
Building a Microscope without Lenses

4 December 2025 at 22:00
A mirrorless camera is mounted on a stand, facing downwards toward a rotating microscope stage made of wood. A pair of wires come down from the stage, and a man's hand is pointing to the stage.

It’s relatively easy to understand how optical microscopes work at low magnifications: one lens magnifies an image, the next magnifies the already-magnified image, and so on until it reaches the eye or sensor. At high magnifications, however, that model starts to fail when the feature size of the specimen nears the optical system’s diffraction limit. In a recent video, [xoreaxeax] built a simple microscope, then designed another microscope to overcome the diffraction limit without lenses or mirrors (the video is in German, but with automatic English subtitles).

The first part of the video goes over how lenses work and how they can be combined to magnify images. The first microscope was made out of camera lenses, and could resolve onion cells. The shorter the focal length of the objective lens, the stronger the magnification is, and a spherical lens gives the shortest focal length. [xoreaxeax] therefore made one by melting a bit of soda-lime glass with a torch. The picture it gave was indistinct, but highly magnified.

A roughly rectangular red pattern is shown, with brighter streaks converging toward the center.
A cross section of the diffraction pattern of a laser diode shining through a pinhole, built up from images at different focal distances.

Besides the dodgy lens quality given by melting a shard of glass, at such high magnification some of the indistinctness was caused by the specimen acting as a diffraction grating and directing some light away from the objective lens. [xoreaxeax] visualized this by taking a series of pictures of a laser shining through a pinhole at different focal lengths, thus getting cross sections of the light field emanating from the pinhole. When repeating the procedure with a section of onion skin, it became apparent that diffraction was strongly scattering the light, which meant that some light was being diffracted out of the lens’s field of view, causing detail to be lost.

To recover the lost details, [xoreaxeax] eliminated the lenses and simply captured the interference pattern produced by passing light through the sample, then wrote a ptychography algorithm to reconstruct the original structure from the interference pattern. This required many images of the subject under different lighting conditions, which a rotating illumination stage provided. The algorithm was eventually able to recover a sort of image of the onion cells, but it was less than distinct. The fact that the lens-free setup was able to produce any image at all is nonetheless impressive.

To see another approach to ptychography, check out [Ben Krasnow’s] approach to increasing microscope resolution. With an electron microscope, ptychography can even image individual atoms.

Bitcoin Price Plunges 8% to $84,000 as December Opens With More Market Jitters

1 December 2025 at 09:42

Bitcoin Magazine

Bitcoin Price Plunges 8% to $84,000 as December Opens With More Market Jitters

Bitcoin price fell sharply to the mid-$84,000s early Monday, sliding 8% over the past 24 hours as a wave of macro anxiety, thin liquidity and fresh crypto-native stress hit markets simultaneously.

The world’s largest digital asset traded between a 24-hour high of $91,866 and a low of $84,722, extending a two-month drawdown that has now erased more than 30% from October’s record highs, according to Bitcoin Magazine Pro data.

The downturn marks a swift reversal from last week’s tentative recovery. After plunging below $81,000 on Nov. 21, the Bitcoin price steadily climbed into the end of November and briefly pushed above $92,500 during Black Friday’s morning session.

But momentum reversed again Sunday evening, with BTC slipping back below $85,000 early Monday. At the time of writing, the bitcoin price is $86,469.

Why is Bitcoin price dipping?

Multiple forces might be behind the renewed selloff. The most immediate shock could be from a security incident at Yearn Finance, where a flaw in the protocol’s yETH pool allowed an attacker to mint an abnormally large amount of tokens.

The exploit flooded the pool with invalid supply and triggered a rush for the exits across DeFi, spilling over into majors like BTC and ETH.

But macro pressure has been building in parallel. A sharp spike in Japanese government bond yields, part of a broader global repricing of interest-rate expectations, sparked a risk-off move in Asia trading hours, hitting an already fragile, low-volume crypto market.

Comments from Bank of Japan Governor Kazuo Ueda signaled the possibility of a December rate hike, an event that would be Japan’s first move away from negative interest rate policy in years.

The remarks sent Japan’s 30-, 10-, and 2-year government bond yields to their highest levels since 2008. A stronger yen could force hedge funds that borrow cheaply in Japan to unwind carry trades, adding fresh pressure to bitcoin and other risk assets.

According to 10x Research, last week marked one of the lowest-liquidity stretches since July, leaving order books thin and amplifying the impact of institutional selling.

The result was a deeper drawdown than fundamentals alone might suggest. Bitcoin’s market depth evaporated over the weekend, turning what might have been a modest correction into a full-scale liquidity event.

More than 220,000 traders were liquidated over 24 hours, with total losses exceeding $630 million.

The derivatives picture underscores the imbalance: Bitcoin price futures open interest fell by $1.1 billion leading into the decline, suggesting traders had already started de-risking.

Monetary policy uncertainty remains at the center of investors’ anxiety. Markets now assign an 80%–87% probability that the Federal Reserve will cut rates by 25 basis points at its Dec. 9–10 meeting.

Rate cuts would be supportive for the Bitcoin price, boosting liquidity and risk appetite. But if the Fed opts to hold steady, traders fear a sharper unwind across risk assets.

Corporate developments added another wrinkle. Strategy Inc. (formerly MicroStrategy) said Monday it created a $1.4 billion reserve, funded by common-stock sales, to cover at least 21 months of preferred-stock dividend payments amid Bitcoin’s slide.

The company, which now holds 650,000 BTC, also reported purchasing another 130 BTC last week for $11.7 million.

Last week, fresh disclosures showed BlackRock ramping up its exposure to its own spot Bitcoin ETF while JPMorgan rolled out a high-stakes structured note tied to the fund.

Bitcoin price briefly dipped to $86,129 before rebounding above $90,300 amid ongoing Q4 volatility. BlackRock’s Strategic Income Opportunities Portfolio now holds 2.39 million IBIT shares worth $155.8 million, up 14% from June, signaling deeper internal allocation to BTC-linked assets.

Meanwhile, JPMorgan’s new derivative-style note lets institutions bet on IBIT’s future price, offering a 16% fixed return if targets are met next year, and up to 1.5x upside by 2028 if Bitcoin surges.

At the time of writing, the bitcoin price is rebounding up to $86,469.


This post Bitcoin Price Plunges 8% to $84,000 as December Opens With More Market Jitters first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Digital Forensics: Investigating a Cyberattack with Autopsy

12 November 2025 at 09:26

Welcome back, aspiring digital forensics investigators!


In the previous article we introduced Autopsy and noted its wide adoption by law enforcement, federal agencies and other investigative teams. Autopsy is a forensic platform built on The Sleuth Kit and maintained by commercial and community contributors, including the Department of Homeland Security. It packages many common forensic functions into one interface and automates many of the repetitive tasks you would otherwise perform manually.

Today, let’s focus on Autopsy and how we can investigate a simple case with the help of this app. We will skip the basics, as we have covered them previously.

Analysis

Artifacts and Evidence Handling

Start from the files you are given. In this walkthrough we received an E01 file, which is the EnCase evidence file format. An E01 is a forensic image container that stores a sector-by-sector copy of a drive together with case metadata, checksums and optional compression or segmentation. It is a common format in forensic workflows and preserves the information needed to verify later that an image has not been altered.

[Image: the evidence files processed by Autopsy]

Before any analysis begins, confirm that your working copy matches the original by comparing hash values. Tools used to create forensic images, such as FTK Imager, normally generate a short text report in the same folder that lists the image metadata and hashes you can use for verification.

[Image: the hashes generated by FTK Imager]

Autopsy also displays the same hash values once the image is loaded. To see them, select the Data Source and view the Summary in the results pane to confirm checksums and metadata.
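As an added example (not part of the original article), the following Python script performs the hash check just described: it reads an image in chunks, computes every digest the acquisition report lists, and refuses to declare a match unless all of them agree. The report excerpt and the three-byte "image" are constructed stand-ins; the report layout is only modelled on an imager's text summary and is not copied from FTK Imager output.

```python
import hashlib
import re

# Constructed stand-in for an acquired image; a real one would be streamed from disk
# with iter_file_chunks() below.
IMAGE_BYTES = b"abc"

# Constructed excerpt modelled on an imager's text summary (not real FTK Imager output).
REPORT_TEXT = """\
[Computed Hashes]
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72 : verified
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d : verified
"""

EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HASH_LINE_RE = re.compile(r"\b(MD5|SHA1|SHA256)\s+checksum:\s*([0-9a-fA-F]+)", re.IGNORECASE)


def parse_report_hashes(text):
    """Return {algorithm: hex digest} from the report. A digest of the wrong length is an
    error, not a silent non-match, so a truncated report cannot 'verify' by accident."""
    found = {}
    for alg, digest in HASH_LINE_RE.findall(text):
        alg, digest = alg.lower(), digest.lower()
        if len(digest) != EXPECTED_HEX_LEN[alg]:
            raise ValueError(f"{alg} digest in report has length {len(digest)}")
        found[alg] = digest
    return found


def iter_file_chunks(path, size=1024 * 1024):
    """Stream a file in fixed-size chunks so multi-GB images never sit in memory at once."""
    with open(path, "rb") as f:
        while chunk := f.read(size):
            yield chunk


def hash_stream(chunks, algorithms):
    """Feed a single pass over the data to every requested hasher."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_image(chunks, report_text):
    """Return (ok, details); details maps algorithm -> (expected, actual).
    ok is True only when every hash the report lists matches the data."""
    expected = parse_report_hashes(report_text)
    if not expected:
        raise ValueError("report lists no recognised hash lines")
    actual = hash_stream(chunks, expected)
    details = {alg: (expected[alg], actual[alg]) for alg in expected}
    return all(e == a for e, a in details.values()), details


if __name__ == "__main__":
    ok, details = verify_image([IMAGE_BYTES], REPORT_TEXT)
    for alg, (exp, act) in details.items():
        print(f"{alg}: report={exp} computed={act} {'OK' if exp == act else 'MISMATCH'}")
    print("image verified" if ok else "image does NOT match report")
```

An acquisition report's hashes cover the acquired data stream, so this comparison applies directly to a raw image (or to `iter_file_chunks()` over one). For an E01, the container stores the hash of the acquired data internally, and the value Autopsy shows in the Data Source summary is the one to compare against.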

[Image: the general overview of the image generated in Autopsy]

Enter all receipts and transfers into the chain of custody log. These records are essential if your findings must be presented in court.

Opening Images In Autopsy

Create a new case and add the data source. If you have multiple EnCase segments in the same directory, point Autopsy to the first file and it will usually pick up the remaining segments automatically. Let the ingest modules run as required for your investigative goals, and keep notes about which modules and keyword searches you used so your process is reproducible.

Identifying The Host

First let’s see the computer name we are looking at. Names and labelling conventions can differ from the actual system name recorded in the image. You can quickly find the host name listed under Operating System Information, next to the SYSTEM entry.

[Image: the desktop name found in Autopsy]

Knowing the host name early helps orient the rest of your analysis and simplifies cross-referencing with network or domain logs.

Last Logins and User Activity

To understand who accessed the machine and when, we can review last login and account activity artifacts. Windows records these actions in several locations. The logs are extremely useful to investigators, but attackers also try to use them to their own advantage: after a domain compromise, for instance, an attacker can review the security logs to find the machines that domain admins frequently visit. With such logs it doesn’t take much time to work out what your critical infrastructure is and where it is located.

In Autopsy, review Operating System, then User Accounts and sort by last accessed or last logon time to see recent activity. Below we see that Sivapriya was the last one to log in.

[Image: all existing profiles listed in Autopsy]

A last logon alone does not prove culpability. Attackers may act during normal working hours to blend in, and one user’s credentials can be used by another actor. You need to use time correlation and additional artifacts before drawing conclusions.

Installed Applications

Review installed applications and files on the system. Attackers often leave tools such as Python, credential dumpers or reconnaissance utilities on disk. Some are portable and will be found in Temp, Public or user directories rather than in Program Files. Execution evidence can be recovered from Prefetch, NTUSER.DAT, UserAssist, scheduled tasks, event logs and other sources we will cover separately.

In this case we found a network reconnaissance tool, Look@LAN, which is commonly used for mapping local networks.

[Image: installed apps listed in Autopsy]
[Image: information on the recon app]

Signed and legitimate tools are sometimes abused because they follow expected patterns and can evade simple detection.

Network Information and IP Addresses

Finding the IP address assigned to the host is useful for reconstructing lateral movement and correlating events across machines and the domain controller. The domain controller logs validate domain logons and are essential for tracing where an attacker moved next. In the image you can find network assignments in the registry hives: the SYSTEM hive contains TCP/IP interface parameters under CurrentControlSet\Services\Tcpip\Parameters\Interfaces and Parameters, and the SOFTWARE hive stores network profile signatures under Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed and \Unmanaged, alongside the other NetworkList subkeys.

[Image: the IP found in the registry]

If the host used DHCP, registry entries may show previously assigned IPs, but sometimes the attacker’s tools carry their own configuration files. In our investigation we inspected an application configuration file (irunin.ini) found in Program Files (x86) and recovered the IP and MAC address active when that tool was executed.

[Image: the IP and MAC found in the app’s ini file in Autopsy]

The network adapter name and related entries are also recorded under SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards.

[Image: the network interface found in the registry]

User Folders and Files

Examine the Users folder thoroughly. Attackers may intentionally store tools and scripts in other directories to create false flags, so check all profiles, temporary locations and shared folders. When you extract an artifact for analysis, hash it before and after processing to demonstrate integrity. In this case we located a PowerShell script that attempts privilege escalation.

[Image: the privilege-escalation script found in a user directory]
[Image: contents of the privilege-escalation script]

The script checks if it is running as an administrator. If elevated it writes the output of whoami /all to %ALLUSERSPROFILE%\diag\exec_<id>.dat. If not elevated, it temporarily sets a value under HKCU\Environment\ProcExec with a PowerShell launch string, then triggers the built-in scheduled task \Microsoft\Windows\DiskCleanup\SilentCleanup via schtasks /run in the hope that the privileged task will pick up and execute the planted command, and finally removes the registry value. Errors are logged to a temporary diag file.

The goal was to validate a privilege escalation path by causing a higher-privilege process to run a payload and record the resulting elevated identity.
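The registry paths named in the Network Information section and the planted HKCU\Environment value described above are both things an examiner can check mechanically once the hives are exported. As an added example (not code from the article), the Python below parses a .reg export, reports each Tcpip interface’s address and lease time, and flags Environment values that hold an executable launch string or carry a non-standard name. The export text, GUID, addresses and the `ProcExec` value are constructed for this example; the allow-list of usual variable names and the set of launcher executables are assumptions, and an offline hive shows ControlSetNNN where a live system shows CurrentControlSet.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt in Windows .reg export syntax, written for this example; it is
# not from the case image. The key paths are the ones named in the article.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B2F4C1A0-1111-4222-8333-444455556666}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="10.0.0.5"
"DhcpSubnetMask"="255.255.255.0"
"DhcpServer"="10.0.0.1"
"LeaseObtainedTime"=dword:69209e40

[HKEY_CURRENT_USER\Environment]
"Path"="C:\\Users\\sivapriya\\AppData\\Local\\Microsoft\\WindowsApps"
"TEMP"="C:\\Users\\sivapriya\\AppData\\Local\\Temp"
"ProcExec"="powershell.exe -w hidden -c \"whoami /all\""
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
IFACE_RE = re.compile(r"\\Services\\Tcpip\\Parameters\\Interfaces\\(\{[^}]+\})$", re.I)
# Executables that have no business appearing as the value of an environment variable
# (assumed list; extend from your own telemetry).
LAUNCHER_RE = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
# Names normally present under HKCU\Environment on a workstation (assumed allow-list).
USUAL_USER_ENV = {"Path", "TEMP", "TMP", "OneDrive", "OneDriveConsumer"}


def _decode(raw):
    """Decode the right-hand side of a .reg value line: quoted strings (with backslash
    escapes) and dword:XXXXXXXX are handled; anything else is kept verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    return int(m.group(1), 16) if m else raw


def parse_reg_export(text):
    """Return {key path: {value name: decoded value}}."""
    hives, current = {}, None
    for line in text.splitlines():
        if k := KEY_RE.match(line.strip()):
            current = hives.setdefault(k.group(1), {})
        elif current is not None and (v := VALUE_RE.match(line.strip())):
            current[re.sub(r"\\(.)", r"\1", v.group(1))] = _decode(v.group(2))
    return hives


def network_interfaces(reg):
    """Per-interface addressing from the Tcpip Interfaces keys. LeaseObtainedTime is
    stored as Unix epoch seconds, so it can go straight onto a UTC timeline."""
    out = []
    for key, vals in reg.items():
        m = IFACE_RE.search(key)
        if not m:
            continue
        lease = vals.get("LeaseObtainedTime")
        out.append({
            "guid": m.group(1),
            "dhcp": vals.get("EnableDHCP") == 1,
            "ip": vals.get("DhcpIPAddress") or vals.get("IPAddress"),
            "dhcp_server": vals.get("DhcpServer"),
            "lease_obtained": (datetime.fromtimestamp(lease, tz=timezone.utc).isoformat()
                               if isinstance(lease, int) else None),
        })
    return out


def suspicious_environment_values(reg):
    """Flag HKCU\\Environment values that hold a command line or carry an unusual name,
    the kind of planted value the script described above relies on."""
    hits = []
    for key, vals in reg.items():
        if not key.upper().startswith("HKEY_CURRENT_USER\\ENVIRONMENT"):
            continue
        for name, val in vals.items():
            reasons = []
            if isinstance(val, str) and LAUNCHER_RE.search(val):
                reasons.append("value contains an executable launch string")
            if name not in USUAL_USER_ENV:
                reasons.append("name not in the usual user environment set")
            if reasons:
                hits.append((name, val, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    reg = parse_reg_export(REG_EXPORT)
    for iface in network_interfaces(reg):
        print("interface", iface)
    for name, val, why in suspicious_environment_values(reg):
        print(f"suspicious Environment value {name!r} = {val!r}: {why}")
```

The same parser works on an export of the SOFTWARE hive’s NetworkList keys; only the key regex and the value names change. Because the planted value is removed at the end of the script, a clean Environment key at examination time does not clear the account: the hive’s last-write timestamps and the scheduled-task history still need to be checked.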

Credential Harvesting

We also found evidence of credential dumping tools in user directories. Mimikatz was present in Hasan’s folder, and Lazagne was also detected in Defender logs. These tools are commonly used to extract credentials that support lateral movement. The presence of python-3.9.1-amd64.exe in the same folder suggests the workstation could have been used to stage additional tools or scripts for propagation.

[Image: Mimikatz found in a user directory]

Remember that with sufficient privileges an attacker can place malicious files into other users’ directories, so initial attribution based only on file location is tentative.

Windows Defender and Detection History

If endpoint protection was active, its detection history can hold valuable context about what was observed and when. Windows Defender’s detection entries can be found under C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory*.
Below we found another commonly used tool called LaZagne, which is available for both Linux and Windows and is used to extract credentials. We have covered the use of this tool a couple of times before, and you can refer to Powershell for Hackers – Basics to see how it works on Windows machines.

[Image: Defender logs in Autopsy]

Correlate those entries with file timestamps, prefetch data and event logs to build a timeline of execution.

Zerologon

It was also mentioned that the attackers attempted the Zerologon exploit. Zerologon (CVE-2020-1472) is a critical vulnerability in the Netlogon protocol that can allow an unauthenticated attacker with network access to a domain controller to manipulate the Netlogon authentication process, potentially resetting a computer account password and enabling impersonation of the domain controller. Successful exploitation can lead to domain takeover.

[Image: keyword search for zerologon in Autopsy]

Using keyword searches across the drive we can find related files, logs and strings that mention zerologon to verify any claims.

In the image above you can see that NTUSER.DAT contains “Zerologon”. NTUSER.DAT is the per-user registry hive stored in each profile and is invaluable for forensics. It contains persistent traces such as Run and RunOnce entries, recently opened files and MRU lists, UserAssist, TypedURLs data, shell data and a lot more. The presence of entries in a user’s NTUSER.DAT means that the user’s account environment recorded those actions. In this case the entry appears in Sandhya’s NTUSER.DAT, which suggests that the account participated in this activity or that the artifacts were created while that profile was loaded.

Timeline

Pulling together the available artifacts suggests the following sequence. The first login on the workstation appears to have been by Sandhya, during which a Zerologon exploit was attempted but failed. After that, Hasan logged in and used tools to dump credentials, possibly to start moving laterally. Evidence of Mimikatz and a Python installer were found in Hasan’s directory. Finally, Sivapriya made the last recorded login on this workstation and a PowerShell script intended to escalate privileges was found in their directory. This script could have been used during lateral activity to escalate privileges on other hosts or if local admin rights were not assigned to Hasan, another attacker could have tried to escalate their privileges using Sivapriya’s account. At this stage it is not clear whether multiple accounts represent separate actors working together or a single hacker using different credentials. Resolving that requires cross-host correlation, domain controller logs and network telemetry.
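Building a sequence like the one above means first bringing every timestamp onto one clock: NTFS and registry last-write times are FILETIME values, event logs export ISO-8601 strings, and other sources give Unix epochs. As an added example (not the author’s tooling), the Python below normalises all three to UTC, sorts them into a single timeline and groups the result per account. The events are constructed to mirror the article’s narrative; their times, sources and file names are invented, and an offset-less timestamp is rejected rather than silently assumed to be UTC.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC ($MFT, registry last-write)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def iso_to_utc(s):
    """ISO-8601 with an explicit offset or 'Z'. A string without an offset is rejected,
    because a local time placed on a UTC timeline silently shifts the whole story."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {s!r} has no timezone; convert it before correlating")
    return dt.astimezone(timezone.utc)


def epoch_to_utc(secs):
    return datetime.fromtimestamp(secs, tz=timezone.utc)


CONVERTERS = {"filetime": filetime_to_utc, "iso": iso_to_utc, "epoch": epoch_to_utc}

# Constructed events mirroring the article's narrative; sources, times and paths invented.
EVENTS = [
    {"source": "mft", "fmt": "filetime", "time": 134037939300000000, "user": "Hasan",
     "what": "mimikatz.exe created in profile"},
    {"source": "security.evtx", "fmt": "iso", "time": "2025-10-02T09:15:00Z", "user": "Sivapriya",
     "what": "interactive logon"},
    {"source": "security.evtx", "fmt": "iso", "time": "2025-10-01T08:02:11Z", "user": "Sandhya",
     "what": "interactive logon"},
    {"source": "mft", "fmt": "filetime", "time": 134038710000000000, "user": "Sivapriya",
     "what": "privilege-escalation script created in profile"},
    {"source": "defender", "fmt": "iso", "time": "2025-10-01T12:07:45Z", "user": "Hasan",
     "what": "Defender detection: LaZagne"},
    {"source": "security.evtx", "fmt": "epoch", "time": 1759320000, "user": "Hasan",
     "what": "interactive logon"},
    {"source": "ntuser.dat", "fmt": "filetime", "time": 134037798000000000, "user": "Sandhya",
     "what": "registry key referencing Zerologon last written"},
]


def build_timeline(events):
    """Normalise every record to UTC and order it; the raw value and source are kept so
    each entry can be traced back to the artifact it came from."""
    rows = []
    for e in events:
        dt = CONVERTERS[e["fmt"]](e["time"])
        rows.append({**e, "_dt": dt, "utc": dt.isoformat()})
    rows.sort(key=lambda r: r["_dt"])
    return [{k: v for k, v in r.items() if k != "_dt"} for r in rows]


def sessions_by_account(timeline):
    """Group the ordered timeline by account, preserving first-appearance order."""
    sessions = {}
    for r in timeline:
        sessions.setdefault(r["user"], []).append((r["utc"], r["source"], r["what"]))
    return sessions


if __name__ == "__main__":
    for user, entries in sessions_by_account(build_timeline(EVENTS)).items():
        print(user)
        for utc, source, what in entries:
            print(f"  {utc}  {source:14s}  {what}")
```

Grouping by account is a presentation choice, not an attribution: the article’s point that one actor may have used several accounts stands, and the domain controller and network logs are what would confirm or refute it.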

Next Steps and Verification

This was a basic Autopsy workflow. For stronger attribution and a complete reconstruction we need to collect domain controller logs, firewall and proxy logs and any endpoint telemetry available. Specialised tools can be used for deeper analysis where appropriate.

Conclusion

As you can see, Autopsy is an extensible platform that can organize many routine forensic tasks, but it is only one part of a comprehensive investigation. Successful disk analysis depends on careful evidence handling and multiple data sources. It’s also important to confirm hashes and chain of custody before and after the analysis. When you combine solid on-disk analysis with domain and network logs, you can move from isolated observations to a defensible timeline and conclusions.

If you need forensic assistance, we offer professional services to help investigate and mitigate incidents. Additionally, we provide classes on digital forensics for those looking to expand their skills and understanding in this field.

Best Ever Chicken Noodle Soup for Winter | Restaurant Style Chicken Noodle Soup

By: Priyanka
10 November 2025 at 23:11

A hearty, comforting and fulfilling soup that you must try this winter season is the classic restaurant style chicken noodle soup which is a one pot wonder that will keep you full for the entire night!

Winter is just round the corner and so is the craving for that soulful bowl of warm soup that will perfectly fit the bill as a one pot meal!

So here I come with my homemade chicken noodle soup that not only looks gorgeous but can also give the restaurant version a run for its money in terms of its flavors and taste!

Try it once and you will know why I am saying what I am saying!

What is chicken noodle soup?

Asian chicken noodle soup is a widely popular soup and I am not surprised at all! If a single dish can work as an entree as well as main course, who wouldn’t love it?

I made this a week before Diwali when we were feeling a little under the weather; we loved it so much that we immediately decided to prepare it for our little blog and share it with ya’all!

The best thing about this soup recipe is that you won’t need a long list of ingredients; just the basic aromatics, chicken & noodles and you are ready to whip up the most comforting soup of the season!

The post Best Ever Chicken Noodle Soup for Winter | Restaurant Style Chicken Noodle Soup first appeared on Flavor Quotient.


Bitcoin Price Surged Above $106,000 As Strategy Buys 487 More Bitcoin

By: Vivek Sen
10 November 2025 at 09:59

Bitcoin Magazine

Bitcoin Price Surged Above $106,000 As Strategy Buys 487 More Bitcoin

Bitcoin’s price climbed above $106,000 on Monday as Strategy, the world’s largest corporate holder of Bitcoin, announced its latest acquisition of 487 BTC for approximately $49.9 million.

According to an SEC filing, the purchases were made between November 3 and November 9 at an average price of $102,557 per Bitcoin, inclusive of fees and expenses.

The business intelligence firm’s total Bitcoin holdings have now reached 641,692 BTC, acquired for an aggregate purchase price of $47.54 billion at an average price of $74,079 per Bitcoin. This latest purchase marks Strategy’s largest Bitcoin acquisition since late September, demonstrating the company’s continued commitment to its Bitcoin treasury strategy.

The recent purchase was funded through multiple preferred stock offerings under Strategy’s at-the-market (ATM) programs. Notably, the company utilized its STRC “Stretch” preferred stock series for the first time, raising $26.2 million through the sale of 262,311 shares. Additional funding came from other preferred stock series, including $18.3 million from STRF “Strife” shares, $4.5 million from STRK “Strike” shares, and $1 million from STRD “Stride” shares.

BREAKING: 🇺🇸 STRATEGY BUYS ANOTHER 487 #BITCOIN FOR $49.9 MILLION pic.twitter.com/54eCrIrH3Z

— Bitcoin Magazine (@BitcoinMagazine) November 10, 2025

Strategy’s innovative approach to financing Bitcoin acquisitions through various preferred stock offerings has created a sustainable model for corporate Bitcoin accumulation. The company recently increased the STRC series’ annualized dividend rate to 10.5%, paid monthly, to attract investors.

Bitcoin price rebound

Bitcoin’s price responded positively to the announcement, trading at $106,219 as of press time, up 3.12% in the past 24 hours. The market has shown increased stability and maturity, with institutional adoption continuing to grow despite recent market volatility.

Despite recent criticism and a decline in Strategy’s stock price, market sentiment appears to be shifting. Notable short-seller Jim Chanos recently announced the closure of his position against MSTR, while contrarian investors are noting potential bottom signals in Bitcoin treasury companies.

The company’s aggressive accumulation strategy comes amid broader institutional acceptance of Bitcoin as a treasury reserve asset. Recent regulatory clarity regarding the treatment of Bitcoin in corporate treasury operations has further strengthened institutional confidence.

Strategy maintains significant capacity for future Bitcoin purchases. The company’s systematic approach to Bitcoin accumulation, combined with transparent reporting and regulatory compliance, continues to provide a blueprint for other corporations entering the space.

The corporate Bitcoin treasury model has evolved beyond early adoption into a mainstream treasury management strategy. We’re seeing unprecedented interest from companies across various sectors and regions.

As more corporations adopt Bitcoin treasury strategies and regulatory frameworks become clearer, the trend appears poised to accelerate through 2026. With Strategy leading the way and new entrants like Germany’s aifinyo AG joining the space, corporate Bitcoin adoption has become an established feature of the institutional Bitcoin landscape, potentially setting the stage for the next phase of Bitcoin’s mainstream integration.

This post Bitcoin Price Surged Above $106,000 As Strategy Buys 487 More Bitcoin first appeared on Bitcoin Magazine and is written by Vivek Sen.

Bitcoin Price Jumps to $103,000 After Tumultuous Week

7 November 2025 at 16:34

Bitcoin Magazine

Bitcoin Price Jumps to $103,000 After Tumultuous Week

Bitcoin price reached $103,500 today after a week of tumultuous trading. Bitcoin started the day down close to $100,000 but rebounded throughout market trading to highs of $103,859 today.

Earlier this week, Bitcoin plunged below $100,000 for the first time since June on November 4.

The slump came amid macro pressures, political headlines, and fading risk appetite, pushing bitcoin down to $99,070 and more than 20% off its October high of $126,000, technically entering a bear phase.

The sell-off follows October’s massive liquidation events, a series of hacks, and trade tensions with China.

The Federal Reserve’s hawkish tone, including a modest rate cut and signals that further cuts may not come, weighed on sentiment.

When Jerome Powell said during the Fed’s most recent press conference that December’s rate cuts aren’t guaranteed, Bitcoin’s price immediately reacted, plunging to $109,000 on the day. Since then, the price has continued bleeding into this week. The broader crypto market reacted similarly.

Powell said that inflation excluding the impact of tariffs is “not so far” from the central bank’s 2% target, but emphasized that policymakers have “not made a decision about December.” Powell noted that officials held “strongly differing views” during today’s meeting.

A stronger U.S. dollar added pressure. Technical charts show Bitcoin struggling around its 200-day moving average, with support near $96,000, according to Bitcoin Magazine Pro data.

Despite this, some bulls, including Michael Saylor’s firm, continue buying the dip, signaling cautious confidence.

Bitcoin price technical analysis

Despite the volatility, major institutions like JPMorgan remain bullish, forecasting a potential rise to $170,000 within 6–12 months, citing undervaluation relative to gold and the conclusion of heavy deleveraging.

Technical indicators offer mixed signals. Up to today, Bitcoin has been trading in a tight $100,000–$102,000 support corridor, facing resistance at $106K–$114K.

Short-term buyers have exhausted momentum, while on-chain data highlights friction between capitulating short-term holders at $107K–$110K and long-term holders defending $95K–$96K.

Institutional flows show tentative accumulation: after six days of withdrawals totaling $2.05 billion, U.S. spot Bitcoin ETFs recorded $240 million in inflows, led by BlackRock and Fidelity.

Whale activity indicates profit-taking rather than panic, with over 319,000 BTC reactivated in the past month, mostly held six to twelve months.

Recently, Cathie Wood lowered ARK Invest’s 2030 Bitcoin forecast from $1.5 million to $1.2 million, citing stablecoins increasingly taking on Bitcoin’s transactional role while reaffirming its long-term “digital gold” potential.

Galaxy Digital also cut its year-end Bitcoin target from $185,000 to $120,000, pointing to whale selling, rotations into other assets, and leveraged liquidations, while describing the market as entering a “maturity era.”

This post Bitcoin Price Jumps to $103,000 After Tumultuous Week first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Digital Forensics: Volatility – Memory Analysis Guide, Part 1

3 November 2025 at 11:20

Welcome back, aspiring DFIR investigators!

If you’re diving into digital forensics, memory analysis is one of the most exciting and useful skills you can pick up. Essentially, you take a snapshot of what’s happening inside a computer’s brain right at that moment and analyze it. Unlike checking files on a hard drive, which shows what was saved before, memory tells you about live actions: things like running programs or hidden threats that might disappear when the machine shuts down. This makes it super helpful for solving cyber incidents, especially when bad guys try to cover their tracks.

In this guide, we’re starting with the basics of memory analysis using a tool called Volatility. We’ll cover why it’s so important, how to get started, and some key commands to make you feel confident. This is part one, where we focus on the foundations and give instructions. Stick around for part two, where we’ll keep exploring Volatility and dive into network details, registry keys, files, and scans like malfind and Yara rules. Plus, if you make it through part two, there are some bonuses waiting to help you extract even more insights quickly.

Memory Forensics

Memory analysis captures stuff that disk forensics might miss. For example, after a cyber attack, malware could delete its own files or run without saving anything to the disk at all. That leaves you with nothing to find on the hard drive. But in memory, you can spot remnants like active connections or secret codes. Even law enforcement grabs memory dumps from suspects’ computers before powering them off. Once it’s off, the RAM clears out, and booting back up might be tricky if the hacker sets traps. Hackers often use tricks like USB drives that trigger wipes of sensitive data on shutdown, cleaning everything in seconds so authorities find nothing. We’re not diving into those tricks here, but they show why memory comes first in many investigations.

Lucky for us, Volatility makes working with these memory captures straightforward. The framework has kept evolving, and in 2019 Volatility 3 arrived with cleaner syntax and easier-to-remember commands. We’ll look at both Volatility 2 and 3, sharing commands to get you comfortable. These should cover what most analysts need.

Memory Gems

Below is some valuable data you can find in RAM for investigations:

1. Network connections

2. File handles and open files

3. Open registry keys

4. Running processes on the system

5. Loaded modules

6. Loaded device drivers

7. Command history and console sessions

8. Kernel data structures

9. User and credential information

10. Malware artifacts

11. System configuration

12. Process memory regions

Keep in mind, sometimes key data like encryption keys hides in memory. Memory forensics can pull this out, which might be a game-changer for a case.

Approach to Memory Forensics

In this section we will describe a structured method for conducting memory forensics, designed to support investigations of data in memory. It is based on the six-step process from SANS for analyzing memory.

Identifying and Checking Processes

Start by listing all processes that are currently running. Harmful programs can pretend to be normal ones, often using names that are very similar to trick people. To handle this:

1. List every active process.

2. Find out where each one comes from in the operating system.

3. Compare them to lists of known safe processes.

4. Note any differences or odd names that stand out.

Examining Process Details

After spotting processes that might be problematic, look closely at the related dynamic link libraries (DLLs) and resources they use. Bad software can hide by misusing DLLs. Key steps include:

1. Review the DLLs connected to the questionable process.

2. Look for any that are not approved or seem harmful.

3. Check for evidence of DLLs being inserted or taken over improperly.

Reviewing Network Connections

A lot of malware needs to connect to the internet, such as to contact control servers or send out stolen information. To find these activities:

1. Check the open and closed network links stored in memory.

2. Record any outside IP addresses and related web domains.

3. Figure out what the connection is for and why it’s happening.

4. Confirm if the process is genuine.

5. See if it usually needs network access.

6. Track it back to the process that started it.

7. Judge if its actions make sense.

Finding Code Injection

Skilled attackers may use methods like replacing a process’s code or working in hidden memory areas. To detect this:

1. Apply tools for memory analysis to spot unusual patterns or signs of these tactics.

2. Point out processes that use strange memory locations or act in unexpected ways.

Detecting Rootkits

Attackers often aim for long-term access and hiding. Rootkits bury themselves deep in the system, giving high-level control while staying out of sight. To address them:

1. Search for indicators of rootkit presence or major changes to the OS.

2. Spot any processes or drivers with extra privileges or hidden traits.

Isolating Suspicious Items

Once suspicious processes, drivers, or files are identified, pull them out for further study. This means:

1. Extract the questionable parts from memory.

2. Save them safely for detailed review with forensic software.

The Volatility Framework

A widely recommended option for memory forensics is Volatility. This is a prominent open-source framework used in the field. Its main component is a Python script called Volatility, which relies on various plugins to carefully analyze memory dumps. Since it is built on Python, it can run on any system that supports Python.

Volatility’s modules, also known as plugins, are additional features that expand the framework’s capabilities. They help pull out particular details or carry out targeted examinations on memory files.

Frequently Used Volatility Modules

Here are some modules that are often used:

pslist: Shows the active processes.

cmdline: Reveals the command-line parameters for processes.

netscan: Checks for network links and available ports.

malfind: Looks for possible harmful code added to processes.

handles: Examines open resources.

svcscan: Displays services in Windows.

dlllist: Lists the dynamic-link libraries loaded in a process.

hivelist: Identifies registry hives stored in memory.

You can find documentation on Volatility here:

Volatility v2: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference

Volatility v3: https://volatility3.readthedocs.io/en/latest/index.html

Installation

Installing Volatility 3 is quite easy and will require a separate virtual environment to keep things organized. Create it first before proceeding with the rest:

bash$ > python3 -m venv ~/venvs/vol3

bash$ > source ~/venvs/vol3/bin/activate

Now you are ready to install it:

bash$ > pip install volatility3

installing volatility

Since we are going to cover Yara rules in Part 2, we will need to install some dependencies:

bash$ > sudo apt install -y build-essential pkg-config libtool automake libpcre3-dev libjansson-dev libssl-dev libyara-dev python3-dev

bash$ > pip install yara-python pycryptodome

installing yara for volatility

Yara rules are important and they help you automate half the analysis. There are hundreds of these rules available on GitHub, so you can download and use them each time you analyze the dump. While these rules can find a lot of things, there is always a chance that malware can fly under the radar, as attackers change tactics and rewrite payloads.

Now we are ready to work with Volatility 3.

Plugins

Volatility comes with multiple plugins. To list all the available plugins do this:

bash$ > vol -h

showing available plugins in volatility

Each of these plugins has a separate help menu with a description of what it does.

Memory Analysis Cheat Sheet

Image Information

Imagine you’re an analyst investigating a hacked computer. You start with image information because it tells you basics like the OS version and architecture. This helps Volatility pick the right settings to read the memory dump correctly. Without it, your analysis could go wrong. For example, if a company got hit by ransomware, knowing the exact Windows version from the dump lets you spot if the malware targeted a specific weakness.

In Volatility 2, ‘imageinfo’ scans for profiles, and ‘kdbgscan’ digs deeper for kernel debug info if needed. Volatility 3’s ‘windows.info’ combines this, showing 32/64-bit, OS versions, and kernel details all in one, and it’s quicker.

bash$ > vol -f Windows.vmem windows.info

getting image info with volatility

Here’s what the output looks like, showing key system details to guide your next steps.

Process Information

As a beginner analyst, you’d run process commands to list what’s running on the system, like spotting a fake β€œexplorer.exe” that might be malware stealing data. Say you’re checking a bank employee’s machine after a phishing attack, these commands can tell you if suspicious programs are active, and help you trace the breach.

‘pslist’ shows active processes via kernel structures. ‘psscan’ scans memory for hidden ones (good for rootkits). ‘pstree’ displays parent-child relationships like a family tree. ‘psxview’ in Vol 2 compares lists to find hidden processes.

Note that Volatility 2 wants you to specify the profile. You can find out the profile while gathering the image info.

Volatility 2:

vol.py -f "/path/to/file" --profile <profile> pslist

vol.py -f "/path/to/file" --profile <profile> psscan

vol.py -f "/path/to/file" --profile <profile> pstree

vol.py -f "/path/to/file" --profile <profile> psxview

Volatility 3:

vol.py -f "/path/to/file" windows.pslist

vol.py -f "/path/to/file" windows.psscan

vol.py -f "/path/to/file" windows.pstree

Now let’s see what we get:

bash$ > vol -f Windows7.vmem windows.pslist

displaying a process list with volatility

This output lists processes with PIDs, names, and start times. Great for spotting outliers.

bash$ > vol -f Windows.vmem windows.psscan

running a process scan with volatility to find hidden processes

Here, you’ll see a broader scan that might catch processes trying to hide.

bash$ > vol -f Windows7.vmem windows.pstree

listing process trees with volatility

This tree view helps trace how processes relate, like if a browser spawned something shady.

Displaying the entire process tree will look messy, so we recommend a more targeted approach with --pid.
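The checks described in the Approach section above (list every process, compare names against known-good ones, look for odd names and unexpected parents) are easy to automate once you have the pslist output. The script below is an added example, not code from this guide or from the Volatility project: it parses windows.pslist output, rebuilds the parent/child relationships, flags lookalike names, unexpected parents for core Windows processes and duplicate instances of processes that should exist once, and prints the ancestry of a single PID, which is the targeted view recommended above instead of the whole tree. The listing it works on is constructed in the shape of Volatility 3's tab-separated pslist output; the PIDs, names and times are made up, and the expected-parent table is a minimal baseline you should extend from your own gold image.

```python
"""Triage a Volatility 3 windows.pslist listing: rebuild the parent/child tree
and flag lookalike names, unexpected parents and duplicate core processes."""
from collections import Counter

# Constructed sample in the shape of `vol -f dump.vmem windows.pslist` output.
# PIDs, offsets and timestamps are made up for this example, not from a real dump.
SAMPLE_PSLIST = """Volatility 3 Framework 2.x
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0x0\t90\t500\tN/A\tFalse\t2025-10-01 08:00:00.000000 \tN/A\tDisabled
368\t4\tsmss.exe\t0x0\t2\t30\tN/A\tFalse\t2025-10-01 08:00:01.000000 \tN/A\tDisabled
520\t504\tcsrss.exe\t0x0\t10\t400\t0\tFalse\t2025-10-01 08:00:02.000000 \tN/A\tDisabled
572\t504\twininit.exe\t0x0\t3\t80\t0\tFalse\t2025-10-01 08:00:02.000000 \tN/A\tDisabled
668\t572\tservices.exe\t0x0\t8\t200\t0\tFalse\t2025-10-01 08:00:03.000000 \tN/A\tDisabled
684\t572\tlsass.exe\t0x0\t9\t600\t0\tFalse\t2025-10-01 08:00:03.000000 \tN/A\tDisabled
812\t668\tsvchost.exe\t0x0\t12\t300\t0\tFalse\t2025-10-01 08:00:04.000000 \tN/A\tDisabled
1240\t668\tsvchost.exe\t0x0\t20\t450\t0\tFalse\t2025-10-01 08:00:05.000000 \tN/A\tDisabled
2016\t1900\texplorer.exe\t0x0\t40\t900\t1\tFalse\t2025-10-01 08:01:00.000000 \tN/A\tDisabled
3104\t2016\tsvch0st.exe\t0x0\t3\t60\t1\tFalse\t2025-10-01 09:12:41.000000 \tN/A\tDisabled
3400\t3104\tcmd.exe\t0x0\t1\t25\t1\tFalse\t2025-10-01 09:12:45.000000 \tN/A\tDisabled
3520\t2016\tlsass.exe\t0x0\t2\t40\t1\tFalse\t2025-10-01 09:13:10.000000 \tN/A\tDisabled
"""

# Minimal baseline (assumption: extend it from your own gold image). Core names are
# never treated as lookalikes; every other name is compared against them.
CORE = {"System", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
        "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}
EXPECTED_PARENT = {"smss.exe": "System", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}
SINGLE_INSTANCE = {"wininit.exe", "services.exe", "lsass.exe"}


def parse_pslist(text):
    """Return {pid: {"ppid": int, "name": str}} from tab-separated pslist output."""
    lines = text.splitlines()
    header = next(i for i, line in enumerate(lines) if line.startswith("PID\t"))
    cols = lines[header].split("\t")
    pid_i, ppid_i, name_i = cols.index("PID"), cols.index("PPID"), cols.index("ImageFileName")
    procs = {}
    for line in lines[header + 1:]:
        fields = line.split("\t")
        if len(fields) < len(cols):
            continue  # progress lines and blanks
        procs[int(fields[pid_i])] = {"ppid": int(fields[ppid_i]), "name": fields[name_i]}
    return procs


def edit_distance(a, b):
    """Levenshtein distance; catches svch0st.exe, scvhost.exe, lsas.exe and friends."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parent_name(procs, pid):
    ppid = procs[pid]["ppid"]
    return procs[ppid]["name"] if ppid in procs else "<not in list>"


def triage(procs):
    """Return (pid, name, reason) findings for the checks in the Approach section."""
    findings = []
    counts = Counter(p["name"] for p in procs.values())
    for pid, p in sorted(procs.items()):
        name = p["name"]
        if name not in CORE:
            for core in sorted(CORE):
                if edit_distance(name.lower(), core.lower()) <= 2:
                    findings.append((pid, name, f"lookalike of {core}"))
        expected = EXPECTED_PARENT.get(name)
        if expected and parent_name(procs, pid) != expected:
            findings.append((pid, name, f"unexpected parent {parent_name(procs, pid)} (expected {expected})"))
        if name in SINGLE_INSTANCE and counts[name] > 1:
            findings.append((pid, name, f"{counts[name]} instances (expected 1)"))
    return findings


def ancestry(procs, pid):
    """Targeted view for one PID: its chain of parents that still exist in the listing."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{procs[pid]['name']}({pid})")
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for pid, name, reason in triage(procs):
        print(f"{pid:>6}  {name:<14} {reason}")
    print(" -> ".join(ancestry(procs, 3400)))
```

Feed it real output with `vol -f dump.vmem windows.pslist > pslist.txt` and `parse_pslist(open("pslist.txt").read())`. Parents that have already exited (csrss.exe and explorer.exe in the sample) show up as "<not in list>", which is normal; the findings that matter are a core name spawned by the wrong parent, a second lsass.exe, and a name one character away from a system process.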

Process Dump

You’d use process dump when you spot a suspicious process and want to extract its executable for closer inspection, like with antivirus tools. For instance, if you’re analyzing a system after a data leak, dumping a weird process could reveal it is spyware sending info to hackers.

Vol 2’s ‘procdump’ pulls the exe for a PID. Vol 3’s ‘dumpfiles’ grabs the exe plus related DLLs, giving more context.

Volatility 2:

vol.py -f "/path/to/file" --profile <profile> procdump -p <PID> --dump-dir="/path/to/dir"

Volatility 3:

vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --pid <PID>

We already have a process we are interested in:

bash$ > vol -f Windows.vmem windows.dumpfiles --pid 504

dumping files with volatility

After the dump, check the output and analyze it further.

Memdump

Memdump is key for pulling the full memory of a process, which might hold passwords or code snippets. Imagine investigating insider theft, dumping memory from an email app could show unsent drafts with stolen data.

Vol 2’s ‘memdump’ extracts raw memory for a PID. Vol 3’s ‘memmap’ with --dump maps and dumps regions, useful for detailed forensics.

Volatility 2:

vol.py -f "/path/to/file" --profile <profile> memdump -p <PID> --dump-dir="/path/to/dir"

Volatility 3:

vol.py -f "/path/to/file" -o "/path/to/dir" windows.memmap --dump --pid <PID>

Let’s see the output for our process:

bash$ > vol -f Windows7.vmem windows.memmap --dump --pid 504

pulling memory of processes with volatility

This shows the memory map and dumps files for deep dives.

DLLs

Listing DLLs helps spot injected code, like malware hiding in legit processes. Unusual DLLs might point to infection.

Both versions list loaded DLLs for a PID, but Vol 3 is profile-free and faster.

Volatility 2:

vol.py -f "/path/to/file" --profile <profile> dlllist -p <PID>

Volatility 3:

vol.py -f "/path/to/file" windows.dlllist --pid <PID>

Let’s see the DLLs loaded in our memory dump:

bash$ > vol -f Windows7.vmem windows.dlllist --pid 504

listing loaded DLLs in volatility

Here you see all loaded DLLs of this process. You already know how to dump processes with their DLLs for a more thorough analysis.

Handles

Handles show what a process is accessing, like files or keys crucial for seeing if malware is tampering with system parts. In a ransomware case, handles might reveal encrypted files being held open or encryption keys used to encrypt data.

Both commands list handles for a PID. Similar outputs, but Vol 3 is streamlined.

Volatility 2:

vol.py -f "/path/to/file" --profile <profile> handles -p <PID>

Volatility 3:

vol.py -f "/path/to/file" windows.handles --pid <PID>

Let’s see the handles our process used:

bash$ > vol -f Windows.vmem windows.handles --pid 504

listing handles in volatility

It gave us details, types and names for clues.

Services

Services scan lists background programs, helping find persistent malware disguised as services. If you’re probing a server breach, this could uncover a backdoor service.

Use | more to page through long lists. Outputs are similar, showing service names and states.

Volatility 2:

vol -f "/path/to/file" --profile <profile> svcscan | more

Volatility 3:

vol -f "/path/to/file" windows.svcscan | more

Since services are often abused for persistence, a lot can be discovered here:

bash$ > vol -f Windows7.vmem windows.svcscan

listing windows services in volatility

Give it a closer look and spend enough time here. It’s good to familiarize yourself with native services and their locations.
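Knowing the native service locations pays off when you can check every row against them at once. The script below is an added example, not from this guide or from the Volatility project: it parses windows.svcscan output, extracts the executable from each ImagePath (quoted or not, arguments dropped) and classifies it by location, so services launched from user-writable directories (C:\Users, C:\ProgramData, C:\Windows\Temp) or from an unexpected drive surface immediately. The rows are constructed in the tab-separated shape Volatility 3 prints; the PIDs, service names and paths are made up, and the trusted/writable prefix lists are assumptions to adapt to your own baseline. The same path check works on windows.dlllist output if you point it at that plugin's path column.

```python
"""Review Volatility 3 windows.svcscan output: where does each service binary live?"""

# Constructed rows in the tab-separated shape of `vol -f dump.vmem windows.svcscan`.
# Offsets are zeroed and the PIDs, service names and paths are made up.
SAMPLE_SVCSCAN = "\n".join([
    "Volatility 3 Framework 2.x",
    "Offset\tPID\tOrder\tStart\tState\tType\tName\tDisplay\tBinary",
    "0x0\t812\t12\tSERVICE_AUTO_START\tSERVICE_RUNNING\tSERVICE_WIN32_SHARE_PROCESS\tDhcp\tDHCP Client\tC:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted",
    "0x0\t1240\t40\tSERVICE_AUTO_START\tSERVICE_RUNNING\tSERVICE_WIN32_OWN_PROCESS\tSpooler\tPrint Spooler\tC:\\Windows\\System32\\spoolsv.exe",
    "0x0\t3104\t77\tSERVICE_AUTO_START\tSERVICE_RUNNING\tSERVICE_WIN32_OWN_PROCESS\tWindowsUpdateSvc\tWindows Update Service\tC:\\Users\\Public\\svch0st.exe",
    '0x0\t-\t80\tSERVICE_DEMAND_START\tSERVICE_STOPPED\tSERVICE_WIN32_OWN_PROCESS\tSysMon\tSystem Monitor\t"C:\\ProgramData\\sysmon.exe" -q',
    "0x0\t-\t5\tSERVICE_BOOT_START\tSERVICE_RUNNING\tSERVICE_KERNEL_DRIVER\tdisk\tDisk Driver\t\\SystemRoot\\System32\\drivers\\disk.sys",
    "0x0\t2260\t90\tSERVICE_AUTO_START\tSERVICE_RUNNING\tSERVICE_WIN32_OWN_PROCESS\tAgentSvc\tAgent Service\tD:\\tools\\agent.exe",
])

# Assumed baseline of locations; adjust to the image you are analysing.
TRUSTED_PREFIXES = ("c:\\windows\\", "\\systemroot\\", "system32\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                     "c:\\windows\\tasks\\", "c:\\temp\\")


def parse_svcscan(text):
    """Return one dict per service, keyed by the column names in the header line."""
    lines = text.splitlines()
    header = next(i for i, line in enumerate(lines) if line.startswith("Offset\t"))
    cols = lines[header].split("\t")
    rows = []
    for line in lines[header + 1:]:
        fields = line.split("\t")
        if len(fields) >= len(cols):
            rows.append(dict(zip(cols, fields)))
    return rows


def binary_path(image_path):
    """Extract the executable from an ImagePath value, quoted or not, dropping arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    low = s.lower()
    for ext in (".exe", ".sys", ".dll"):
        i = low.find(ext)
        if i >= 0:
            return s[:i + len(ext)]
    return s.split(" ")[0]


def classify(path):
    """'trusted', 'user-writable' or 'other' by prefix. Writable prefixes are tested
    first so that C:\\Windows\\Temp is not whitelisted by the C:\\Windows rule."""
    p = path.lower()
    if p.startswith(WRITABLE_PREFIXES):
        return "user-writable"
    if p.startswith(TRUSTED_PREFIXES):
        return "trusted"
    return "other"


def review_services(rows):
    """Return (name, state, path, location) for every service outside a trusted location."""
    findings = []
    for r in rows:
        path = binary_path(r["Binary"])
        location = classify(path)
        if location != "trusted":
            findings.append((r["Name"], r["State"], path, location))
    return findings


if __name__ == "__main__":
    for name, state, path, location in review_services(parse_svcscan(SAMPLE_SVCSCAN)):
        print(f"{name:<18} {state:<16} {location:<14} {path}")
```

Run `vol -f dump.vmem windows.svcscan > svcscan.txt` and pass the file contents to parse_svcscan. A stopped service in a writable directory (SysMon in the sample) is still worth a look: it may be the persistence mechanism waiting for the next boot.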

Summary

We’ve covered the essentials of memory analysis with Volatility, from why it’s vital to key commands for processes, dumps, DLLs, handles, and services. Apart from the commands, now you know how to approach memory forensics and what actions you should take. As we progress, more articles will be coming where we practice with different cases. We already have a memory dump of a machine that suffered a ransomware attack, which we analyzed with you recently. In part two, you will build on this knowledge by exploring network info, registry, files, and advanced scans like malfind and Yara rules. And for those who finish part two, some handy bonuses await to speed up your work even more. Stay tuned!

The post Digital Forensics: Volatility – Memory Analysis Guide, Part 1 first appeared on Hackers Arise.

Bitcoin Price Craters to $107,000 as Fed Turns Cautious, Traders React to Trump–Xi Meeting

30 October 2025 at 09:35

Bitcoin Magazine


Bitcoin price tumbled sharply Thursday morning, falling to the low $107,000s as traders digested cautious remarks from Federal Reserve Chair Jerome Powell and mixed signals from the latest Trump–Xi meeting.

The bitcoin price drop erased last week’s rebound and extended the bitcoin’s weak October performance, weighed down by macro headwinds and China-U.S. trade relations.

The world’s largest cryptocurrency was down to $107,472 by early Thursday, according to Bitcoin Magazine Pro data, after briefly plunging to $107,925 overnight.

Bitcoin price reacts to Jerome Powell’s comments

The move followed the Fed’s 25-basis-point rate cut on Wednesday — its second of 2025 — bringing the target range to 3.75%–4%. While the cut was widely anticipated, Powell’s message was clear: further easing this year is far from guaranteed.

There were “strongly differing views among policymakers,” Powell said during his post-meeting press conference, adding that the Fed might “wait a cycle” before considering another reduction.

The remarks rattled markets that had been pricing in a December cut, with CME FedWatch data showing probabilities for another move dropping from 90% to just 71% after his comments.

Risk assets broadly weakened yesterday. The S&P 500 finished flat, the Dow Jones Industrial Average slipped 0.2%, and the Nasdaq Composite managed a modest 0.6% gain. As of writing, markets for Thursday look bleak as well.

Bitcoin, which traded near $116,000 earlier in the week, sank as Powell spoke, briefly touching $109,000 in a sharp sell-off before stabilizing near $111,000 overnight.

The Fed’s tone also overshadowed what had appeared to be a positive outcome from the Trump–Xi summit. Following the meeting, President Trump said China would “immediately resume soybean purchases” and that “all rare-earth issues have been resolved.”

Still, it looks like traders remained cautious, focusing instead on the Fed’s hawkish pivot and the ongoing U.S. government shutdown, now entering its fourth week.

Institutional demand also showed early signs of weakness. U.S.-listed spot Bitcoin ETFs saw $470.7 million in outflows on Wednesday, ending a four-day inflow streak and marking the largest daily outflow since October 16, per Bitcoin Magazine Pro data.

Will the bitcoin price react to Quantitative Tightening ending?

Powell did confirm that the Fed is nearing the end of its Quantitative Tightening (QT) program — a move that could eventually boost liquidity in risk assets.

Since 2022, QT has drained nearly $1 trillion from the Fed’s balance sheet by allowing Treasury and mortgage holdings to mature without reinvestment.

Powell said the process could conclude by December but warned that future decisions remain data-dependent. Despite the sharp correction, analysts remain divided on Bitcoin’s near-term direction.

This post Bitcoin Price Craters to $107,000 as Fed Turns Cautious, Traders React to Trump–Xi Meeting first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Bitcoin Price Crashes to $109,000 Then Rebounds as Jerome Powell Stays Neutral on Future Cuts

29 October 2025 at 16:38

Bitcoin Magazine


Bitcoin’s price fell to $109,000 Wednesday afternoon after Federal Reserve Chair Jerome Powell signaled that additional rate cuts may not follow in December. Since then, Bitcoin price has leveled near $111,000.

The drop came shortly after the central bank reduced its benchmark interest rate by 0.25 percentage points to a target range of 3.75%–4%.

The cut — the Fed’s second of 2025 after a move in September — ended a long stretch of rate holds. The policy shift is intended to lower borrowing costs and support economic activity. But Powell’s comments that further cuts are not guaranteed this year sparked selling across risk assets.

Before the announcement, Bitcoin traded near $116,000 on Monday and briefly dipped below $111,000 early Tuesday. The price briefly bounced on the news before sliding again as Powell spoke. Bitcoin is currently trading near $111,200, according to Bitcoin Magazine Pro data.

During the press conference, as Jerome Powell said that December’s rate cuts aren’t guaranteed, Bitcoin’s price immediately reacted — plunging to $109,000 in a sharp red candle before quickly recovering. The broader crypto market reacted similarly.

Powell said that inflation excluding the impact of tariffs is “not so far” from the central bank’s 2% target, but emphasized that policymakers have “not made a decision about December.” Powell noted that officials held “strongly differing views” during today’s meeting.

Following his remarks, markets sharply trimmed expectations for another rate cut this year. Fed funds futures now price a 71% chance of a December cut, down from about 90% earlier in the day, according to CME data and on prediction markets like Kalshi and Polymarket.

The two-year Treasury yield jumped 9 basis points as traders reassessed the Fed’s near-term trajectory.

Historically, Bitcoin has reacted sharply to monetary-policy changes. After the Fed’s emergency cuts in March 2020, Bitcoin plunged nearly 39% before recovering. When the Fed cut in September 2025, market reaction was limited — suggesting expectations were already priced in.

Bitcoin price as Fed signals end of Quantitative Tightening

Powell also said the central bank is approaching the end of its Quantitative Tightening program, confirming the Fed expects to stop QT by December. This involves letting some holdings of Treasuries and mortgage securities run off the balance sheet as they mature, rather than reinvesting the principal.

QT reduces liquidity by shrinking the Fed’s balance sheet through allowing government bonds to mature without reinvestment or by selling them into the market.

The process has been underway since 2022, removing nearly $1 trillion in securities as part of efforts to fight inflation.

JUST IN: 🇺🇸 Federal Reserve announces it will stop shrinking its balance sheet on December 1 👀 pic.twitter.com/1SYilnW1cA

— Bitcoin Magazine (@BitcoinMagazine) October 29, 2025

Ending QT would stop that drain on liquidity — a shift many analysts believe could eventually support flows into risk assets, including Bitcoin.

Powell warned, however, that policy will remain dependent on economic data, adding further uncertainty to market expectations.

This post Bitcoin Price Crashes to $109,000 Then Rebounds as Jerome Powell Stays Neutral on Future Cuts first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Bitcoin Price Crashes to $112,000 Ahead of Fed Decision, Markets Eye U.S.-China Talks

28 October 2025 at 16:22

Bitcoin Magazine


Bitcoin price continued its semi-green week today, trading above $115,000 and briefly reaching $116,077. Since then, bitcoin’s price has dumped to the mid $112,000s, according to Bitcoin Magazine Pro data.

This bitcoin price movement comes as traders weigh the Federal Reserve’s upcoming interest-rate decision and renewed optimism in the U.S.-China trade relations.

Data from Bitcoin Magazine Pro showed a 1.6% daily gain for BTC before the dump in late afternoon.

Despite historical trends of Bitcoin pulling back ahead of major U.S. economic events, the cryptocurrency held steady ahead of Wednesday’s Federal Open Market Committee (FOMC) meeting, where a 25-basis-point rate cut is widely expected.

Traders remain divided on near-term price targets. Some believe the market may be bottoming and an uptrend could follow for the rest of the week, while others see $117,000 as a potential pre-Fed local top before BTC revisits the CME futures gap near $111,000.

The broader macro backdrop also supported risk-on assets. Gold fell to under $4,000 per ounce, its lowest since Oct. 6, helping fuel gains in Bitcoin and altcoins.

Bitcoin price enters tight range

Bitcoin’s price has entered one of its tightest trading ranges in history, moving between $106,000 and $123,000 for over four months. This extended calm has driven volatility to record lows on six-month metrics — levels that have historically preceded major directional moves. The weekly Bollinger Band Width, a key volatility indicator, has reached its lowest reading ever, suggesting that a large expansion in volatility could be imminent.

In past cycles, similar compression periods have led to price surges exceeding 65% within 100 days.

Applying those historical patterns implies a potential target of $170,000–$180,000 by 2026 if Bitcoin follows a comparable trajectory. However, these low-volatility phases can persist for months before breaking out, meaning Bitcoin may continue trading sideways into early 2026.

Corporate crypto buying

Corporate and institutional crypto activity is also making headlines. Japanese hotelier-turned-Bitcoin treasury Metaplanet Inc. announced a $500 million share buyback, while Cathie Wood and Ark Invest increased its holdings in Block Inc. by $30.9 million across three ETFs.

Wood, known for her $1.5 million Bitcoin prediction, is one of the most bullish investors in crypto. Through ARK Invest, she has consistently invested millions in major crypto-related stocks.

Her firm held positions in Circle Internet Group, Coinbase, Robinhood, and Bitmine Immersion Technologies.

Recently, ARK expanded its crypto exposure by purchasing about $31 million worth of Block Inc. shares. The ARK Innovation ETF bought 210,916 shares, the ARK Next Generation Internet ETF added 59,827 shares, and the ARK Fintech Innovation ETF acquired 114,842 shares.

This post Bitcoin Price Crashes to $112,000 Ahead of Fed Decision, Markets Eye U.S.-China Talks first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Network Forensics: Analyzing a Server Compromise (CVE-2022-25237)

24 October 2025 at 10:34

Welcome back, aspiring forensic and incident response investigators.

Today we are going to learn more about a branch of digital forensics that focuses on networks, which is Network Forensics. This field often contains a wealth of valuable evidence. Even though skilled attackers may evade endpoint controls, active network captures are harder to hide. Many of the attacker’s actions generate traffic that is recorded. Intrusion detection and prevention systems (IDS/IPS) can also surface malicious activity quickly, although not every organization deploys them. In this exercise you will see what can be extracted from IDS/IPS logs and a packet capture during a network forensic analysis.

The incident we will investigate today involved a credential-stuffing attempt followed by exploitation of CVE-2022-25237. The attacker abused an API to run commands and establish persistence. Below are the details and later a timeline of the attack.

Intro

Our subject is a fast-growing startup that uses a business management platform. Documentation for that platform is limited, and the startup administrators have not followed strong security practices. For this exercise we act as the security team. Our objective is to confirm the compromise using network packet captures (PCAP) and exported security logs.

We obtained an archive containing the artifacts needed for the investigation. It includes a .pcap network traffic file and a .json file with security events. Wireshark will be our primary analysis tool.

network artifacts for the analysis

Analysis

Defining Key IP Addresses

The company suspects its management platform was breached. To identify which platform and which hosts are involved, we start with the pcap file. In Wireshark, view the TCP endpoints from the Statistics menu and sort by packet count to see which IP addresses dominate the capture.

endpoints in wireshark with higher reception

This quickly highlights the IP address 172.31.6.44 as a major recipient of traffic. The traffic to that host uses ports 37022, 8080, 61254, 61255, and 22. Common service associations for these ports are: 8080 for HTTP, 22 for SSH, and 37022 as an arbitrary TCP data port that the environment is using.

When you identify heavy talkers in a capture, export their connection lists and timestamps immediately. That gives you a focused subset to work from and preserves the context of later findings.

Analyzing HTTP Traffic

The port usage suggests the management platform is web-based. Filter HTTP traffic in Wireshark with http.request to inspect client requests. The first notable entry is a GET request whose URL and headers match Bonitasoft’s platform, showing the company uses Bonitasoft for business management.

http traffic that looks like brute force

Below that GET request you can see a series of authentication attempts (POST requests) originating from 156.146.62.213. The login attempts include usernames that reveal the attacker has done corporate OSINT and enumerated staff names.

The credentials used for the attack are not generic wordlist guesses, instead the attacker tries a focused set of credentials. That behavior is consistent with credential stuffing: the attacker uses previously leaked username/password pairs (often from other breaches) and tries them against this service, typically automated and sometimes distributed via a botnet to blend with normal traffic.

credential stuffing spotted

A credential-stuffing event alone does not prove a successful compromise. The next step is to check whether any of the login attempts produced a successful authentication. Before doing that, we review the IDS/IPS alerts.

Finding the CVE

To inspect the JSON alert file in a shell environment, format it with jq and then see what’s inside. Here is how you can make the json output easier to read:

bash$ > cat alerts.json | jq .

reading alert log file

Obviously, the file will be too big, so we will narrow it down to indicators such as CVE:

bash$ > cat alerts.json | jq . | grep -i cve

grepping cves in the alert log file

Security tools often map detected signatures to known CVE identifiers. In our case, alert data and correlation with the observed HTTP requests point to repeated attempts to exploit CVE-2022-25237, a vulnerability affecting Bonita Web 2021.2. The exploit abuses insufficient validation in the RestAPIAuthorizationFilter (or related i18n translation logic). By appending crafted data to a URL, an attacker can reach privileged API endpoints, potentially enabling remote code execution or privilege escalation.
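The jq and grep pipeline above works on any JSON, but grep only sees CVE ids that happen to land on their own pretty-printed line. As an added example that is not part of the original article, the Python below walks every nested string in each alert, collects CVE ids wherever they sit (signature text, metadata lists) and summarizes them per CVE and source IP with first and last timestamps, which is the short list you want before pivoting into the pcap. The records are constructed in an EVE-style newline-delimited shape; field names such as src_ip and alert.signature are assumptions about the log format, the signature texts are made up, the CVE id and the 156.146.62.213 address are the ones discussed in this article, and 198.51.100.7 is a documentation address standing in for a second source.

```python
"""Pull CVE references out of IDS alert JSON and summarize them per source."""
import json
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)

# Constructed alerts in an EVE-style newline-delimited shape (assumed field names;
# signature texts are made up). 198.51.100.7 is a documentation address.
SAMPLE_ALERTS = """\
{"timestamp": "2025-10-01T10:02:11.000000+0000", "src_ip": "156.146.62.213", "dest_ip": "172.31.6.44", "dest_port": 8080, "alert": {"signature": "Possible credential stuffing against web login", "category": "Attempted Information Leak"}}
{"timestamp": "2025-10-01T10:05:40.000000+0000", "src_ip": "156.146.62.213", "dest_ip": "172.31.6.44", "dest_port": 8080, "alert": {"signature": "Bonita API authorization bypass attempt (CVE-2022-25237)", "category": "Attempted Administrator Privilege Gain"}}
{"timestamp": "2025-10-01T10:05:52.000000+0000", "src_ip": "156.146.62.213", "dest_ip": "172.31.6.44", "dest_port": 8080, "alert": {"signature": "Bonita API authorization bypass attempt (CVE-2022-25237)", "category": "Attempted Administrator Privilege Gain"}}
{"timestamp": "2025-10-01T10:09:02.000000+0000", "src_ip": "198.51.100.7", "dest_ip": "172.31.6.44", "dest_port": 8080, "alert": {"signature": "Generic web application scanner", "metadata": {"cve": ["cve-2022-25237"]}}}
"""


def load_alerts(text):
    """Accept either a JSON array (as jq would print it) or newline-delimited records."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_cves(obj):
    """Collect normalised CVE ids from every string anywhere inside a nested JSON value."""
    if isinstance(obj, dict):
        values = obj.values()
    elif isinstance(obj, list):
        values = obj
    elif isinstance(obj, str):
        return {m.upper() for m in CVE_RE.findall(obj)}
    else:
        return set()
    found = set()
    for v in values:
        found |= find_cves(v)
    return found


def summarize(alerts):
    """Return {(cve, src_ip): {"count", "first", "last", "signatures"}}."""
    out = {}
    for a in alerts:
        ts = a.get("timestamp", "")
        for cve in find_cves(a):
            key = (cve, a.get("src_ip", "?"))
            entry = out.setdefault(key, {"count": 0, "first": ts, "last": ts, "signatures": set()})
            entry["count"] += 1
            entry["first"] = min(entry["first"], ts)  # ISO timestamps sort lexically
            entry["last"] = max(entry["last"], ts)
            entry["signatures"].add(a.get("alert", {}).get("signature", "?"))
    return out


if __name__ == "__main__":
    for (cve, src), e in sorted(summarize(load_alerts(SAMPLE_ALERTS)).items()):
        print(f"{cve} from {src}: {e['count']} alerts, {e['first']} .. {e['last']}")
        for sig in sorted(e["signatures"]):
            print(f"    {sig}")
```

With a real file, `summarize(load_alerts(open("alerts.json").read()))` gives you the attacker addresses and the exact time window to filter on in Wireshark (ip.addr and frame.time) before following HTTP streams.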

cve 2022-25237 information

Now we verify whether exploitation actually succeeded.

Exploitation

To find successful authentications, filter responses with:

http.response.code >= 200 and http.response.code < 300 and ip.addr == 172.31.6.44

filtering http responses with successful authentication

Among the successful responses, HTTP 204 entries stand out because they are less common than HTTP 200. If we follow the HTTP stream for a 204 response, the request stream shows valid credentials followed immediately by a 204 response and cookie assignment. That means the attacker successfully logged in. This is the point where the attacker moves from probing to interacting with privileged endpoints.
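The two observations made so far, a burst of failed POST logins carrying many distinct usernames from one source (the credential-stuffing pattern described above) followed by a 2xx response with a cookie from the same source, can be turned into one repeatable check. The script below is an added example, not from the article: it works on a constructed list of HTTP transactions in the shape you would get from a Wireshark export, groups login POSTs by source, finds bursts of failures inside a time window, decides from the username spread whether it looks like stuffing or password guessing, and reports the first successful login after the burst. The login path /app/login, the timings, the thresholds and all usernames except seb.broom are made up.

```python
"""Spot credential stuffing in HTTP traffic and the first login that succeeded."""
from collections import defaultdict

LOGIN_URI = "/app/login"  # hypothetical login endpoint for this example

# Constructed transactions in the shape of a Wireshark HTTP export:
# (time_s, src, dst, method, uri, status, user_from_post_body, set_cookie_seen).
# Times and usernames other than seb.broom are made up.
SAMPLE_HTTP = [
    (0.0, "10.0.0.5", "172.31.6.44", "GET", "/app/", 200, None, False),
    (12.1, "156.146.62.213", "172.31.6.44", "GET", LOGIN_URI, 200, None, False),
    (12.6, "156.146.62.213", "172.31.6.44", "POST", LOGIN_URI, 401, "j.smith", False),
    (12.9, "156.146.62.213", "172.31.6.44", "POST", LOGIN_URI, 401, "a.patel", False),
    (13.2, "156.146.62.213", "172.31.6.44", "POST", LOGIN_URI, 401, "m.chen", False),
    (13.5, "156.146.62.213", "172.31.6.44", "POST", LOGIN_URI, 401, "r.ortiz", False),
    (13.8, "156.146.62.213", "172.31.6.44", "POST", LOGIN_URI, 401, "k.nowak", False),
    (14.1, "156.146.62.213", "172.31.6.44", "POST", LOGIN_URI, 204, "seb.broom", True),
    (15.0, "156.146.62.213", "172.31.6.44", "GET", "/app/dashboard", 200, None, False),
    (40.0, "10.0.0.5", "172.31.6.44", "POST", LOGIN_URI, 401, "j.smith", False),
    (45.0, "10.0.0.5", "172.31.6.44", "POST", LOGIN_URI, 204, "j.smith", True),
]


def login_attempts(records):
    """Group POSTs to the login endpoint by source address."""
    per_src = defaultdict(list)
    for t, src, _dst, method, uri, status, user, cookie in records:
        if method == "POST" and uri == LOGIN_URI:
            per_src[src].append((t, status, user, cookie))
    return per_src


def detect_stuffing(records, min_failures=5, window_s=60.0):
    """Flag sources with >= min_failures failed logins inside window_s seconds.

    Many distinct usernames in the burst points to credential stuffing (leaked
    user/password pairs); few usernames points to password guessing. For each
    flagged source, report the first later 2xx login that set a session cookie.
    """
    findings = []
    for src, attempts in login_attempts(records).items():
        attempts.sort()
        fails = [(t, u) for t, s, u, _c in attempts if not 200 <= s < 300]
        for i, (t0, _u0) in enumerate(fails):
            burst = [f for f in fails[i:] if f[0] - t0 <= window_s]
            if len(burst) < min_failures:
                continue
            users = {u for _t, u in burst}
            kind = ("credential stuffing (many distinct users)"
                    if len(users) > len(burst) / 2 else "password guessing (few users)")
            success = next(((t, u) for t, s, u, c in attempts
                            if t > t0 and 200 <= s < 300 and c), None)
            findings.append({"src": src, "failures": len(burst), "distinct_users": len(users),
                             "kind": kind, "success": success})
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(SAMPLE_HTTP):
        print(f"{f['src']}: {f['failures']} failures, {f['distinct_users']} users -> {f['kind']}")
        if f["success"]:
            print(f"  first successful login at t={f['success'][0]}s as {f['success'][1]}")
```

To feed it real data, export the HTTP requests and matching responses from Wireshark (File > Export Packet Dissections, or tshark with the http.request.method, http.request.uri, http.response.code and http.set_cookie fields) and map them onto the same tuple shape. The single failed login from 10.0.0.5 in the sample never reaches the threshold, which is the behaviour you want: a user mistyping a password once is not an incident.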

finding a successful authentication

After authenticating, the attacker targets the API to exploit the vulnerability. In the traffic we can see an upload of rce_api_extension.zip, which enables remote code execution. Later this zip file will be deleted to remove unnecessary traces.

finding the api abuse after the authentication
attacker uploaded a zip file to abuse the api

Following the upload, we can observe commands executed on the server. The attacker reads /etc/passwd and runs whoami. In the output we see access to sensitive system information.

reading the passwd file
the attacker assessing his privileges

During a forensic investigation you should extract the uploaded files from the capture or request the original file from the source system (if available). Analyzing the uploaded code is essential to understand the artifact of compromise and to find indicators of lateral movement or backdoors.

Persistence

After initial control, attackers typically establish persistence. In this incident, all attacker activity is over HTTP, so we follow subsequent HTTP requests to find persistence mechanisms.

the attacker establishes persistence with pastes.io

The attacker downloads a script hosted on a paste service (pastes.io), named bx6gcr0et8, which then retrieves another snippet hffgra4unv, appending its output to /home/ubuntu/.ssh/authorized_keys when executed. The attacker restarts SSH to apply the new key.

reading the bash script used to establish persistence

A few lines below we can see that the first script was executed via bash, completing the persistence setup.

the persistence script is executed

Appending keys to authorized_keys allows SSH access for the attacker’s key pair and doesn’t require a password. It’s a stealthy persistence technique that avoids adding new files that antivirus might flag. In this case the attacker relied on built-in Linux mechanisms rather than installing malware.

When you find modifications to authorized_keys, pull the exact key material from the capture and compare it with known attacker keys or with subsequent SSH connection fingerprints. That helps attribute later logins to this initial persistence action.
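Comparing key material is easier with fingerprints than with raw base64. The following added example (not from the article) parses authorized_keys lines, including the form with forced-command options in front of the key, computes the same SHA256 fingerprint that ssh-keygen -lf prints, and cross-checks the declared key type against the type encoded inside the blob, so a key pulled from the pasted script can be matched against fingerprints seen in later SSH sessions. The key is a constructed ed25519 blob built from 32 arbitrary bytes, not a key from this incident, and the known-attacker set is whatever fingerprints you already hold from other evidence.

```python
"""Parse authorized_keys lines and compute ssh-keygen style SHA256 fingerprints
so keys pulled from a capture can be matched against later SSH sessions."""
import base64
import hashlib
import shlex
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed key: a syntactically valid ssh-ed25519 blob whose 32 key bytes are
# simply 0..31. It is not a real key and not the key from this incident.
FAKE_ED25519_BLOB = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()

# Constructed authorized_keys content; the second line carries forced-command options.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not from the incident
ssh-ed25519 {FAKE_ED25519_BLOB} ubuntu@host
command="/usr/bin/true",no-pty ssh-ed25519 {FAKE_ED25519_BLOB} pasted-by-script
"""


def parse_authorized_keys(text):
    """Return dicts with type, blob, comment and options for each key line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted option values together
        idx = next((i for i, tok in enumerate(tokens) if tok in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # not a key line we understand
        entries.append({
            "type": tokens[idx],
            "blob": tokens[idx + 1],
            "comment": " ".join(tokens[idx + 2:]) or None,
            "options": " ".join(tokens[:idx]) or None,
        })
    return entries


def fingerprint(blob_b64):
    """ssh-keygen -lf style fingerprint: SHA256 of the raw blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_type(blob_b64):
    """Key type encoded inside the blob; it must match the declared type on the line."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def review_keys(text, known_attacker_fingerprints):
    """Fingerprint every key and note type mismatches and matches with known attacker keys."""
    findings = []
    for e in parse_authorized_keys(text):
        fp = fingerprint(e["blob"])
        issues = []
        if blob_type(e["blob"]) != e["type"]:
            issues.append("declared type does not match blob")
        if fp in known_attacker_fingerprints:
            issues.append("matches known attacker key")
        findings.append({**e, "fingerprint": fp, "issues": issues})
    return findings


if __name__ == "__main__":
    # Pretend the fingerprint of the pasted key was already recovered from another artifact.
    known = {fingerprint(FAKE_ED25519_BLOB)}
    for k in review_keys(SAMPLE_AUTHORIZED_KEYS, known):
        print(f"{k['type']} {k['fingerprint']} {k['comment']} options={k['options']} issues={k['issues']}")
```

The fingerprint depends only on the blob, so the same key with a different comment or with options prepended still matches, which is exactly what you need when the attacker's script and a later session present the key differently. Running `ssh-keygen -lf` on the extracted file should print the same SHA256 value.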

MITRE SSH Authorized Keys information

Post-Exploitation

Further examination of the pcap shows the server reaching out to Ubuntu repositories to download a .deb package that contains Nmap.

attacker downloads a deb file with nmap

Shortly after SSH access is obtained, we see traffic from a second IP address, 95.181.232.30, connecting over port 22. Correlating timestamps shows the command to download the .deb package was issued from that SSH session. Once Nmap is present, the attacker performs a port scan of 34.207.150.13.

attacker performs nmap scan

This sequence (adding an SSH key, then using SSH to install reconnaissance tools and scan other hosts) fits a common post-exploitation pattern. Attackers establish persistent access, stage tools, and then enumerate the network for lateral movement opportunities.

During forensic investigations, save the sequence of timestamps that link file downloads, package installation, and scanning activity. Those correlations are important for incident timelines and for identifying which sessions performed which actions.

Timeline

At the start, the attacker attempted credential stuffing against the management server. Successful login occurred with the credentials seb.broom / g0vernm3nt. After authentication, the attacker exploited CVE-2022-25237 in Bonita Web 2021.2 to reach privileged API endpoints and uploaded rce_api_extension.zip. They then executed commands such as whoami and cat /etc/passwd to confirm privileges and enumerate users.

The attacker removed rce_api_extension.zip from the web server to reduce obvious traces. Using pastes.io from IP 138.199.59.221, the attacker executed a bash script that appended data to /home/ubuntu/.ssh/authorized_keys, enabling SSH persistence (MITRE ATT&CK: SSH Authorized Keys, T1098.004). Shortly after persistence was established, an SSH connection from 95.181.232.30 issued commands to download a .deb package containing Nmap. The attacker used Nmap to scan 34.207.150.13 and then terminated the SSH session.

Conclusion

During our network forensics exercise we saw how packet captures and IDS/IPS logs can reveal the flow of a compromise, from credential stuffing, through exploitation of a web-application vulnerability, to command execution and persistence via SSH keys. We practiced using Wireshark to trace HTTP streams, observed credential stuffing in action, and followed the attacker’s persistence mechanism.

Although our class focused on analysis, in real incidents you should always preserve originals and record every artifact with exact timestamps. Create cryptographic hashes of artifacts, maintain a chain of custody, and work only on copies. These steps protect the integrity of evidence and are essential if the incident leads to legal action.

For those of you interested in deepening your digital forensics skills, we will be running a practical SCADA forensics course soon in November. This intensive, hands-on course teaches forensic techniques specific to Industrial Control Systems and SCADA environments, showing you how to collect and preserve evidence from PLCs, RTUs, HMIs and engineering workstations, reconstruct attack chains, and identify indicators of compromise in OT networks. Its focus on real-world labs and breach simulations builds practical OT/SCADA skills, which are rare and highly valued, so completing a course like this is definitely going to make your CV stand out.

We also offer digital forensics services for organizations and individuals. Contact us to discuss your case and which services suit your needs.

Learn more: https://hackersarise.thinkific.com/courses/scada-forensics

The post Network Forensics: Analyzing a Server Compromise (CVE-2022-25237) first appeared on Hackers Arise.

Digital Forensics: Investigating a Ransomware Attack

9 October 2025 at 09:46

Welcome back, aspiring forensic investigators!

We continue our practical series on digital forensics and will look at the memory dump of a Windows machine after a ransomware attack. Ransomware incidents are common, although they may not always be the most profitable attacks because they require a lot of effort and stealth. Some operations take months of hard work and sleepless nights and still never pay off. Many attackers prefer to steal data and sell it on the dark web. Such data sells well and quickly. State-sponsored APTs act similarly. Their goal is to stay silent and extract as much intelligence as possible.

Today, a thousand unique entries of private information of Russian citizens cost about $100. That’s cheap. But it also shows how effective Ukrainian and foreign hackers are against Russia. All this raises demand for digital forensics and incident response, since fines for data leaks can be enormous. Fines are not the only threat, though. Reputation damage is critical. If your competitor has never (at least not yet) experienced a data breach while yours went public, trust in your company will start crumbling and customers will be inclined to use your competitors’ services. An even worse scenario is a ransomware attack that locks down much of your organization and wipes out your backups. Paying the attackers gives no guarantee of recovering your data, and some companies never manage to recover at all.

So let’s investigate one of those attacks and learn something new to stay sharp.

Memory Analysis

It all begins with a memory dump. Here we already have a memory dump file of an infected machine that we are going to inspect.

showing the memory dump after a ransomware attack

Installing Volatility

On our Kali machine we created a new Python virtual environment for Volatility. Keeping separate environments is good practice because it prevents tools from interfering with other dependencies. Sometimes installing one tool can break another. Here is how you do it:

bash$ > python3 -m venv env_name

bash$ > source env_name/bin/activate

Now we are ready to install Volatility in this environment:

bash$ > pip3 install volatility3

installing Volatility 3

It is also good practice to record the exact versions of Volatility and Python you used (for example, pip3 show volatility3 and python3 --version). Memory forensics tools change over time and some plugins behave slightly differently between releases. Recording versions makes your work reproducible later.

Image Information

One of the first things we look at after receiving a memory dump is the captured metadata. The Volatility 3 command is simple:

bash$ > vol -f infected.vmem windows.info

getting the image info and metadata with Volatility 3

When you run windows.info, inspect the OS build, memory size, and timestamps shown by the capture tool. That OS build value helps Volatility pick the correct symbol tables. Incorrect symbols can cause missing or malformed output. This is especially important if you are working with Volatility 2. Also confirm the capture method and metadata such as who made the capture, when, and whether the capture was acquired after isolating the machine. Recording this chain-of-custody metadata is a small step that greatly strengthens any forensic report.

Processes

The goal of the memory dump is to preserve processes, injections, and shellcode before they disappear after a reboot. That means we need to focus on the processes that existed at capture time. Let’s list them all:

bash$ > vol -f infected.vmem windows.pslist

listing the processes on the image with volatility 3

Suspicious processes are not always easy to spot. It depends on the attacker’s tactics. Ransomware processes, unlike persistence mechanisms, are often obvious because attackers tend to pick violent or alarming names for encryptors. But that’s not always the case, so let’s give our image a closer look.

finding the ransomware process

Among other processes, a ransomware process sticks out. You may also notice or4qtckT.exe and other processes with unknown names. Random executable names are not definitive proof of maliciousness, but they’re a reliable starting point for closer inspection. Some legitimate software may also generate processes with random names, for example, Dr.Web, a Russian antivirus.

When a process name looks random, check several things: the process parent, the process start time (did it start right before the incident?), open network sockets, loaded DLLs, and whether the executable exists on disk or only in memory. Processes that only exist in the RAM image (no matching file on disk) often indicate in-memory unpacking or fileless behavior. These are important signals in malware analysis. Use plugins like windows.psscan (process scan) to find processes that pslist might miss and windows.pstree to visualize parent/child relationships. Also check windows.dlllist to see suspicious DLLs loaded into a process. Injected code often pulls suspicious DLL names or shows unnatural memory protections on executable pages.

Parent Relationships

Once you find malware, your next step is to find its parent. A parent is the process that launches another process. This is how you unravel the attack by going back in the timeline. windows.pslist has two important columns: PID (process ID) and PPID (parent process ID). The parent of WanaDecryptor has PID 2732. We can quickly search and find it.

finding the parent of the ransomware process with volatility 3

Now we know that the process with a random name or4qtckT.exe initiated WanaDecryptor. As it might not be the only process initiated by that parent, let’s grep its PID and find out:

bash$ > vol -f infected.vmem windows.psscan | grep 2732

finding other processes initiated by the parent

The parent process can show how the attacker entered the machine. It might be a user process opened by a phishing email, a scheduled task that ran at an odd hour, or a system service that got abused. Tracing parents helps you decide whether this was an interactive compromise (an attacker manually ran something) or an automated spread. If you see network-facing services as parents or child processes that match known service names (for example, svchost.exe variants), dig deeper. Some ransomware uses service abuse, scheduled tasks, or built-in Windows mechanisms to reach higher privileges or persistence.

Handles

In Windows forensics, when we say we are β€œviewing the handles of a process,” we mean examining the internal references that a process has opened to system resources. A handle in Windows is essentially a unique identifier (a number) that a process uses to access an operating system object. Processes do not work directly with raw resources like files, registry keys, threads, or network connections. Instead, when a process needs access to something, it asks Windows to open that object, and Windows returns a handle. That handle acts like a ticket which the process can use to interact with the object safely.

bash$ > vol -f infected.vmem windows.handles --pid 2732

listing handles used by the malware in volatility 3

First, we see a user (hacker) directory. That should be noted for further analysis, because user directories contain useful evidence in NTUSER.DAT and USRCLASS.DAT. These objects can be accessed after a full disk capture and will include thorough information about shares, directories, and objects the user accessed.

Inspecting the handles, we found a .eky file that was used to encrypt the system.

finding .eky file used to encrypt the system

This .eky file contains the secret the attacker needed to lock files on the system. These keys are brought from the outside and are not native system objects. Obtaining this key does not guarantee successful decryption. It depends on what kind of key file it is and how it was protected.

When you find cryptographic artifacts in handles, copy the file bytes, if possible, and get the hashes (SHA-256) before touching them. Export them into an isolated analysis workstation. Then compare the artifact to public resources and sandbox reports. Not every key-like file is the private key you need to decrypt. Sometimes attackers include only a portion or an encrypted container that requires an additional password or remote secret. Public repositories and collective projects (for example, NoMoreRansom and vendor decryptors) may already have decryption tools for some ransomware families, so check there before calling data irrecoverable.

Command Line

Now let’s inspect the command lines of the processes. Listing all command lines gives you more visibility to spot malicious behavior:

bash$ > vol -f infected.vmem windows.cmdline

listing the command line of the processes with volatility 3

You can also narrow it down to the needed PIDs or file names:

bash$ > vol -f infected.vmem windows.cmdline | grep or4

listing the command line of the malware

We can now see where the attack originated. After a successful compromise of a system or a domain, the attacker brought their malware to the system and encrypted its files with their own keys.

The command line often contains the exact flags or network locations the attacker used (for example, -server 192.168.x.x or a path to an unpacker). Attackers sometimes use command-line switches to hide behavior, choose a configuration file, or provide a URL to download further payloads. If you can capture the command line, you often capture the attacker’s intent in plain text, which is invaluable evidence. Also check process environment variables, if those are available, because they might contain temporary filenames, credentials, or proxy settings the malware used.

Getting Hashes

Obviously the investigation does not stop here. You need to extract the file from memory, calculate its hash, and inspect how the malware behaves on AnyRun, VirusTotal, and other platforms. To extract the malware we first need to find its address in memory:

bash$ > vol -f infected.vmem windows.filescan | grep -i or4qtckT

Let’s pick the second hit and extract it now:

bash$ > vol -f infected.vmem windows.dumpfiles --physaddr 0x1fcaf798

extracting the malware from the memory for later analysis

The ImageSection dump (.img) usually looks like the program that was running in memory. It can include changes made while the program was loaded, such as unpacked code or adjusted memory addresses. The DataSection dump (.dat), on the other hand, shows what the file looks like on disk, or at least part of it. That’s why there are two dumps with the same name: Volatility detected both the in-memory version and the on-disk version of or4qtckT.exe.

Next we generate the hash of the DataSectionObject and look it up on VirusTotal:

bash$ > sha256sum file.0x1fcaf798.0x85553db8.DataSectionObject.or4qtckT.exe.dat

getting the file hash

We recommend using robust hashing (SHA-256 instead of MD5) to avoid collision issues.

running the hash in VirusTotal

For more information, go to Hybrid Analysis to get a detailed report on the malware’s capabilities.

Hybrid Analysis report of the WannaDecryptor

Platforms such as VirusTotal, AnyRun, Hybrid Analysis and Joe Sandbox produce behavioral reports, network traffic captures, and dropped files that help you map capabilities like network C2, persistence techniques, and whether the sample attempts to self-propagate. In our case, this sample has been found in online sandbox reports and is flagged with ransomware/WannaCry-like behavior. Sandbox summaries showed malicious activity consistent with file encryption and automated spread. When reading sandbox output, focus on three things: dropped files, outbound connections, and any use of legacy Windows features (SMB, WMI, PsExec) to move laterally.

Practical next steps for the investigator

First, preserve the memory image and any extracted files exactly as you found them. Do not run suspicious samples on your analysis workstation unless it is fully isolated. Second, gather network indicators (IP addresses, domain names) and add them to your blocklists and detection rules. Third, check for related persistence mechanisms on disk and in registry hives, if you have the disk image. Scheduled tasks, HKLM\Software\Microsoft\Windows\CurrentVersion\Run entries, service modifications, and driver loads are common. Fourth, feed the sample hash and any dropped files into public repositories and vendor sandboxes. These can help you find other victims and understand the campaign’s breadth. Finally, document everything, every command and every timestamp, so you can later show how the evidence was acquired, processed, and analyzed. For memory-specific checks, run Volatility plugins such as malfind (detect injection), ldrmodules (module loads), dlllist, netscan (network sockets), and registry plugins to inspect in-memory registry hives.
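The preservation steps above (hash every extracted artifact with SHA-256 before touching it, record the Volatility and Python versions, and document what was acquired when) can be turned into a manifest you write once and re-verify later. This script is an added example, not code from the post or from Volatility; the DataSectionObject file name comes from the post, while the ImageSectionObject name, both file contents and the manifest layout are constructed.

```python
"""Hash extracted artifacts and write a chain-of-custody manifest.
Added example, not code from the post. The DataSectionObject name comes
from the post; the ImageSectionObject name and both file contents are
constructed. Manifest layout is our own, not a Volatility feature."""
import hashlib, json, sys, tempfile
from datetime import datetime, timezone
from importlib import metadata
from pathlib import Path

def tool_versions():
    """Interpreter and Volatility versions, so the run can be reproduced."""
    try:
        vol = metadata.version("volatility3")
    except metadata.PackageNotFoundError:
        vol = "not installed"
    return {"python": sys.version.split()[0], "volatility3": vol}

def sha256_file(path):
    """Stream the file so large dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, source_image):
    """One record per artifact plus when, from what, and with which tools."""
    return {"source_image": source_image,
            "hashed_utc": datetime.now(timezone.utc).isoformat(),
            "tools": tool_versions(),
            "artifacts": [{"name": p.name, "size": p.stat().st_size,
                           "sha256": sha256_file(p)} for p in paths]}

def verify_manifest(manifest, directory):
    """Names whose current hash differs from the recorded one (altered files)."""
    return [a["name"] for a in manifest["artifacts"]
            if sha256_file(Path(directory) / a["name"]) != a["sha256"]]

def demo():
    """Write two constructed dumpfiles outputs to a temp dir and manifest them."""
    work = Path(tempfile.mkdtemp(prefix="vol_artifacts_"))
    img = work / "file.0x1fcaf798.0xCONSTRUCTED.ImageSectionObject.or4qtckT.exe.img"
    dat = work / "file.0x1fcaf798.0x85553db8.DataSectionObject.or4qtckT.exe.dat"
    img.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed in-memory image")
    dat.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed on-disk copy")
    manifest = build_manifest([img, dat], "infected.vmem")
    (work / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest, str(work)

if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```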

Summary

Think of memory as the attacker’s black box. It often holds the fleeting traces disk images miss, things like unpacked code, live network sockets, and cryptographic keys. Prioritizing memory first allows you to catch those traces before they’re gone. Volatility can help you list running processes, trace parent–child chains, and inspect handles and command lines. You can also dump in-memory binaries and use them as artifacts for a more thorough analysis. Submitting these artifacts to sandboxes will give you a clear picture of what happened on your network, along with valuable IOCs and the techniques used, so you can prevent a repeat of the attack. As a forensic analyst you are required to preserve the image intact, work with suspicious files in an isolated lab, and write down every command and timestamp to keep the chain of custody reliable and actions repeatable.

If you need forensic assistance, we offer professional services to help investigate and mitigate incidents. Additionally, we provide classes on digital forensics for those looking to expand their skills and understanding in this field.

For more Memory Forensics, check out our upcoming Memory Forensics class.

The post Digital Forensics: Investigating a Ransomware Attack first appeared on Hackers Arise.
