers needing patches for published vulnerabilities. While not strictly the SOC’s responsibility, unfixed vulnerabilities impact company-wide security.

Unauthorized activity occurs when attackers use compromised credentials to access company systems. Quick detection is important before damage occurs, using clues like geographic location to identify suspicious logins.

Policy violations happen when users break security rules designed to protect the company and ensure compliance. These violations vary by organization but might include downloading pirated media or transmitting confidential files insecurely.

Intrusions involve unauthorized access to systems and networks, such as attackers exploiting web applications or users getting infected through malicious websites.
Once incidents are detected, the SOC supports the incident response process by minimizing impact and conducting root cause analysis alongside the incident response team.

Step #2: Building a Baseline

Before you can detect threats, you must first understand what “normal” looks like in your environment. This is the foundation upon which all SOC operations are built.

Your baseline should include detailed documentation of:

Network Architecture: Map out all network segments, VLANs, DMZs, and trust boundaries. Understanding how data flows through your network is critical for detecting lateral movement and unauthorized access attempts. Document which systems communicate with each other, what protocols they use, and what ports are typically open.

Normal Traffic Patterns: Establish what typical network traffic looks like during different times of day, days of the week, and during special events like month-end processing or quarterly reporting. This includes bandwidth utilization, connection counts, DNS queries, and external communications.

User Behavior Baselines: Document normal user activities, including login times, typical applications accessed, data transfer volumes, and geographic locations. For example, if your accounting department typically logs in between 8 AM and 6 PM local time, a login at 3 AM should trigger an investigation. Similarly, if a user who normally accesses 5-10 files per day suddenly downloads 5,000 files, that’s a deviation worth investigating.

System Performance Metrics: Establish normal CPU usage, memory consumption, disk I/O, and process execution patterns for critical systems. Cryptocurrency miners, rootkits, and other malware often create performance anomalies that stand out when compared against baselines.

Step #3: The Role of People

Despite increasing automation, human oversight remains essential in SOC operations. Security solutions generate numerous alerts that create significant noise. Without human intervention, teams waste time and resources investigating irrelevant issues.

The SOC team operates through a tiered analyst structure with supporting roles.

Level 1 Analysts serve as first responders, performing basic alert triage to determine if detections are genuinely harmful and reporting findings through proper channels. When detections require deeper investigation, Level 2 Analysts correlate data from multiple sources to conduct thorough analysis. Level 3 Analysts are experienced professionals who proactively hunt for threat indicators and lead incident response activities, including containment, eradication, and recovery of critical severity incidents escalated from lower tiers.

Supporting these analysts are Security Engineers who deploy and configure the security solutions the team relies on. Detection Engineers develop the security rules and logic that enable these solutions to identify harmful activities, though Level 2 and 3 Analysts sometimes handle this responsibility. The SOC Manager oversees team processes, provides operational support, and maintains communication with the organization’s CISO regarding security posture and team efforts.

Step # 4: The Detection-to-Response Pipeline

When a potential security incident is detected, every second counts. Your SOC needs clearly defined processes for triaging, investigating, and responding to alerts.

This pipeline typically follows these stages:

Alert Triage: Not all alerts are created equal. Your SOC analysts must quickly determine which alerts represent genuine threats versus false positives. Implement alert enrichment that automatically adds context—such as asset criticality, user risk scores, and threat intelligence—to help analysts prioritize their work. Use a tiered priority system (P1-Critical, P2-High, P3-Medium, P4-Low) based on potential business impact.

Investigation and Analysis: Once an alert is prioritized, analysts must investigate to determine the scope and nature of the incident. This requires access to multiple data sources, forensic tools, and the ability to correlate events across time and systems. Document your investigation procedures for common scenarios (phishing, malware infection, unauthorized access) to ensure consistent and thorough analysis. Every investigation should answer the five Ws: what happened? where it occurred? When did it take place? Why did it happen? And how did it unfold?

Containment and Eradication: When you confirm a security incident, your first priority is containment to prevent further damage. This might involve isolating infected systems, disabling compromised accounts, or blocking malicious network traffic.

Recovery and Remediation: After eradicating the threat, safely restore affected systems to normal operation. This may involve rebuilding compromised systems from clean backups, rotating credentials, patching vulnerabilities, and implementing additional security controls.

Post-Incident Review: Every significant incident should conclude with a lessons-learned session. What went well? What could be improved? Were our playbooks accurate? Did we have the right tools and access? Use these insights to update your procedures, improve your detection capabilities, and refine your security controls.

Step #5: Technology

At a minimum, a functional SOC needs several essential technologies working together:

SIEM Platform: The central nervous system of your SOC that aggregates, correlates, and analyzes security events from across your environment. Popular options include Splunk, for which we offer a dedicated course.

Endpoint Detection and Response (EDR): Provides deep visibility into endpoint activities, detects suspicious behavior, and enables remote investigation and response.

Firewall: A firewall functions purely for network security and acts as a barrier between your internal and external networks (such as the Internet). It monitors incoming and outgoing network traffic and filters any unauthorized traffic.

Besides those core platforms, other security solutions such as antivirus, SOAR, and various niche tools each play distinct roles. Each organization selects technology that matches its specific requirements, so no two SOCs are exactly alike.

Summary

A Security Operations Center (SOC) protects organizations from cyber threats. It watches networks, computers, and applications to find problems like security weaknesses, unauthorized access, rule violations, and intrusions.

A good SOC needs three things: understanding what normal activity looks like, having a skilled team with clear roles, and following a structured process to handle threats. The team works in levels – starting with basic alert checking, then deeper investigation, and finally threat response and recovery.

If you want to get a deep understanding of SIEM and SOC workflow, consider our SOC Analyst Lvl 1 course.

The post Security Operations Center (SOC):Getting Started with SOC first appeared on Hackers Arise.

Welcome back, aspiring forensic and incident response investigators.

Today we are going to learn more about a branch of digital forensics that focuses on networks, which is Network Forensics. This field often contains a wealth of valuable evidence. Even though skilled attackers may evade endpoint controls, active network captures are harder to hide. Many of the attacker’s actions generate traffic that is recorded. Intrusion detection and prevention systems (IDS/IPS) can also surface malicious activity quickly, although not every organization deploys them. In this exercise you will see what can be extracted from IDS/IPS logs and a packet capture during a network forensic analysis.

The incident we will investigate today involved a credential-stuffing attempt followed by exploitation of CVE-2022-25237. The attacker abused an API to run commands and establish persistence. Below are the details and later a timeline of the attack.

Intro

Our subject is a fast-growing startup that uses a business management platform. Documentation for that platform is limited, and the startup administrators have not followed strong security practices. For this exercise we act as the security team. Our objective is to confirm the compromise using network packet captures (PCAP) and exported security logs.

We obtained an archive containing the artifacts needed for the investigation. It includes a .pcap network traffic file and a .json file with security events. Wireshark will be our primary analysis tool.

Analysis

Defining Key IP Addresses

The company suspects its management platform was breached. To identify which platform and which hosts are involved, we start with the pcap file. In Wireshark, view the TCP endpoints from the Statistics menu and sort by packet count to see which IP addresses dominate the capture.

This quickly highlights the IP address 172.31.6.44 as a major recipient of traffic. The traffic to that host uses ports 37022, 8080, 61254, 61255, and 22. Common service associations for these ports are: 8080 for HTTP, 22 for SSH, and 37022 as an arbitrary TCP data port that the environment is using.

When you identify heavy talkers in a capture, export their connection lists and timestamps immediately. That gives you a focused subset to work from and preserves the context of later findings.

Analyzing HTTP Traffic

The port usage suggests the management platform is web-based. Filter HTTP traffic in Wireshark with http.request to inspect client requests. The first notable entry is a GET request whose URL and headers match Bonitasoft’s platform, showing the company uses Bonitasoft for business management.

Below that GET request you can see a series of authentication attempts (POST requests) originating from 156.146.62.213. The login attempts include usernames that reveal the attacker has done corporate OSINT and enumerated staff names.

The credentials used for the attack are not generic wordlist guesses, instead the attacker tries a focused set of credentials. That behavior is consistent with credential stuffing: the attacker uses previously leaked username/password pairs (often from other breaches) and tries them against this service, typically automated and sometimes distributed via a botnet to blend with normal traffic.

A credential-stuffing event alone does not prove a successful compromise. The next step is to check whether any of the login attempts produced a successful authentication. Before doing that, we review the IDS/IPS alerts.

Finding the CVE

To inspect the JSON alert file in a shell environment, format it with jq and then see what’s inside. Here is how you can make the json output easier to read:

bash$ > cat alerts.json | jq .

Obviously, the file will be too big, so we will narrow it down to indicators such as CVE:

bash$ > cat alerts.json | jq .

Security tools often map detected signatures to known CVE identifiers. In our case, alert data and correlation with the observed HTTP requests point to repeated attempts to exploit CVE-2022-25237, a vulnerability affecting Bonita Web 2021.2. The exploit abuses insufficient validation in the RestAPIAuthorizationFilter (or related i18n translation logic). By appending crafted data to a URL, an attacker can reach privileged API endpoints, potentially enabling remote code execution or privilege escalation.

Now we verify whether exploitation actually succeeded.

Exploitation

To find successful authentications, filter responses with:

http.response.code >= 200 and http.response.code < 300 and ip.addr == 172.31.6.44

Among the successful responses, HTTP 204 entries stand out because they are less common than HTTP 200. If we follow the HTTP stream for a 204 response, the request stream shows valid credentials followed immediately by a 204 response and cookie assignment. That means he successfully logged in. This is the point where the attacker moves from probing to interacting with privileged endpoints.

After authenticating, the attacker targets the API to exploit the vulnerability. In the traffic we can see an upload of rce_api_extension.zip, which enables remote code execution. Later this zip file will be deleted to remove unnecessary traces.

Following the upload, we can observe commands executed on the server. The attacker reads /etc/passwd and runs whoami. In the output we see access to sensitive system information.

During a forensic investigation you should extract the uploaded files from the capture or request the original file from the source system (if available). Analyzing the uploaded code is essential to understand the artifact of compromise and to find indicators of lateral movement or backdoors

Persistence

After initial control, attackers typically establish persistence. In this incident, all attacker activity is over HTTP, so we follow subsequent HTTP requests to find persistence mechanisms.

The attacker downloads a script hosted on a paste service (pastes.io), named bx6gcr0et8, which then retrieves another snippet hffgra4unv, appending its output to /home/ubuntu/.ssh/authorized_keys when executed. The attacker restarts SSH to apply the new key.

A few lines below we can see that the first script was executed via bash, completing the persistence setup.

Appending keys to authorized_keys allows SSH access for the attacker’s key pair and doesn’t require a password. It’s a stealthy persistence technique that avoids adding new files that antivirus might flag. In this case the attacker relied on built-in Linux mechanisms rather than installing malware.

When you find modifications to authorized_keys, pull the exact key material from the capture and compare it with known attacker keys or with subsequent SSH connection fingerprints. That helps attribute later logins to this initial persistence action.

Post-Exploitation

Further examination of the pcap shows the server reaching out to Ubuntu repositories to download a .deb package that contains Nmap. 

Shortly after SSH access is obtained, we see traffic from a second IP address, 95.181.232.30, connecting over port 22. Correlating timestamps shows the command to download the .deb package was issued from that SSH session. Once Nmap is present, the attacker performs a port scan of 34.207.150.13.

This sequence, adding an SSH key, then using SSH to install reconnaissance tools and scan other hosts fits a common post-exploitation pattern. Hackers establish persistent access, stage tools, and then enumerate the network for lateral movement opportunities.

During forensic investigations, save the sequence of timestamps that link file downloads, package installation, and scanning activity. Those correlations are important for incident timelines and for identifying which sessions performed which actions.

Timeline

At the start, the attacker attempted credential stuffing against the management server. Successful login occurred with the credentials seb.broom / g0vernm3nt. After authentication, the attacker exploited CVE-2022-25237 in Bonita Web 2021.2 to reach privileged API endpoints and uploaded rce_api_extension.zip. They then executed commands such as whoami and cat /etc/passwd to confirm privileges and enumerate users.

The attacker removed rce_api_extension.zip from the web server to reduce obvious traces. Using pastes.io from IP 138.199.59.221, the attacker executed a bash script that appended data to /home/ubuntu/.ssh/authorized_keys, enabling SSH persistence (MITRE ATT&CK: SSH Authorized Keys, T1098.004). Shortly after persistence was established, an SSH connection from 95.181.232.30 issued commands to download a .deb package containing Nmap. The attacker used Nmap to scan 34.207.150.13 and then terminated the SSH session.

Conclusion

During our network forensics exercise we saw how packet captures and IDS/IPS logs can reveal the flow of a compromise, from credential stuffing, through exploitation of a web-application vulnerability, to command execution and persistence via SSH keys. We practiced using Wireshark to trace HTTP streams, observed credential stuffing in action, and followed the attacker’s persistence mechanism.

Although our class focused on analysis, in real incidents you should always preserve originals and record every artifact with exact timestamps. Create cryptographic hashes of artifacts, maintain a chain of custody, and work only on copies. These steps protect the integrity of evidence and are essential if the incident leads to legal action.

For those of you interested in deepening your digital forensics skills, we will be running a practical SCADA forensics course soon in November. This intensive, hands-on course teaches forensic techniques specific to Industrial Control Systems and SCADA environments showing you how to collect and preserve evidence from PLCs, RTUs, HMIs and engineering workstations, reconstruct attack chains, and identify indicators of compromise in OT networks. Its focus on real-world labs and breach simulations will make your CV stand out. Practical OT/SCADA skills are rare and highly valued, so completing a course like this is definitely going to make your CV stand out. 

We also offer digital forensics services for organizations and individuals. Contact us to discuss your case and which services suit your needs.

Learn more: https://hackersarise.thinkific.com/courses/scada-forensics

The post Network Forensics: Analyzing a Server Compromise (CVE-2022-25237) first appeared on Hackers Arise.

The internet is full of opportunities — but also traps. From fake online shops to phishing pages that mimic your bank, scams are evolving faster than most people can keep up. A single click can mean lost money or stolen data.

The scale of the problem is staggering (source):

• An estimated 3.4 billion phishing emails are sent every day, making up about 1.2% of all global email traffic.
• Google blocks around 100 million phishing emails daily, yet millions still slip through.
• Since the COVID-19 pandemic, phishing attacks have more than doubled in frequency.
• Phishing sites increased from 110,000 in 2019 to over 1 million in 2024 — and the trend is still rising.

With the help of AI, scams now look more realistic than ever. Professional-looking sites, convincing emails, and manipulative tactics make it harder than ever to know who to trust. That’s why reliable resources for checking websites before you interact with them are essential.

That’s where ScamRaven comes in.

What is ScamRaven?

ScamRaven.com publishes human-verified scam reports. Instead of relying only on automated scans or blacklists, ScamRaven investigates suspicious domains, checks technical signals, reviews their content, and cross-references public feedback.

The result is a detailed, structured report that anyone can read before deciding whether to trust a site. Each report includes:

• Technical background
• Content analysis
• Public feedback
• A final verdict — Scam, Suspicious, or Legitimate

How is this different than other scanners?

Most “scam checkers” act like instant virus scans: type in a URL, and they return a one-line safe/unsafe label. While fast, these tools often miss newer or more sophisticated scams. ScamRaven takes a different approach:

• Manual verification — every report is reviewed and validated by humans, not just automated filters.
• Evidence-based — reports include screenshots, technical traces, and links to external discussions.
• Transparency — all reports are archived and searchable, so users can check history and patterns.

In short: ScamRaven values accuracy and trust over speed.

Why it matters

Scams are getting more professional every year. Many sites look polished, copy real brands, and advertise aggressively on social media. With phishing attacks rising 150% year-over-year from 2019 to 2022 — and still climbing — gut feeling is no longer enough.

By combining automation, AI, and community input, ScamRaven makes scam detection accessible to everyone, not just cybersecurity experts.

---

Before you buy from an unfamiliar shop or click a suspicious link, make it a habit to check ScamRaven first. If a report exists, you’ll see clear evidence to help you decide whether to proceed or steer clear. Safer browsing starts with trusted information.

ScamRaven is currently in beta, with a public scanner in development — but the reports are already available for anyone who wants to browse smarter and stay safer.

The post How to Trust a Website: Scam Raven for Safer Browsing appeared first on Bug Hacking.

Welcome back, aspiring forensic investigators!

Today, we continue our exploration of digital forensics with a hands-on case study. So far, we have laid the groundwork for understanding forensic principles, but now it’s time to put theory into practice. Today we will analyze a malicious USB drive, a common vector for delivering payloads, and walk through how forensic analysts dissect its components to uncover potential threats.

USB drives remain a popular attack vector because they exploit human curiosity and trust. Often, the most challenging stage of the cyber kill chain is delivering the payload to the target. Many users are cautious about downloading unknown files from the internet, but physical media like USB drives can bypass that hesitation. Who wouldn’t be happy with a free USB? As illustrated in Mr. Robot, an attacker may drop USB drives in a public place, hoping someone curious will pick them up and plug them in. Once connected, the payload can execute automatically or rely on the victim opening a document. While this is a simple strategy, curiosity remains a powerful motivator, which hackers exploit consistently. 

(Read more: https://hackers-arise.com/mr-robot-hacks-how-elliot-hacked-the-prison/)

Forensic investigation of such incidents is important. When a USB drive is plugged into a system, changes may happen immediately, sometimes leaving traces that are difficult to detect or revert. Understanding the exact mechanics of these changes helps us reconstruct events, assess damage, and develop mitigation strategies. Today, we’ll see how an autorun-enabled USB and a malicious PDF can compromise a system, and how analysts dissect such threats.

Analyzing USB Files

Our investigation begins by extracting the files from the USB drive. While there are multiple methods for acquiring data from a device in digital forensics, this case uses a straightforward approach for demonstration purposes.

After extraction, we identify two key files: a PDF document and an autorun configuration file. Let’s learn something about each.

Autorun

The autorun file represents a legacy technique, often used as a fallback mechanism for older systems. Windows versions prior to Windows 7 frequently executed instructions embedded in autorun files automatically. In this case, the file defines which document to open and even sets an icon to make the file appear legitimate.

On modern Windows systems, autorun functionality is disabled by default, but the attacker likely counted on human curiosity to ensure the document would still be opened. Although outdated, this method remains effective in environments where older systems persist, which are common in government and corporate networks with strict financial or operational constraints. Even today, autorun files can serve as a backup plan to increase the likelihood of infection.

PDF Analysis

Next, we analyze the PDF. Before opening the file, it is important to verify that it is indeed a PDF and not a disguised executable. Magic bytes, which are unique identifiers at the beginning of a file, help us confirm its type. Although these bytes can be manipulated, altering them may break the functionality of the file. This technique is often seen in webshell uploads, where attackers attempt to bypass file type filters.

To inspect the magic bytes:

bash$ > xxd README.pdf | head

In this case, the file is a valid PDF. Opening it appears benign initially, allowing us to read its contents without immediate suspicion. However, a forensic investigation cannot stop at surface-level observation. We will proceed with checking the MD5 hash of it against malware databases:

bash$ > md5sum README.pdf

VirusTotal and similar services confirm the file contains malware. At this stage, a non-specialist might consider the investigation complete, but forensic analysts need a deeper understanding of the file’s behavior once executed.

Dynamic Behavior Analysis

Forensic laboratories provide tools to safely observe malware behavior. Platforms like AnyRun allow analysts to simulate the malware execution and capture detailed reports, including screenshots, spawned processes, and network activity.

Key observations in this case include multiple instances of msiexec.exe. While this could indicate an Adobe Acrobat update or repair routine, we need to analyze this more thoroughly. Malicious PDFs often exploit vulnerabilities in Acrobat to execute additional code.

Next we go to AnyRun and get the behavior graph. We can see child processes such as rdrcef.exe spawned immediately upon opening.

Hybrid Analysis reveals that the PDF contains an embedded JavaScript stream utilizing this.exportDataObject(...). This function allows the document to silently extract and save embedded files. The file also defines a /Launch action referencing Windows command execution and system paths, including cmd /C and environment variables such as %HOMEDRIVE%%HOMEPATH%.

The script attempts to navigate into multiple user directories in both English and Spanish, such as Desktop, My Documents, Documents, Escritorio, Mis Documentos, before executing the payload README.pdf. Such malware could be designed to operate across North and South American systems. At this stage the malware acts as a dropper duplicating itself.

Summary

In our case study we demonstrated how effective USB drives can be to deliver malware. Despite modern mitigations such as disabled autorun functionality, human behavior, especially curiosity and greed remain a key vulnerability.  Attackers adapt by combining old strategies with new mechanisms such as embedded JavaScript and environment-specific paths. Dynamic behavior analysis, supported by platforms like AnyRun, allows us to visualize these threats in action and understand their system-level impact. 

To stay safe, be careful with unknown USB drives and view unfamiliar PDF files in a browser or in the cloud with JavaScript blocked in settings. Dynamic behavior analysis from platforms like AnyRun, VirusTotal and Hybrid Analysis helps us to visualize these threats in action and understand their system-level impact.

If you need forensic assistance, we offer professional services to help investigate and mitigate incidents. Additionally, we provide classes on digital forensics for those looking to expand their skills and understanding in this field.

The post Digital Forensics: Analyzing a USB Flash Drive for Malicious Content first appeared on Hackers Arise.

Welcome, aspiring forensic investigators!

Welcome to the new Digital Forensics module. In this guide we introduce digital forensics, outline the main phases of a forensic investigation, and survey a large set of tools you’ll commonly meet. Think of this as a practical map: the article briefly covers the process and analysis stages and points to tools you can use depending on your objectives. Later in the course we’ll dig deeper into Windows and Linux artifacts and show how to apply the most common tools to real cases.

Digital forensics is growing fast because cyber incidents are happening every day. Budget limits, legacy systems, and weak segmentation leave many organizations exposed. AI and automation make attacks easier and fasterю. Human mistakes, especially successful phishing, remain a top cause of breaches. When prevention fails, digital forensics helps answer what happened, how it happened, and what to do next. It’s a mix of technical skills, careful procedure, and clear reporting.

What is Digital Forensics?

Digital forensics (also called computer forensics or cyber forensics) is the discipline of collecting, preserving, analyzing, and presenting digital evidence from computers, servers, mobile devices, networks, and storage media. It grew from early law-enforcement needs in the 1980s into a mature field in the 1990s and beyond, as cybercrime increased and investigators developed repeatable methods.

Digital forensics supports incident response, fraud investigations, data recovery, and threat hunting. The goals are to reconstruct timelines, identify malicious activity, measure impact, and produce evidence suitable for legal, regulatory, or incident-response use.

Main Fields Inside Digital Forensics

Digital forensics branches into several focused areas. Each requires different tools and approaches.

Computer forensics

Focuses on artifacts from a single machine: RAM, disk images, the Windows registry, system logs, file metadata, deleted files, and local application data. The aim is to recreate what a user or a piece of malware did on that host.

Network forensics

Covers packet captures, flow records, and logs from routers, firewalls and proxies. Analysts use network data to trace communications, find command-and-control channels, spot data exfiltration, and follow attacker movement across infrastructure.

Forensic data analysis

Deals with parsing and interpreting files, database contents, and binary data left after an intrusion. It includes reverse engineering malware fragments, reconstructing corrupted files, and extracting meaningful information from raw or partially damaged data.

Mobile device forensics

Targets smartphones and tablets. Android and iOS store data differently from desktops, so investigators use specialized methods to extract messages, app data, calling records, and geolocation artifacts.

Hardware forensics

The most specialized area: low-level analysis of firmware, microcontrollers, and embedded devices. This work may involve extracting firmware from chips, analyzing device internals, or studying custom hardware behavior (for example, the firmware of an IoT transmitter or a skimmer installed on an ATM).

Methods and approaches

Digital forensics work generally falls into two modes: static (offline) analysis and live (in-place) analysis. Both are valid. The choice depends on goals and constraints.

Static analysis

The traditional workflow. Investigators take the device offline, build a bit-for-bit forensic image, and analyze copies in a lab. Static analysis is ideal for deep disk work: carving deleted files, examining file system metadata, and creating a defensible chain of custody for evidence.

Live analysis

Used when volatile data matters or when the system cannot be taken offline. Live techniques capture RAM contents, running processes, open network connections, and credentials kept in memory. Live collection gives access to transient artifacts that vanish on reboot, but it requires careful documentation to avoid altering evidence.

Live vs Static

Static work preserves the exact state of disk data and is easier to reproduce. Live work captures volatile evidence that static imaging cannot. Modern incidents often need both. They start with live capture to preserve RAM and active state, then create static images for deeper analysis.

The forensic process

1. Create a forensic image

Make a bit-for-bit copy of storage or memory. Work on the copy. Never change the original.

2. Document the system’s state

Record running processes, network connections, logged-in users, system time, and any other volatile details before power-down.

3. Identify and preserve evidence

Locate files, logs, configurations, memory dumps, and external devices. Preserve them with hashes and a clear chain of custody.

4. Analyze the evidence

Use appropriate tools to inspect logs, binaries, file systems, and memory. Look for malware artifacts, unauthorized accounts, and modified system components.

5. Timeline analysis

Correlate timestamps across artifacts to reconstruct the sequence of events and show how an incident unfolded.

6. Identify indicators of compromise (IOCs)

Extract file hashes, IP addresses, domains, registry keys, and behavioral signatures that indicate malicious activity.

7. Report and document

Produce a clear, well-documented report describing methods, findings, conclusions, and recommended next steps.

Toolset Overview

Below is a compact reference to common tools grouped by purpose. Later modules will show hands-on use for Windows and Linux artifacts.

Imaging and acquisition

FTK Imager — Windows tool for creating forensic copies and basic preview.

dc3dd / dcfldd — Forensic versions of dd with improved logging and hashing.

Guymager — Fast, reliable imaging with a GUI.

DumpIt / Magnet RAM Capture — Simple, effective RAM capture utilities.

Live RAM Capturer — For memory collection from live systems.

Image mounting and processing

Imagemounter — Mount images for read-only analysis.

Libewf — Support for EnCase Evidence File format.

Xmount — Convert and remap image formats for flexible analysis.

File and binary analysis

HxD / wxHexEditor / Synalyze It! — Hex editors for direct file and binary inspection.

Bstrings — Search binary images with regex for hidden strings.

Bulk_extractor — Extract emails, credit card numbers, and artifacts from disk images.

PhotoRec — File carving and deleted file recovery.

Memory and process analysis

Volatility / Rekall — Industry standard frameworks for memory analysis and artifact extraction.

Memoryze — RAM analysis, including swap and process memory.

KeeFarce — Extracts KeePass data from memory snapshots.

Network and browser forensics

Wireshark — Packet capture and deep protocol analysis.

SiLK — Scalable flow collection and analysis for large networks.

NetworkMiner — Passive network forensics that rebuilds sessions and files.

Hindsight / chrome-url-dumper — Recover browser history and user activity from Chrome artifacts.

Mail and messaging analysis

PST/OST/EDB Viewers — Tools to inspect Exchange and Outlook data files offline.

Mail Viewer — Supports multiple mailstore formats for quick inspection.

Disk and filesystem utilities

The Sleuth Kit / Autopsy — Open-source forensic platform for disk analysis and timeline creation.

Digital Forensics Framework — Modular platform for file and system analysis.

Specialized extraction and searching

FastIR Collector — Collects live forensic artifacts from Windows hosts quickly.

FRED — Registry analysis and parsing.

NTFS USN Journal Parser / RecuperaBit — Recover change history and reconstruct deleted/changed files.

Evidence processing and reporting

EnCase — Commercial suite for imaging, analysis, and court-ready reporting.

Oxygen Forensic Detective — Strong platform for mobile device extraction and cloud artifact analysis.

Practical notes and best practices

a) Preserve original evidence. Always work with verified copies and record cryptographic hashes.

b) Capture volatile data early. RAM and live state can vanish on reboot. Prioritize their collection when necessary.

c) Keep clear records. Document every action, including tools and versions, timestamps, and the chain of custody.

d) Match tools to goals. Use lightweight tools for quick triage and more powerful suites for deep dives.

e) Plan for scalability. Network forensics can generate huge data sets. Prepare storage and filtering strategies ahead of time.

Summary

We introduced digital forensics and laid out the main concepts you’ll need to start practical work: the different forensic disciplines, the distinction between live and static analysis, a concise process checklist, and a broad toolset organized by purpose. Digital forensics sits at the intersection of incident response, threat intelligence, and legal evidence collection. The methods and tools presented here form a foundation. In later lessons we’ll work through hands-on examples for Windows and Linux artifacts, demonstrate key tools in action, and show how to build timelines and extract actionable IOCs. 

Keep in mind that good forensic work is disciplined, repeatable, and well documented. That’s what makes the evidence useful and the investigation reliable.

If you need forensic assistance, we offer professional services to help investigate and mitigate incidents. Additionally, we provide classes on digital forensics for those looking to expand their skills and understanding in this field.

The post Digital Forensics: Getting Started Becoming a Forensics Investigator first appeared on Hackers Arise.

Proximity access cards have been a popular target for hackers. These key cards allow a hacker to clone, replicate, or produce a copy of the original card without the user’s knowledge. When the clone has been activated, they will have access to a facility. These cards are very popular choice for the physical access. And that’s for a reason – it is cheap to buy them, and easy to use. We have some of best access card readers for ethical hackers on the article, so keep reading to find out.

Now, a random thief shouldn’t be able to manually clone proximity access cards. This is a pretty technical process that requires knowledge, and tools. However, just like there are many other hacking tools, cloning/reading devices are being available for buy.

Card cloning became a thriving industry because to these low-cost, easy-to-use gadgets.

What Are the RFID Cards?

A magnetic card reader is a piece of hardware that reads the information recorded on the magnetic stripe found on the back of a plastic badge or identification card. Credit, debit, or any other kind of card may be used to make these badges.

An embedded code is found on the back of these cards, and with the aid of the magnets that are integrated in the hardware device, a magnet card reader is able to read these codes and therefore allow the card to be accessible. The gadget is intended to lower the amount of effort required by the user while simultaneously saving time. Because of these readers, there is no longer any need to manually input data, and you can just swipe the card into the reader to have access to the information. They are used by ethical hackers to carry out physical penetration testing.

Can RFID cards can be cloned by hackers?

Because proximity access cards just include a password, they are very simple to duplicate. Unlike a bank card, which stores PIN numbers within, these devices store them outside? It may be difficult to keep up with all of the new developments and technology in the security sector. There are two common technologies that you may not have realized are integrated in our daily lives, ranging from hotel access control to car parks to logistics, so let’s have a look. While these two phrases are commonly used interchangeably, there are some crucial differences and uses that we’ll examine in this article.

To clone a proximity access card using a duplicating machine, you must bring the reader as near as possible to the targeted card. This is how it is easy to clone a RFID card.

The cloning (i.e. copying) of an RFID card without the user’s knowledge is another common attack method used by attackers to defeat RFID access systems. If an RFID card can be cloned without physical access, the attacker has succeeded. An attacker can, in fact, use off-the-shelf components to read an RFID card’s encoded data and then write the data to a blank compatible RFID card several feet away. Large RFID readers used in parking garages and other places where a user cannot get close to the card scanner to scan their card are frequently the source of these cloning devices.

It is possible for an attacker to use one of these low-cost cloning devices as they walk past a worker on the street or in a coffee shop. At your facility, the cloned data from an attacker’s RFID card can be used to gain access to your property. In the workplace, it is generally preferable for employees to wear their RFID card in the open, as it can reveal their identity at times. There are a few ways to protect against a long-range cloning attack in the workplace, including:

• RFID cards should not be used to access personal identification information, such as a photo ID. RFID-blocking sleeves or wallets can be used to keep an employee’s identification safe while they work.

• Employees should wear their credentials above their waist, such as a lapel clip, if the RFID card’s identification details cannot be separated from the card. As a result of this, it is more likely that an employee will notice someone attempting to clone the employee’s card.

RFID card protection is significantly more difficult in public places or while employees are out for lunch than it is in the office, where employees are more likely to notice suspicious activity. Workers should keep their cards in a secure location (e.g., in their vehicle) so that they are out of harm’s way from potential attackers. Employees who cannot leave their badges in a safe place should use an RFID blocking sleeve.

Best RFID Card Readers for Ethical Hackers

If you are a professional penetration tester, there is a chance you have to perform a physical penetration testing. Your main goal might be to get into the office. After having an access, you then can perform other objectives, such as getting the sensitive information, or reaching restricted area. And this can be made by using the correct tools. In this case – best magnetic stripe RFID card copiers for ethical hackers.

MSR90 USB Swipe Magnetic Credit Card Reader

This is one of the best selling card readers for ethical hackers on Amazon. It is really simple to use it, and it also can be connected to the PC via USB.

With the reader you can read up to 3 tracks of information, it supports the most popular card data formats, such as AAMVA, CA DMV, ISO7811. The reader has LED indicator that shows the current state of the reader.

The minimalist design and simple usage are definitely good features of the product However, the core features makes the device a perfect fit. It has the bi-directional swipe reading, superior reading of high hitter, and the device supports up to 1 000 000 card swipes.

Deftun Bluetooth MSR-X6(BT) MSRX6BT Magnetic Stripe Card Reader

While the price of this one is on the high end, it is really worth the money. This is considered being as the world’s only wireless Bluetooth magnetic stripe credit card reader. The best hing about it is that it is small and portable.

It has three tracks, and has read, write, and erase functions. Just like the other readers, it has a LED indicator that shows the current phase of the card reading. Deftun Bluetooth MSR-X6 also supports the ISO 7811-6 standard.

Another great feature of this access card reader, is that it can be used on different platforms: Windows, Android, Mac, iPhone, and iPad. There is a special application that helps to communicate with the device. However, while for the PCs it is free, if you want to have it on your Android on iOS device, you have to pay extra.

The reader comes with 20 blank magnetic cards that you can use for experimenting.

ETEKJOY USB 3-Track Magnetic Stripe Card Reader POS Credit Card Reader Swiper MagStripe Swipe Card Reader ET-MSR90

This is another affordable access card reader that suits the goal of cloning RFID cards, perfectly. It has the USB interface and is being detected as a keyboard. You do not need to use any additional software.

ETEKJOY reader reads data from three tracks, supports ISO7811, AAMVA, CA DMV and other widely used magnetic card data formats.

It can be used on almost any platform. All you need to have is the USB port, and you will be able to control the device from Windows, Mac, or other OS.

MSR605 & 206 Magnetic Card Reader

While more expensive that the most basic access card readers, MSR605 is a high quality reader that will last long. It support different OS, and the software of the reader is even backward compatible with operating systems, such as Windows 98, Me, XP, or Vista.

The reader is capable of writing data to all 3 tracks. The device has single direction swipe. It also comes with 20 blank cards.

OSAYDE PRO USB Silver Magnetic Credit Card Reader Writer Encoder

OSAYDE Pro, as the name implies, is the reader for professional usage. While it surely can be used if you are a hobbyist, if you are a pentester and looking for a best access card reader for ethical hackers, this one is surely way to go.

The device has a high-grade design, and has the main functions. You can easily manipulated with the data in the card: write, rewrite, erase, copy, compare, write to/from file, setup and change password.

The software supports most of the Windows distributions, including the legacy Windows 98, Me, and XP. It also does not have any problem working with the newest Windows versions.

As this is a high-end product it also has built-in over voltage, over current, leakage, short circuit, and anti-interference protection module inside. The reader can be used for 1 000 000 swipes.

Keep in mind that the software works on Windows only, so you might have trouble on Linux and macOS.

How Does the RFID Cards Work and Where Are These Cards Used?

Many contactless smart cards employ radio frequency identification technology (RFID). RFID Cards have a chip built right into them to save all of your personal and financial information. Microprocessor or comparable intelligence and internal memory are built in to the chip. Added security is provided via an antenna built inside the card’s plastic shell. For communication between the reader and the card, RFID induction technology is used. At a distance of less than four inches, this RFID technology is effective. As a result, the card has to be kept as close to the reader as possible. There are antennas placed in the reader and the card that interact with each other utilizing radio waves.

There is no way for a non-certified RFID reader to read the data on an RFID smart card, making them safe. In order to decrypt data stored on a card, the reader program would need access to the card’s secret keys. Attempts to access data on the chip may be prevented if the encryption keys do not match. Similarly, the card and reader’s communication may be encrypted. For example, a user’s application may dictate the degree of security. An authorized user with access to the card’s keys may write data to its smart card memory only with their consent.

Most people utilize RFID technology in their daily lives without even realizing it. Today, we’re going to look at some examples of where it may be found. You may be amazed at how many times you use RFID technology in your daily life.

• Item level inventory Tracking

A wide range of businesses may benefit from item-level asset tracking, but the retail industry offers the greatest potential for RFID adoption.

• Asset management

Today’s most contemporary and productive firms are adopting RFID technology to automate the tracking of their valuable assets. There are various issues with manual tracking that may be avoided using RFID systems. When things are tracked using a radio-frequency identification (RFID) system, they are more secure and accurate.

• WAREHOUSES AND Inventories

The primary goal of using RFID in warehouses is to reduce labor and logistical expenses while increasing warehouse efficiency. Similarly, a precise inventory of items with all kinds of information, such as size, quality, country, and so on, can be obtained promptly. The need for costly and imprecise physical inventory counts has passed. This saves you money and time.

• ANIMAL IDENTIFICATION WORKS

RFID tagging animals is an essential tool for a farmer in order to identify each animal with its origin, lineage, medical data, and other relevant information..” Additionally, with the aid of software, it is possible to maintain the information up to date by uploading fresh data, such as veterinarian appointments.

• SURGERIES

A hospital’s inventory, access control, personnel and patients’ tracking and tracking tools, disposable consumables and large/expensive equipment are some of the most prevalent RFID uses.

How to Prevent RFID Hacking?

There are many best access readers for ethical hackers, however, not always they are being used for ethical reasons. Hence, how can you prevent RFID signals from being picked up? Metal and water are the most effective ways to block radio signals to and from your RFID chip, respectively. The RFID tag can no longer be read if this signal is blocked.

• Equip your wallet and pocket to stop RFID signals

Aluminum foil can be used to block RFID signals at a low cost. A wallet blocker you make at home can be as simple as a wad of foil or cardboard. Aluminum foil, on the other hand, does not completely block the signal, and it will eventually wear out. Because of this, it’s a bad idea.

There are even RFID protected wallets that might be used to protect your card from cloning. For example:

Zitahli Wallet for Men Slim Larger Capacity with 20 slots:

TNevertheless, an RFID wallet does not guarantee that your card will be safe from fraud. If you’re irresponsible and lose the card, an ATM skimmer may still obtain your personal information. In other words, even if you have an RFID-blocking wallet, you should keep up your excellent credit card security habits.

• Double check your RFID security

It’s also possible to make sure your security strategy doesn’t solely rely on RFID. Your credit card company, for example, may be able to block RFID-only purchases on your card. It’s unlikely that your card would be stolen even if the RFID tag was cloned. If your workplace relies on RFID door passes, for example, you need put in place an additional, more powerful security mechanism.

Consider building your own RFID reader and using it to check your home on a regular basis to see what is readable and how well your RFID security is functioning if you are worried about being tracked by RFID. Periodic sweeps to check for changes are an option for the very paranoid.

For taking care of your belongings, a great choice is to use a faraday cage, that block the RF signals.

• Defending Yourself against Invisible Threats

RFID, as demonstrated by hackers, is not impenetrable. There are inexpensive methods to create a scanner, which may then be used to scan tags for sensitive data. If you’re concerned about this kind of assault, it’s still important to learn how to protect yourself in the event that it does happen.

Always remain vigilant about your access cards. If a suspicious person is trying to get next to your card, make sure you do not let him to get a low hanging fruit and clone it. The access card reader might be in his bag, and all it takes to clone your card, is to get near you.

Final Words

If you are a pentester, we hope that our list of the best access card readers for ethical hackers helped you to find the best one for you. Everyone, from hobbyist, to a professional ethical hacker might choose the reader suiting their needs. After all, the best reader is the one that can be used for writing/reading data. Every other function is extra.

And if you are using RFID cards, you might take the necessary precautions. Despite the fact that you don’t anticipate individuals to leave their access cards hanging from their back pockets, a motivated thief and a negligent keycard bearer are all that is needed.

The post Best Access Card Readers for Ethical Hackers appeared first on Bug Hacking.