
Bitcoin Price Slumps 6% in Two Days, Briefly Falls Below $90,000

20 January 2026 at 10:28

Bitcoin Magazine


Bitcoin price fell sharply over the past 36 hours, sliding more than 5% over that time and briefly dipping below $90,000 early Tuesday as macroeconomic uncertainty and renewed scrutiny of corporate bitcoin treasuries weighed on the market.

The world’s largest cryptocurrency was trading near $95,500 on Sunday night but fell to around $89,800 by Tuesday morning, extending losses that began with a violent sell-off late Saturday and continued through Sunday evening and Monday morning.

The move erased nearly $5,700 from bitcoin’s price in less than two days, according to Bitcoin Magazine Pro data.

The initial leg lower came Sunday night, when the bitcoin price plunged nearly $4,000 in a two-hour window amid heavy selling across crypto markets. 

Around 6 p.m. EST, a wave of liquidation-driven selling hit derivatives markets, wiping out more than $500 million in leveraged long positions in roughly an hour, with total crypto long liquidations topping $525 million during the period.

Tariff drama 

The sell-off coincided with heightened macro uncertainty after U.S. President Donald Trump announced plans to impose sweeping new tariffs on European nations beginning February 1. 

Under the proposal, a 10% tariff would apply to goods from eight countries — Denmark, Norway, Sweden, France, Germany, the United Kingdom, the Netherlands and Finland — rising to 25% by June 1 if no agreement is reached. 

Trump tied the measures to U.S. efforts to secure Greenland, further escalating transatlantic tensions.

European leaders pushed back strongly, warning the tariff threats could trigger a “dangerous downward spiral.”

All this is happening as gold surges to a new all-time high near $4,750, underscoring a flight toward traditional safe-haven assets as risk markets sold off. This flight hasn’t been reflected in the bitcoin price.

Adding to uncertainty, the U.S. Supreme Court is expected to rule on whether Trump had the authority to impose broad tariffs under emergency powers. 

The case centers on the use of the International Emergency Economic Powers Act (IEEPA) to declare trade deficits a national emergency. 

A ruling against the administration could force the government to refund more than $100 billion in tariffs already collected, potentially disrupting budget and defense funding assumptions.

Corporations affecting the bitcoin price

On-chain data shows GameStop allegedly transferring a total of 2,396 BTC to Coinbase Prime in January, including 100 BTC on Jan. 17 and 2,296 BTC on Jan. 20.

The transfers represent roughly 51% of the company’s original 4,710 BTC holdings, sparking speculation that the meme-stock retailer may be preparing to sell part of its bitcoin position.

GameStop added bitcoin to its corporate treasury in mid-2025, purchasing 4,710 BTC during a brief window in May at an average price near $106,000 per coin. 

While transfers to brokerage wallets are often interpreted as potential selling signals, the company has made no official announcement confirming a sale.

In contrast, Strategy (MSTR), the world’s largest publicly traded corporate bitcoin holder, continued to buy aggressively last week.

The company disclosed the purchase of 22,305 BTC for approximately $2.13 billion at an average price of $95,284 per bitcoin. As of Jan. 19, Strategy holds 709,715 BTC acquired at an average price of $75,979, representing more than 3% of bitcoin’s circulating supply.

Despite the accumulation, Strategy shares fell about 7% in early trading as the bitcoin price slid below $90,000, highlighting the growing sensitivity of bitcoin-exposed equities to short-term price moves.

The bitcoin price is trading at $90,252, down 3% over the past 24 hours on $45 billion in volume, leaving it about 3% below its seven-day high of $93,302. 

The network’s market capitalization stands at roughly $1.8 trillion, with 19.98 million BTC in circulation out of a capped supply of 21 million.


This post Bitcoin Price Slumps 6% in Two Days, Briefly Falls Below $90,000 first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

This forgotten Hulu sci-fi thriller is the perfect follow-up to The Rip

17 January 2026 at 09:30

Picture this: You just experienced Matt Damon and Ben Affleck reuniting in The Rip. The adrenaline is pumping, the heart is racing, and you’re ready to watch another movie. While there’s never a bad time to watch a classic like Good Will Hunting, you’re probably looking for some more action.

Bitcoin Price Climbs Above $97,000 on $1.7B ETF Inflow Surge

15 January 2026 at 09:26

Bitcoin Magazine


The bitcoin price surged above $97,000 this week, marking its strongest level in more than two months, on a mix of economic news and renewed inflows into U.S. spot Bitcoin exchange-traded funds (ETFs).

Crypto investors appear to be kicking off 2026 with a familiar playbook: allocating heavily to Bitcoin ETFs. 

On Tuesday, the dozen U.S.-listed spot Bitcoin funds recorded roughly $760 million in net inflows, the largest single-day total since October. Fidelity’s Wise Origin Bitcoin Fund (FBTC) led the pack, absorbing about $351 million, while Bitwise’s BITB and BlackRock’s iShares Bitcoin Trust (IBIT) also posted strong gains.

The momentum accelerated on Wednesday. Data from SoSoValue shows spot Bitcoin ETFs took in another $843.6 million, extending the positive streak to three consecutive days and bringing total inflows over that period to approximately $1.71 billion. 

Eight of the 12 funds reported net inflows, with BlackRock’s IBIT alone drawing in $648 million, underscoring its dominance among institutional allocators.

Bitcoin’s price action reflected that renewed interest. After spending much of November and December trading below $92,000, BTC broke decisively higher this week, reclaiming the $94,000–$97,000 range and pushing toward $100,000. 

The move triggered roughly $700 million in short liquidations, amplifying volatility and accelerating the rally, according to Bitcoin Magazine Data.

ETF flows have become a key barometer of institutional sentiment since spot products launched in early 2024. While cumulative inflows reached more than $56 billion by mid-January, flows turned negative in late December amid typical year-end caution. 

The sharp reversal this week suggests investors are once again viewing Bitcoin as both a growth asset and a diversification tool, and that renewed demand is reflected in the rising bitcoin price.

Economic conditions affecting the bitcoin price

Macro conditions have also played a role. A softer-than-expected U.S. Consumer Price Index (CPI) reading released on January 13 eased fears of further aggressive monetary tightening, lifting “risk-on” sentiment.

At the same time, escalating geopolitical tensions and political uncertainty in the U.S. have boosted interest in alternative stores of value, including bitcoin.

Still, volatility risks remain. Markets are closely watching a potential U.S. Supreme Court ruling on President Donald Trump’s tariffs, which could inject fresh uncertainty into global trade and financial markets. 

At the time of writing, Bitcoin price is trading at $97,046, up 2% over the past 24 hours, with roughly $67 billion in daily trading volume. 

The asset is sitting about 1% below its seven-day high of $97,705 and 2% above its seven-day low of $95,318. Bitcoin’s circulating supply stands at 19.98 million BTC, giving it a total market capitalization of approximately $1.94 trillion, also up 2% on the day.


This post Bitcoin Price Climbs Above $97,000 on $1.7B ETF Inflow Surge first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Bitcoin Price Explodes Past $97,000 as Traders Set Sights on $100,000 

14 January 2026 at 12:06

Bitcoin Magazine


The bitcoin price continued its strong run this week, breaking out of a multi‑week trading range and climbing well above key psychological levels as market participants digest macroeconomic data and new institutional interest.

The bitcoin price hit an eight-week high and triggered roughly $700 million in short liquidations, per Bitcoin Magazine Data. Polymarket now estimates a 73% chance that Bitcoin will reach $100K in January.

After trading relatively sideways in or below the low $90,000s for the last two months, the bitcoin price began gaining traction over the weekend, ultimately surging above $97,000 at the time of writing. This is its best level in more than two months.

The rally, which has persisted through January 14, reflects a convergence of technical, macro, and sentiment drivers that have reignited bullish conviction across crypto markets.

This short squeeze helped propel the Bitcoin price through resistance and toward fresh highs, triggering liquidations of speculative short bets and amplifying volatility.

Technically, Bitcoin’s reclaim of the $94,000–$96,000 zone has been widely interpreted as a breakout from its recent consolidation range. 

Macro economic signals that are fueling bitcoin

The timing of Bitcoin’s rally coincides with some pivotal economic developments. 

The U.S. Consumer Price Index (CPI) report released on January 13 showed inflation moderating — a result that eased fears of further aggressive monetary tightening and boosted “risk‑on” sentiment (think bitcoin) in global markets. 

While stocks and traditional risk assets reacted modestly, Bitcoin’s sensitivity to macro cues was evident as investors sought alternative stores of value and growth exposure. Stable inflation numbers have also alleviated concerns about elevated real yields, which historically challenge non‑yielding assets like Bitcoin. 

With inflation more contained than feared, traders and investors appear more willing to allocate capital to crypto, further underpinning the rally.

Another notable development in the world is the ongoing unrest in Iran that has intensified this week as nationwide protests against economic collapse and government repression raged amid a near‑total internet blackout, with authorities signaling fast‑track trials and possible executions of detainees. 

The crisis has amplified geopolitical risk, driving traditional markets into safe‑haven assets and sparking heightened volatility. 

In digital markets, Bitcoin has shown resilience and renewed investor interest, with BTC climbing despite broader risk‑off sentiment. 

Also this week, the Department of Justice opened a criminal investigation into Federal Reserve Chair Jerome Powell, sending ripples through markets — including Bitcoin.

The investigation stems from Powell’s June 2025 testimony on a $2.5 billion Fed building renovation; Powell says the probe is politically motivated amid pressure from the Trump administration over interest rates.

The escalating feud between the White House and the Fed has shaken U.S. markets, boosting safe‑haven assets like gold and bitcoin.

New institutional demand is boosting the bitcoin price

Beyond technical factors and macroeconomic data, institutional demand has resurfaced as a credible driver of bullish momentum. 

Spot Bitcoin ETFs recorded notable inflows over the past days — with figures suggesting the largest net inflows since late 2025 — signaling renewed interest from long‑term capital allocators and financial advisors.

Additionally, major corporate Bitcoin holders have contributed to the narrative. Strategy Inc., a widely followed holder of Bitcoin, announced a massive $1.3 billion acquisition of BTC in the days leading up to the price surge. 

What comes next for bitcoin price 

Despite the strong advance, there is strong resistance near the $97,000–$100,000 range that may pose a test for bulls, per Bitcoin Magazine Data. 

The market’s ability to hold these gains and continue absorbing inflows will be critical in determining whether the Bitcoin price can extend this rally further into the weekend and further into 2026.

Market sentiment — often measured by metrics like the Fear & Greed Index — is climbing away from extreme fear and toward more optimistic territory, though it has not yet reached levels typically associated with blow‑off tops.

At the time of writing, the bitcoin price is near $97,200, up over 4% in the last 24 hours.


This post Bitcoin Price Explodes Past $97,000 as Traders Set Sights on $100,000 first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

PowerShell For Hackers, Part 10: Timeroasting Users

10 January 2026 at 10:59

Welcome back, aspiring cyberwarriors!

We continue our PowerShell for Hackers series with another article that shows how PowerShell can be used during real pentests and purple team engagements. Today we are going to explore an attack called Timeroasting. However, instead of focusing only on computers, we will look at how a modified script can be used to abuse user accounts as well. The final result of this technique is a user hash that is already formatted to be cracked with hashcat.

Before we go any deeper, there is something important to clarify. This attack relies on modifying properties of user accounts inside Active Directory. That means you must already have domain administrator privileges. Normally, when an attacker compromises a domain admin account, the game is over for the organization. That account gives unrestricted control over the domain. But even with that level of privilege, there are still times when you may want credentials for a specific domain user, and you do not want to trigger obvious high-risk actions.

Defenders can monitor techniques such as dumping NTDS, extracting LSASS memory, or performing DCSync. There are situations where those methods are either blocked, monitored, or simply not ideal. The script we are discussing today exists exactly for such cases. It helps retrieve hashes in a way that may blend more quietly into normal domain behavior.

Timeroasting

You may be wondering what Timeroasting actually is. Timeroasting is a technique originally designed to obtain hashes from domain computers rather than users. It abuses a weakness in how certain computer and trust accounts store passwords in Active Directory. These machine passwords are then used to compute MS-SNTP authentication material, which attackers can collect and later attempt to crack offline. Normally, computer accounts in a domain have very long, randomly generated passwords. Because of that complexity, cracking them is usually impractical. However, this was not always the case. Older systems, including so-called “Pre-Windows 2000 Computers,” sometimes stored weak or predictable passwords. These legacy systems are what made Timeroasting especially interesting.

The attack was originally discovered and documented by Tom Tervoort from Secura. He showed how weak computer or trust account passwords in Active Directory could be exploited. For example, if a computer account had enough rights to perform DCSync, and its password was weak enough, you might even use the computer name itself as the password during attacks such as DCSync. The problem is that for modern systems, machine passwords are long and complex. Running those hashes through even powerful wordlists can take a very long time and still fail. That is why the use of the original Timeroasting attack was quite limited.

This limitation was addressed by Giulio Pierantoni, who took the original idea and upgraded it. He demonstrated that domain user accounts could also be abused in a similar way, which significantly changes the value and use-cases of this attack.

Targeted Timeroasting

Giulio Pierantoni called this technique “Targeted Timeroasting,” similar in spirit to Targeted Kerberoasting and AS-REP Roasting. Since domain administrators can modify attributes of user accounts, a user account can be temporarily converted into something that looks like a domain machine account, and the domain controller can then be convinced to treat it as such and return a hash for it. In other words, the domain controller believes the account is a computer, and therefore exposes authentication material normally associated with machine accounts, except now it belongs to a human user.

Every Active Directory user object has a field called sAMAccountType. This field defines what kind of account it is. Under normal circumstances, regular users and machine accounts have different values. For example, a normal user account belongs to the SAM_NORMAL_USER_ACCOUNT category, while a machine account belongs to SAM_MACHINE_ACCOUNT.

[Image: account properties in Active Directory]

Although you cannot directly modify this field, there is another attribute called userAccountControl. This is a set of flags that determines the characteristics of the account. Some of these flags correspond to workstations, servers, or domain controllers. When the userAccountControl value is changed to the flag representing a workstation trust account, the sAMAccountType attribute is automatically updated. The domain controller then believes it is dealing with a machine account.

Under normal security rules, you are not supposed to be able to convert one type of account into another. However, domain administrators are exempt from this limitation. That is exactly what makes Targeted Timeroasting possible. This technique cannot be executed by unprivileged users and is therefore different from things like Targeted Kerberoasting, AS-REP roasting, shadow credentials, or ESC14.

[Image: Microsoft requirements for user account modifications]

Before the hash is computed, the domain controller also checks that the sAMAccountName ends with a dollar sign. For domain administrators, changing this is trivial unless another account with the same name already exists. Once the userAccountControl and sAMAccountName values have been modified, the controller is willing to hand out the MS-SNTP hash for the account to anyone who asks appropriately.

There is one important operational warning shared by Giulio Pierantoni. When a user account is converted into a workstation trust account, that user will lose the ability to log into workstations. However, this does not affect existing active sessions. If you immediately revert the attributes after extracting the hash, the user will likely never notice anything happening.

[Image: logging in as a modified user that is now a machine account]

Exploitation

A rough proof-of-concept script was created by modifying Jacopo Scannella’s original PowerShell Timeroasting script. The script is now available on GitHub.

To use it, you need to be a domain administrator running from a domain-joined system that already has the Active Directory PowerShell module installed.

The script works in several logical steps. It first retrieves important attributes such as the objectSid and userAccountControl values for the target account. Then it changes the userAccountControl attribute so that the account is treated as a workstation trust account. After that, it appends a dollar sign to the sAMAccountName, making the user look like a machine account. Once the attributes are updated, the script extracts the RID, sends a client MS-SNTP request to the domain controller, and retrieves the resulting hash from the response. Finally, it restores all the original values so that nothing appears out of the ordinary.

When observed in packet captures, the whole exchange looks like a simple NTP transaction. There is a request containing the RID and a response containing a signature generated from the NT hash of the account. The salt is also drawn from the NTP response packet.

[Image: analyzing traffic during a Timeroast attack]

The author of the modified script provided two usage modes. One mode allows you to target specific users individually. Another mode allows you to abuse every user in a supplied list.

To target a specific user, you would normally run:

PS > .\TargetedTimeroast.ps1 -domainController IP -v -victim USERNAME

[Image: Timeroasting a user]

If you want to target multiple users at once, you prepare a list and run:

PS > .\TargetedTimeroast.ps1 -v -file .\users.txt -domainController IP

[Image: Timeroasting users]

Hashcat

Once you have collected the hashes you want, you can move to your Kali machine and begin cracking them with hashcat. It is recommended that you remove the RIDs from each hash to avoid issues during cracking. Your command will look like this:

$ sudo hashcat -a 0 -m 31300 hashes.txt dictionary.txt

If the password is weak or reused, you may recover it relatively quickly.

[Image: cracking hashes after Timeroasting]

Detection

Defenders should find this section important. Even though this attack requires domain administrator privileges, it should still be monitored, because insider threats or compromised admins do exist. There are several key behaviors that may indicate that Timeroasting or Targeted Timeroasting is taking place. One example is when a single host sends many MS-SNTP client requests, but those requests include different RIDs. Another example is when the RIDs in those requests belong to user accounts instead of normal computer accounts. You may also observe that the userAccountControl value of one or more user accounts changes from a normal user value to a workstation trust account value and then back again soon afterward. In addition, the sAMAccountName of a user account may briefly have a dollar sign added to the end.

These behaviors are unusual in normal environments. If they are monitored properly, attackers will have far fewer opportunities to exploit this weakness. Unfortunately, such monitoring is quite rare in many organizations.
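The indicators above can be turned into concrete checks. The Python below is an added example written for this article, not the author’s script or anything from the original Timeroasting projects. It encodes the userAccountControl-to-sAMAccountType relationship described earlier (the values are the documented Microsoft constants) and runs three detections over constructed records: a user object whose derived account type flips to machine and back within a short window, a sAMAccountName that briefly gains a trailing dollar sign, and a single host issuing MS-SNTP requests for many different RIDs, some of which belong to user objects. The record layout, the SIDs, IPs and RIDs are assumptions standing in for whatever a SIEM would normalise from directory change auditing and NTP logging.

```python
"""Detection checks for Targeted Timeroasting indicators (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# userAccountControl flag bits (documented Microsoft values)
UAC_NORMAL_ACCOUNT = 0x0200
UAC_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000
UAC_SERVER_TRUST_ACCOUNT = 0x2000
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# sAMAccountType values the domain controller derives from those flags
SAM_NORMAL_USER_ACCOUNT = 0x30000000
SAM_MACHINE_ACCOUNT = 0x30000001
SAM_TRUST_ACCOUNT = 0x30000002


def sam_account_type_for(uac):
    """Return the sAMAccountType the DC assigns for a userAccountControl value."""
    if uac & UAC_INTERDOMAIN_TRUST_ACCOUNT:
        return SAM_TRUST_ACCOUNT
    if uac & (UAC_WORKSTATION_TRUST_ACCOUNT | UAC_SERVER_TRUST_ACCOUNT):
        return SAM_MACHINE_ACCOUNT
    return SAM_NORMAL_USER_ACCOUNT


# Constructed attribute-change records, keyed by object SID so a rename does not
# break correlation. SIDs are placeholders, not from any real domain.
ATTRIBUTE_CHANGES = [
    {"time": "2026-01-10T10:00:00", "sid": "S-1-5-21-EXAMPLE-1105", "attribute": "userAccountControl", "old": 512, "new": 4096},
    {"time": "2026-01-10T10:00:01", "sid": "S-1-5-21-EXAMPLE-1105", "attribute": "sAMAccountName", "old": "jsmith", "new": "jsmith$"},
    {"time": "2026-01-10T10:00:05", "sid": "S-1-5-21-EXAMPLE-1105", "attribute": "sAMAccountName", "old": "jsmith$", "new": "jsmith"},
    {"time": "2026-01-10T10:00:06", "sid": "S-1-5-21-EXAMPLE-1105", "attribute": "userAccountControl", "old": 4096, "new": 512},
    # Benign change for contrast: only DONT_EXPIRE_PASSWORD is added, the type stays "user".
    {"time": "2026-01-10T11:30:00", "sid": "S-1-5-21-EXAMPLE-1107", "attribute": "userAccountControl", "old": 512, "new": 512 | UAC_DONT_EXPIRE_PASSWORD},
]

# Constructed MS-SNTP authenticated-request log and a RID lookup table (assumed format).
SNTP_REQUESTS = [
    {"time": "2026-01-10T10:00:02", "src": "10.0.0.50", "rid": 1105},
    {"time": "2026-01-10T10:00:02", "src": "10.0.0.50", "rid": 1106},
    {"time": "2026-01-10T10:00:03", "src": "10.0.0.50", "rid": 1000},
    {"time": "2026-01-10T10:00:03", "src": "10.0.0.50", "rid": 1203},
    {"time": "2026-01-10T10:05:00", "src": "10.0.0.7", "rid": 1203},  # a workstation asking for its own RID
]
RID_DIRECTORY = {
    1000: ("DC01$", "computer"),
    1105: ("jsmith", "user"),
    1106: ("mjones", "user"),
    1203: ("WS-42$", "computer"),
}


def find_uac_flipflops(changes, window=timedelta(minutes=15)):
    """SIDs whose derived type went user -> machine -> user within `window`."""
    pending = {}  # sid -> time the object became a machine account
    hits = []
    for c in sorted(changes, key=lambda c: c["time"]):
        if c["attribute"] != "userAccountControl":
            continue
        before, after = sam_account_type_for(c["old"]), sam_account_type_for(c["new"])
        t = datetime.fromisoformat(c["time"])
        if before == SAM_NORMAL_USER_ACCOUNT and after == SAM_MACHINE_ACCOUNT:
            pending[c["sid"]] = t
        elif before == SAM_MACHINE_ACCOUNT and after == SAM_NORMAL_USER_ACCOUNT:
            started = pending.pop(c["sid"], None)
            if started is not None and t - started <= window:
                hits.append((c["sid"], started.isoformat(), t.isoformat()))
    return hits


def find_dollar_renames(changes):
    """SIDs whose sAMAccountName gained a trailing '$' and later lost it again."""
    gained, hits = set(), []
    for c in sorted(changes, key=lambda c: c["time"]):
        if c["attribute"] != "sAMAccountName":
            continue
        old, new = c["old"], c["new"]
        if not old.endswith("$") and new == old + "$":
            gained.add(c["sid"])
        elif old.endswith("$") and new == old[:-1] and c["sid"] in gained:
            hits.append(c["sid"])
    return hits


def find_suspicious_sntp(requests, rid_directory, distinct_threshold=3):
    """Per source host: distinct RIDs requested, and which of them are user objects."""
    by_host = defaultdict(set)
    for r in requests:
        by_host[r["src"]].add(r["rid"])
    findings = {}
    for host, rids in by_host.items():
        user_rids = sorted(rid for rid in rids if rid_directory.get(rid, ("?", "unknown"))[1] == "user")
        if len(rids) >= distinct_threshold or user_rids:
            findings[host] = {"distinct_rids": len(rids), "user_rids": user_rids}
    return findings


if __name__ == "__main__":
    print("UAC flip-flops:", find_uac_flipflops(ATTRIBUTE_CHANGES))
    print("Transient '$' renames:", find_dollar_renames(ATTRIBUTE_CHANGES))
    print("Suspicious MS-SNTP sources:", find_suspicious_sntp(SNTP_REQUESTS, RID_DIRECTORY))
```

The window in find_uac_flipflops matters: the technique reverts the attributes within seconds, so a tight window (minutes, not days) separates it from ordinary account-type migrations, while the RID check catches the attack even if the attribute changes are never logged, because a legitimate client only ever requests its own RID.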

Summary

This is a new, creative application of a long-known attack concept. It is very likely that this technique will be adopted by a wide range of attackers, from red teamers to malicious actors. We should also remember the risk of insider threats, because a domain administrator could easily perform this technique without escalating privileges any further. The process is surprisingly straightforward when the correct level of access already exists.

Users should therefore aim to use strong, complex passwords inside corporate domains, not just meeting but exceeding the minimum policy requirements. It is also wise never to reuse passwords or even reuse the same style of password across different systems. Wherever possible, two-factor authentication should be enabled. Good architecture and strong monitoring will make techniques like Targeted Timeroasting far less attractive and much easier to detect.

In our continuing effort to offer you the very best in cybersecurity training, Hackers-Arise is proud to present PowerShell for Hackers training. It is included with the Subscriber and Subscriber Pro packages. March 10-12.

Bitcoin Price Jumps 8% Into New Year as Bullish Momentum Builds

6 January 2026 at 10:49

Bitcoin Magazine


Bitcoin began 2026 with some renewed strength, climbing roughly 8% since the start of the year as institutional inflows, derivatives positioning and geopolitical developments have come together to lift sentiment across crypto markets.

The bitcoin price is trading near $94,100 today, reaching levels last seen in early December. The price briefly touched an intraday high of $94,352 after opening the year near $87,400 on Jan. 1, per Bitcoin Magazine Pro data.

As of this morning, bitcoin was changing hands around $94,000, according to market data, putting it within 1% of its recent seven-day high.

The rally pushed bitcoin’s market capitalization to roughly $1.87 trillion, with daily trading volume hovering near $51 billion. Bitcoin’s circulating supply stands just under 20 million coins, out of a fixed cap of 21 million.

The move higher followed a period of sideways trading through late December, when the bitcoin price struggled to break above resistance near $91,000. That level has since turned into short-term support, opening the door to a renewed test of the $94,000 – $98,000 range that capped prices for much of the past two months.

Geopolitics and the hedge narrative

Bitcoin’s rebound coincided with weekend reports that the United States had captured Venezuelan President Nicolás Maduro, a development that rippled across commodity and crypto markets. 

Oil stocks jumped on expectations that Venezuela’s energy sector could reopen under new leadership, while crypto-linked equities such as Coinbase and Strategy each rose more than 4%.

Analysts cautioned that the event itself was not a direct catalyst for bitcoin. Instead, it reinforced bitcoin’s role as a hedge against geopolitical pressures and sanctions risk.

“Escalating pressure without direct military conflict is supportive of bitcoin,” said Dean Chen, an analyst at crypto derivatives exchange Bitunix. He pointed to historical patterns in which tighter sanctions, capital controls or restrictions on the global banking system have coincided with increased real-world bitcoin usage.

Bitcoin price options market targets six figures and ETF inflows return

Derivatives markets suggest traders are positioning for further upside. On Deribit, the world’s largest crypto options exchange, open interest has surged in January call options with a $100,000 strike price.

The $100,000 January call has become the most popular contract on the platform, with total notional open interest reaching about $1.45 billion.

Spot bitcoin exchange-traded funds have also reemerged as a key driver. U.S.-listed bitcoin ETFs recorded nearly $700 million in net inflows on Monday, the strongest single-day total since October, according to industry data.

That demand represents more than 7,000 BTC, far exceeding daily new issuance from miners. Sustained ETF buying can tighten available supply and support higher prices, particularly when paired with declining balances on exchanges.

On-chain data shows roughly $1.2 billion worth of bitcoin was withdrawn from exchanges over the past 24 hours, a sign that investors are moving coins into self-custody rather than preparing to sell.

Bitcoin price technical levels

From a technical perspective, bitcoin’s breakout from a multi-week consolidation has shifted attention to resistance near $98,000. A move above that level could bring the psychological $100,000 mark back into play, a threshold bitcoin failed to hold during late-2025 rallies.

Support for the bitcoin price now sits near $91,400, with stronger backing around $87,000 if prices pull back. A failure below $84,000 would weaken bitcoin’s near-term structure, though longer-term bulls argue that rising yearly lows continue to define bitcoin’s broader uptrend.

For now, traders enter the new year with momentum on their side. Whether bitcoin can turn the early-January surge into a sustained breakout will depend on continued ETF demand, options market dynamics and how global macro risks evolve in the weeks ahead.


This post Bitcoin Price Jumps 8% Into New Year as Bullish Momentum Builds first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Desney Tan leaves Microsoft after 21 years leading key research and healthcare initiatives

5 January 2026 at 17:24
Desney Tan speaks at the 2018 GeekWire Summit. (GeekWire File Photo / Kevin Lisota)

Desney Tan, who rose from researcher to corporate vice president and managing director of Microsoft Research, announced Monday that he’s leaving the company after 21 years.

Tan became known in part for research in “whole body computing,” physiological sensing, brain-computer interfaces and other novel forms of human-computer interaction. His work spanned areas including Windows multi-monitor functionality, handwriting recognition, motion tracking for Xbox Kinect, and the technology behind the Microsoft Band fitness tracker.

In more recent years, he shifted his focus to healthcare, for a time leading Microsoft Health Futures, the company’s health and life sciences “moonshot factory.” He oversaw major partnerships including Microsoft’s collaboration with Adaptive Biotechnologies.

“New year, new adventures,” Tan wrote on LinkedIn, adding that he’s “signing off with a heart full of gratitude and a deep sense of pride.” He thanked colleagues at Microsoft Research for “the warm home, the unwavering trust, and the inspired pursuit of impactful innovation.”

In a message to GeekWire, Tan said he’s intentionally keeping his options open, without anything concrete lined up yet, so he can experiment with a few different things. 

Beyond Microsoft, he serves on the boards of ResMed and the Washington Research Foundation, and advises startups including surgical navigation company Proprio and cognitive health startup NewDays. He’s also senior advisor and chief technologist at Seattle-based incubator IntuitiveX, and holds an affiliate faculty position at the University of Washington.

Bitcoin Price Struggled in 2025, but Long-Term Lows Show a Strong and Rising Floor

2 January 2026 at 12:36

Bitcoin Magazine


Bitcoin’s price action in 2025 pointed to a market shaped less by speculative and impulsive excess and more by macro forces.

The bitcoin price traded through a wide range last year. According to Bitcoin Magazine Pro data, bitcoin rallied above $126,000 during mid-to-late-year advances fueled by ETF inflows and optimism around U.S. regulatory clarity. Those highs did not hold.

By the fourth quarter, tighter financial conditions and elevated real yields weighed on risk assets. The bitcoin price slid sharply from its peak and ended the year near $87,000. It is on track for its first full-year decline since 2022.

While the drop from the highs was steep and can feel negative, longer-term charts tell a different, more bullish, story.

Bitcoin’s yearly lows continued to trend higher. Data shows the yearly low rose from $366 in 2016 to $76,329 in 2025. Each major cycle has set a higher floor despite deep drawdowns along the way.

The pattern held after major downturns in 2018 and 2022. In both cases, bitcoin later established higher yearly lows. The 2025 low stands well above prior cycle troughs, even after a volatile year.

#Bitcoin yearly lows:

2016: $366
2017: $788
2018: $3,185
2019: $3,359
2020: $4,959
2021: $29,381
2022: $15,758
2023: $16,607
2024: $39,447
2025: $76,329

Zoom out. pic.twitter.com/ch0aj6SIfY

— Bitcoin Magazine (@BitcoinMagazine) January 2, 2026

The gap between yearly highs and lows widened in 2025. That spread reflects persistent volatility and rapid shifts in sentiment. It also highlights a market still adjusting to its growing size and popularity. 

Analysts say the rising floor suggests deeper capital support than in past cycles. Long-term holders have shown greater willingness to accumulate during declines. Forced selling has remained concentrated during brief liquidation events rather than extended crashes.

Macro conditions played a central role throughout the year. Inflation remained sticky. Central banks kept policy restrictive longer than expected. That backdrop favored yield-bearing assets and pressured speculative positioning.

The bitcoin price’s correlation with broader risk markets increased. Price movements tracked equities more closely, especially during U.S. trading hours. Late in the year, crypto assets often sold off while American stocks were open.

That pattern showed signs of shifting as 2026 began. The bitcoin price climbed above $90,000 during early U.S. trading sessions. 

October 10: Bitcoin price’s humbling ‘down to earth’ moment

Still, the defining moment of 2025 came earlier.

On Oct. 10, the bitcoin price suffered a massive and sharp intraday plunge of roughly $12,000. The move triggered billions of dollars in liquidations across derivatives markets. Total crypto market capitalization fell sharply in a single session.

The selloff set the stage for a prolonged pullback that is still being felt in the broader crypto market. Within weeks, bitcoin was trading more than 30% below its peak near $126,000. The decline erased much of the optimism that had dominated forecasts at the start of the year.

Entering 2025, price targets were aggressive. Many analysts and executives expected a sustained breakout well beyond prior highs. ETF inflows and institutional adoption formed the core of most bullish theses.

Those expectations failed to materialize. ETF demand absorbed supply but did not spark reflexive rallies. Liquidity conditions remained tight. Leverage repeatedly capped upside moves.

By year-end, the gap between forecasts and realized prices was clear. Bitcoin closed far below even the more conservative projections made earlier in the year.

Despite that, the yearly lows chart deserves attention and offers some comfort.

The steady yearly lows reflect a maturing market. Bitcoin is larger, more regulated, and more integrated into global markets than during prior cycles. That structure may limit explosive rallies but also reduce the risk of total collapse.

The data suggests one clear trend. Even in a year marked by sharp corrections and unmet expectations, bitcoin price’s long-term floor will rise.

The bitcoin price is trading at $90,321, up 3% in the past 24 hours, with a market cap of $1.81 trillion and a 24-hour volume of $46 billion. Its price is near its 7-day high of $90,789 and 3% above its 7-day low of $87,967, with 19.97 million BTC in circulation out of a 21 million max supply.


This post Bitcoin Price Struggled in 2025, but Long-Term Lows Show a Strong and Rising Floor first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Bitcoin Price Will Jump to $143,000 Next Year, Says Citi Bank

19 December 2025 at 09:35

Bitcoin Magazine

Bitcoin Price Will Jump to $143,000 Next Year, Says Citi Bank

The bitcoin price could climb to $143,000 next year as continued adoption through exchange-traded funds and a more accommodating U.S. regulatory backdrop draw new capital into the market, according to a new forecast from Citi.

Analysts at the Wall Street bank set $143,000 as their base-case target for the bitcoin price over the next 12 months. They outlined a bullish scenario that places the price above $189,000, while their bearish case sees the bitcoin price falling to around $78,500 if macroeconomic conditions deteriorate, according to MarketWatch reporting.

The bitcoin price was trading near $88,000 on Friday, down roughly 30% from its late-October peak. The pullback followed a sharp wave of selling after the rally earlier this year, though Citi noted that outflows from spot bitcoin exchange-traded funds have moderated in recent weeks.

“Our forecasts, in particular for bitcoin, rest on an assumption that investor adoption continues with flows into ETFs of $15 billion boosting token prices,” the analysts wrote. The note was led by Alex Saunders, Citi’s head of global quantitative macro strategy.

JUST IN: 🇺🇸 $2.6 trillion Citi says Bitcoin could hit $189,000 in the next 12 months 🚀 pic.twitter.com/CgGEZ1XKB1

— Bitcoin Magazine (@BitcoinMagazine) December 19, 2025

Citi also pointed to potential regulatory clarity in the United States as a key driver of future demand. The U.S. Senate is negotiating its own version of the House-passed Clarity Act, legislation that would place bitcoin under the oversight of the Commodity Futures Trading Commission. The analysts said clearer rules could encourage broader institutional participation.

The bank’s bearish scenario assumes recessionary pressures and weaker appetite for risk assets. The bitcoin price fell to multi-month lows in November as concerns over high technology valuations and broader macro risks weighed on markets. 

The cryptocurrency shed more than $18,000 that month, marking its largest dollar decline since May 2021 amid heavy investor withdrawals.

Banks are embracing bitcoin

Two weeks ago, Bank of America told its wealth management clients to allocate 1% to 4% of their portfolios to digital assets, signaling a major shift in its approach to Bitcoin exposure. 

The move allowed over 15,000 advisers across Merrill, Bank of America Private Bank, and Merrill Edge to proactively recommend crypto to clients.

Last week, PNC Bank launched direct spot bitcoin trading for eligible Private Bank clients, allowing them to buy, hold, and sell bitcoin natively through its own digital banking platform without using an external exchange. The move was powered by Coinbase’s Crypto-as-a-Service infrastructure.

Bitcoin price analysis

Bitcoin’s latest sell-off underscores a market stuck in consolidation, where positive macro catalysts fail to translate into sustained upside. 

After briefly testing $89,000 on cooler-than-expected U.S. inflation data, bitcoin slid back toward the $84,000 range, extending a correction now entering its second month. The pattern has become familiar: sharp, data-driven rallies followed by quick retracements as sellers defend resistance below $90,000.

Macro signals offer mixed support. November CPI eased to 2.7% year over year, with core inflation at 2.6%, strengthening the case for eventual Federal Reserve rate cuts in 2026. That backdrop helped spark the intraday rally. Yet rising U.S. unemployment and uneven job growth complicate the outlook, reinforcing expectations that the Fed will move cautiously. Markets appear reluctant to price in aggressive easing.

A key drag remains U.S.-listed spot Bitcoin ETFs, which have shifted from consistent inflows to net redemptions. The outflows remove a stabilizing bid that previously absorbed sell pressure, making breakouts harder to sustain even on positive news.

Technically, the bitcoin price is range-bound. Resistance sits just below $90,000, while support near $84,000 is weakening. A decisive break lower could open a move toward the $72,000–$68,000 zone, where analysts expect stronger demand.

Extreme fear readings suggest potential undervaluation, but near-term momentum still favors sellers.

At the time of writing, the bitcoin price is dancing around the $88,000 level.


This post Bitcoin Price Will Jump to $143,000 Next Year, Says Citi Bank first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Bitcoin Price Crashes to $84,000 – Is $70,000 Next?

18 December 2025 at 15:44

Bitcoin Magazine

Bitcoin Price Crashes to $84,000 – Is $70,000 Next?

The bitcoin price dropped sharply today after a brief pump near $90,000, sliding to $84,544 as the price sell-off continued into its second month. 

Bitcoin lost 2% over the past 24 hours. It remains 5% below its seven-day high of $89,220 and hovers near the week’s low of $84,596. Trading volume reached $56 billion. Bitcoin’s market capitalization stands at $1.69 trillion. The circulating supply is roughly 19.96 million BTC out of a total 21 million, according to Bitcoin Magazine Pro data. 

The drop follows a brief rally that earlier saw the Bitcoin price test $89,000. The surge came after the U.S. released new Consumer Price Index data. Inflation rose 2.7% year over year in November, lower than expected. Core CPI, which excludes food and energy, fell to 2.6%, the lowest since early 2021.

Bitcoin jumped from intraday lows near $86,000 to challenge $89,000. Traders viewed the cooler inflation report as a potential signal for looser Federal Reserve policy in 2026. CME FedWatch data suggested slightly higher odds of a rate cut by March, though January moves remain unlikely.

The rally did not last. The bitcoin price failed to break $90,000 and slid to $84,400. This pattern is familiar: sharp spikes followed by quick retracements.

What’s dragging down the bitcoin price?

A persistent challenge is U.S.-listed spot Bitcoin ETFs. These funds, once a major source of demand, have seen net redemptions. The outflows remove institutional support that previously helped stabilize the price. Without consistent ETF inflows, breakouts above $89,000 are harder to sustain.

Other economic indicators add uncertainty. Recent labor market data showed U.S. unemployment rising to 4.6%, its highest since 2021. Job growth remains uneven. The mixed signals complicate Federal Reserve policy, suggesting a cautious approach despite easing inflation.

Political factors add to market complexity. President Donald Trump has publicly urged lower interest rates and suggested nominating a Fed chair favoring aggressive easing. Markets have largely treated the comments as noise, but the statements add a variable to the macro picture.

Technically, the bitcoin price is consolidating rather than trending. Resistance forms just below $90,000. Supply above this level remains strong, held by investors who bought during prior rallies. 

Analysts at Bitwise recently suggested Bitcoin could break its historical four-year cycle. The firm noted BTC might reach new all-time highs in 2026 with lower volatility and reduced correlation to equities.

The Bitcoin Fear and Greed Index currently sits at 17/100, signaling extreme fear. Historically, readings in this range have coincided with undervaluation. Contrarian investors see potential buying opportunities, though sentiment remains cautious.

Is $70,000 next? 

Technical analysts from Bitcoin Magazine wrote earlier this week that the $84,000 support level is under pressure. If the bitcoin price falls below this point, it could test the $72,000 to $68,000 zone. Initial bounces are expected, but a break below $84,000 could trigger faster declines toward $70,000.

Bitcoin’s price may drop to the $72,000–$68,000 support zone after breaking the $84,000 level, with bears currently in control. A strong bounce is likely from that lower zone, potentially retesting $84,000, though the 4-Year Cycle suggests further downside could occur later in 2026.

Resistance extends from $94,000 to $118,000. Bulls will need substantial buying volume to break above these levels, per Bitcoin Magazine analysts. 

Short-term momentum favors sellers. Last week, the Bitcoin price closed the weekly candle in red, failing to sustain gains near $94,000. Bears are well-positioned to push prices lower this week. 

At the time of writing, the bitcoin price is $84,812. Trading volume reached $56 billion. Bitcoin’s market capitalization stands at $1.69 trillion. The circulating supply is roughly 19.96 million BTC out of a total 21 million, according to Bitcoin Magazine Pro data. 


This post Bitcoin Price Crashes to $84,000 – Is $70,000 Next? first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Bitcoin Price Briefly Pumps Above $89,000 As Cooler CPI Data Rolls In

18 December 2025 at 10:34

Bitcoin Magazine

Bitcoin Price Briefly Pumps Above $89,000 As Cooler CPI Data Rolls In

Bitcoin briefly surged above $89,000 on Thursday as a sharply cooler-than-expected U.S. inflation report came in.

At the time of writing, the bitcoin price was trading near $88,374, down roughly 2% over the past 24 hours, according to market data. The pullback leaves BTC about 2% below its recent seven-day high of $90,165 and roughly 4% above its week’s low near $85,374. Bitcoin’s market capitalization stands at approximately $1.77 trillion, with 19.96 million BTC currently in circulation.

The initial rally was sparked by fresh Consumer Price Index (CPI) data from the U.S. Bureau of Labor Statistics, which showed inflation cooling faster than economists expected. Headline CPI rose 2.7% year over year in November, well below consensus expectations of around 3% and down from earlier readings. Core CPI, which strips out food and energy, fell to 2.6%—its lowest level since early 2021.

The bitcoin price reacted swiftly around the time of the data, jumping from intraday lows near $86,000 to briefly challenge the psychologically important $89,000 level, according to Bitcoin Magazine Pro data.

The move reflected renewed optimism that easing inflation could give the Federal Reserve greater room to cut interest rates in 2026, a backdrop that has historically supported risk assets, including bitcoin.

According to CME FedWatch data, odds of a rate cut by March edged higher following the release, though expectations for a January move remain muted.

Bitcoin price action 

Still, the rally proved short-lived. The bitcoin price failed to reclaim $90,000 decisively and slipped back as the session wore on, currently sitting near $88,000. This dynamic has become familiar in recent weeks: sharp, data-driven bursts higher followed by rapid retracements.

One key headwind remains sustained outflows from the U.S.-listed spot bitcoin exchange-traded funds. After serving as a major source of demand earlier in the year, ETFs have seen steady net redemptions, removing a layer of institutional support that previously helped absorb selling pressure. Market participants say the absence of consistent ETF inflows has made it harder for bitcoin to sustain breakouts, even on positive macro news.

Macro signals remain mixed beyond inflation. Earlier this week, delayed U.S. labor market data showed unemployment rising to 4.6%, its highest level since 2021, while job growth remained uneven. The data complicates the Federal Reserve’s outlook, reinforcing expectations that policymakers will proceed cautiously despite cooling inflation.

Political uncertainty is also lingering in the background. President Donald Trump has publicly called for significantly lower interest rates and indicated he plans to nominate a Federal Reserve chair who supports more aggressive easing. While markets have so far treated the comments as noise, they add another variable to an already complex policy landscape.

Zooming out, bitcoin’s price appears to be consolidating rather than trending. Despite remaining near record highs on a historical basis, price action has tightened, with resistance forming just below $90,000 and strong supply reported above that level from investors who accumulated during earlier rallies.

Analysts at Bitwise recently released a report suggesting Bitcoin could break away from its historical four-year market cycle, potentially achieving new all-time highs in 2026 while exhibiting lower volatility and reduced correlation with equities.

The Bitwise report argues that the Bitcoin price’s historical four-year cycle, tied to halvings and marked by gains followed by pullbacks, may no longer hold. The firm also challenged the long-standing criticism that BTC is too volatile for mainstream investors.

According to Bitwise, BTC was less volatile than Nvidia stock throughout 2025, a comparison Hougan says underscores the asset’s ongoing maturation.

Market in ‘extreme fear’

At the time of writing, the Bitcoin Fear and Greed Index sits at 17/100, signaling extreme fear among market participants. Historically, readings in this range have often coincided with undervalued market conditions, suggesting a contrarian buying opportunity for those willing to navigate the emotional volatility.

Two days ago, the market sat near 11/100 despite a higher bitcoin price point. 

For now, bitcoin’s response to softer inflation highlights its continued sensitivity to macroeconomic data, but the inability to sustain gains above $89,000 suggests conviction remains limited. At the time of writing, the bitcoin price is $88,142. 


This post Bitcoin Price Briefly Pumps Above $89,000 As Cooler CPI Data Rolls In first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Mobile Forensics: Simple Methods to Extract Media and Messages from WhatsApp, Signal, and Telegram

17 December 2025 at 10:09

Welcome back, aspiring digital investigators.

Many of you found our previous WhatsApp forensics article interesting, where we explained how to pull data from a rooted Android device. That method works well in difficult situations, but it is not always practical. Not everyone has the technical skills required to root a phone, and in many cases it is simply not possible. On the iOS side, things can be easier if you have an iTunes backup saved on a computer. Some users even leave their backups unprotected because they worry about forgetting the password, which means you may be able to access everything quickly.

But what happens when you do not have those ideal conditions? What if you need to extract messages and media fast, without doing anything advanced to the device? Today, we want to show you simple and reliable ways to gather data from WhatsApp, Signal, and Telegram with almost no technical experience. Even though these apps use strong encryption, it does not matter much once you have the unlocked device in front of you. Capturing network traffic will not help because everything is encrypted during transit. The smarter approach is to work directly with the phone, where the app already decrypts information for the user.

For this you will need Belkasoft X, one of the professional forensic tools we use at Hackers-Arise. The software is paid, but they offer a thirty-day free trial that you can obtain simply by signing up with your email. After a short time you will receive a link from Belkasoft’s team that allows you to install the tool.

Method 1: Using Belkasoft X Screen Capturer with Top Messengers

One of the easiest ways to collect content from mobile messengers is through automated screen capturing. Screenshots are far more valuable than many people think because they show exactly what the user saw, including messages, contact lists, calls, and media previews. Belkasoft X includes an Android screen-capturer feature that automates this entire process. It scrolls through apps such as Signal, Telegram, and WhatsApp, takes screenshots for you, and then uses text-recognition techniques to rebuild readable, searchable chat logs.

Screen capturing is especially helpful because basic Android acquisition methods such as ADB backup often miss large portions of app data. Many apps encrypt their local files, and even if you manage to back them up, decrypting them afterward can be extremely difficult. More advanced approaches, like downgrading APK versions to extract unencrypted data, do work but come with their own risks. Screen capturing, on the other hand, is safe, fast, and based entirely on normal ADB commands. Following well-known digital forensics handling guidelines, such as the SANS “Six Steps,” it is always better to start with the least intrusive method, and screenshots fit perfectly into that philosophy. The Android screen capturer in Belkasoft X is quick because it moves through screens automatically and faster than any human could. It is also flexible because you can limit how much the tool captures, which helps avoid long sessions. For example, you can choose to capture only the most recent messages or specific screens within an app.

Using the tool is straightforward. You connect the Android device to a computer running Belkasoft X, enable USB debugging under the Developer Options menu, and usually switch the phone to Airplane Mode so new notifications do not interfere. If the app depends on loading older messages from the cloud, you can preload everything before activating Airplane Mode. After that you launch Belkasoft X, create a case, select the mobile acquisition option, and choose the Screen Capturer method. 

screen capturer in belkasoft
Source: Belkasoft
choosing the messenger in belkasoft
Source: Belkasoft

Once you select either a supported messenger or a generic app, the tool guides you step by step until the capture starts.

specifying the details for screen capturer in belkasoft
Source: Belkasoft

During acquisition you should not touch the device until the process finishes. 

collecting evidence in belkasoft
Source: Belkasoft

When Belkasoft X completes the capture, it offers to analyze the screenshots immediately and convert them into readable text.

reading texts in belkasoft
Source: Belkasoft

For supported messengers like Signal, Telegram, and WhatsApp, the software organizes the results into familiar chat views, complete with names, contacts, timestamps, and messages. You can search, filter, and review everything, and if something looks suspicious, you can always return to the original screenshots for verification.

Method 2: Acquiring WhatsApp Cloud Backups

The second approach is useful when you do not have physical access to the device. If a WhatsApp user has configured their app to back up messages to their Google account, the backup files will appear in the user’s Google Drive storage. By default, end-to-end encrypted backups are turned off, and many people also choose to include videos in their backup, giving you more material to investigate. Google Drive itself does not allow direct downloading of WhatsApp’s backup files, so you will need Belkasoft X to retrieve them.

google drive whatsapp backup
Source: Belkasoft

To acquire the backup, you start a case, add a new cloud data source, and select the WhatsApp option.

choosing whatsapp as the data source
Source: Belkasoft

You then enter the user’s Google account credentials and follow the tool’s instructions.

signing into the account in belkasoft
Source: Belkasoft

The resulting data typically includes the encrypted msgstore database in its .crypt14 format, stored inside a folder named after the phone number registered with that WhatsApp account. While the messages themselves are encrypted, the media files are usually stored unencrypted and can be examined right away.

viewing data in belkasoft
Source: Belkasoft

Method 3: WhatsApp QR Linking

The third method imitates the process of linking a new device to a WhatsApp account using a QR code. This is the same mechanism used when you open WhatsApp Web on your computer. The tool uses this linking process to obtain recent conversations and media from the account. Because of how WhatsApp handles synchronization, the data you receive will not be as complete as a full device extraction, but it is often enough to capture recent chats and shared files.

whatsapp qr in belkasoft
Source: Belkasoft

To use this method, the phone must be online and its camera must be functioning, because the user will need to scan a QR code presented on your screen. After creating a new case and selecting the WhatsApp QR acquisition option, the tool guides you through the linking process until the transfer is complete. The recovered messages are stored in an XML-based file along with a folder containing downloaded media.

Summary

You learned about simple and practical ways to extract messages and media from popular messaging apps such as WhatsApp, Signal, and Telegram without relying on advanced techniques like rooting an Android device. The key idea is that strong encryption protects data while it is being transmitted, but once you have access to the unlocked phone or its backups, much of that data becomes accessible through careful forensic methods. Belkasoft X is capable of doing this and a lot more. Screen capturing was shown as a safe and effective method that allows investigators to collect visible app content exactly as the user saw it. We also looked at acquiring WhatsApp cloud backups from Google Drive when physical access to the device is not available, and finally at using WhatsApp QR linking to retrieve recent conversations and media through account synchronization. Mobile forensics does not always require deep technical skills to produce valuable results. With the right tools and a thoughtful approach, investigators can quickly and reliably extract meaningful evidence from modern messaging applications.

Digital Forensics: Investigating a Cyberattack with Autopsy

12 November 2025 at 09:26

Welcome back, aspiring digital forensics investigators!


In the previous article we introduced Autopsy and noted its wide adoption by law enforcement, federal agencies and other investigative teams. Autopsy is a forensic platform built on The Sleuth Kit and maintained by commercial and community contributors, including the Department of Homeland Security. It packages many common forensic functions into one interface and automates many of the repetitive tasks you would otherwise perform manually.

Today, let’s focus on Autopsy and how we can investigate a simple case with the help of this app. We will skip the basics, as we have covered them previously. 

Analysis

Artifacts and Evidence Handling

Start from the files you are given. In this walkthrough we received an E01 file, which is the EnCase evidence file format. An E01 is a forensic image container that stores a sector-by-sector copy of a drive together with case metadata, checksums and optional compression or segmentation. It is a common format in forensic workflows and preserves the information needed to verify later that an image has not been altered.

showed the evidence files processed by autopsy

Before any analysis begins, confirm that your working copy matches the original by comparing hash values. Tools used to create forensic images, such as FTK Imager, normally generate a short text report in the same folder that lists the image metadata and hashes you can use for verification.

found the hashes generated by ftk imager

Autopsy also displays the same hash values once the image is loaded. To see them, select the Data Source and view the Summary in the results pane to confirm checksums and metadata.

generated a general overview of the image in Autopsy

Enter all receipts and transfers into the chain of custody log. These records are essential if your findings must be presented in court.
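A script to record segment hashes when the evidence is received and to re-check the working copy before analysis, added here as an example and not code from the article, Autopsy or FTK Imager; the manifest format and the sample file names are constructed. One caveat for E01 images: the hash FTK Imager reports (and Autopsy shows in the Data Source summary) covers the acquired disk data, not the .E01 container files, so a file-level hash of the segments verifies your copy against your own receipt record, while the data-level hash is checked with the imaging tool or a libewf utility such as ewfverify.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, read in chunks so that
    multi-gigabyte image segments never have to fit in memory.
    FTK Imager reports MD5 and SHA1; SHA-256 is added for the receipt manifest."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_segments(first_segment):
    """Collect the segments of an EnCase image (.E01, .E02, ...) in order, starting
    from the file you would also point Autopsy at. Non-segmented names (e.g. a raw
    .dd image) are returned on their own."""
    first = Path(first_segment)
    prefix, number = first.suffix[:2], first.suffix[2:]
    if prefix.upper() != ".E" or not number.isdigit():
        return [first]
    segments, n = [], int(number)
    while True:
        candidate = first.with_name(f"{first.stem}{prefix}{n:02d}")
        if not candidate.exists():
            return segments
        segments.append(candidate)
        n += 1


def write_manifest(first_segment, manifest_path):
    """Record 'sha256  filename' for every segment at the time the evidence is received.
    This manifest format is constructed for the example; a real chain-of-custody record
    carries more fields (who, when, from whom), but this is what the re-check needs."""
    lines = [f"{hash_file(seg, ('sha256',))['sha256']}  {seg.name}"
             for seg in image_segments(first_segment)]
    Path(manifest_path).write_text("\n".join(lines) + "\n")
    return lines


def verify_manifest(manifest_path, directory):
    """Re-hash the working copy and return {filename: 'ok' | 'mismatch' | 'missing'}."""
    results = {}
    for line in Path(manifest_path).read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        path = Path(directory) / name
        if not path.exists():
            results[name] = "missing"
        else:
            actual = hash_file(path, ("sha256",))["sha256"]
            results[name] = "ok" if actual == expected else "mismatch"
    return results


def demo():
    """Constructed sample: two small files stand in for the segments of a real E01.
    Returns the verification results before and after the working copy is damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        first = Path(tmp) / "evidence.E01"
        first.write_bytes(b"A" * 4096)                      # placeholder image data
        (Path(tmp) / "evidence.E02").write_bytes(b"B" * 4096)
        manifest = Path(tmp) / "evidence.sha256"
        write_manifest(first, manifest)
        clean = verify_manifest(manifest, tmp)
        # Simulate an accidental write to one segment and the loss of another.
        with open(Path(tmp) / "evidence.E02", "r+b") as fh:
            fh.write(b"X")
        first.unlink()
        damaged = verify_manifest(manifest, tmp)
    return clean, damaged


if __name__ == "__main__":
    print(demo())
```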

Opening Images In Autopsy

Create a new case and add the data source. If you have multiple EnCase segments in the same directory, point Autopsy to the first file and it will usually pick up the remaining segments automatically. Let the ingest modules run as required for your investigative goals, and keep notes about which modules and keyword searches you used so your process is reproducible.

Identifying The Host

First, let’s find the name of the computer we are looking at. Names and labelling conventions can differ from the actual system name recorded in the image. You can quickly find the host name listed under Operating System Information, next to the SYSTEM entry. 

found desktop name in Autopsy

Knowing the host name early helps orient the rest of your analysis and simplifies cross-referencing with network or domain logs.

Last Logins and User Activity

To understand who accessed the machine and when, we can review last login and account activity artifacts. Windows records many actions in different locations. These logs are extremely useful, but attackers sometimes use them to their own advantage as well. For instance, after a domain compromise an attacker can review all security logs and find machines that domain admins frequently visit. With the help of such logs it doesn’t take much time to find out what your critical infrastructure is and where it is located. 

In Autopsy, review Operating System, then User Accounts, and sort by last accessed or last logon time to see recent activity. Below we see that Sivapriya was the last one to log in.

listed all existing profiles in Autopsy

A last logon alone does not prove culpability. Attackers may act during normal working hours to blend in, and one user’s credentials can be used by another actor. You need to use time correlation and additional artifacts before drawing conclusions.

Installed Applications

Review installed applications and files on the system. Attackers often leave tools such as Python, credential dumpers or reconnaissance utilities on disk. Some are portable and will be found in Temp, Public or user directories rather than in Program Files. Execution evidence can be recovered from Prefetch, NTUSER.DAT, UserAssist, scheduled tasks, event logs and other sources we will cover separately.

In this case we found a network reconnaissance tool, Look@LAN, which is commonly used for mapping local networks.

listed installed apps in Autopsy
recon app info

Signed and legitimate tools are sometimes abused because they follow expected patterns and can evade simple detection.

Network Information and IP Addresses

Finding the IP address assigned to the host is useful for reconstructing lateral movement and correlating events across machines and the domain controller. The domain controller logs validate domain logons and are essential for tracing where an attacker moved next. In the image you can find network assignments in registry hives: the SYSTEM hive contains TCP/IP interface parameters under CurrentControlSet\Services\Tcpip\Parameters\Interfaces and Parameters, and the SOFTWARE hive stores network profile signatures under Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed and \Unmanaged or NetworkList

found ip in the registry

If the host used DHCP, registry entries may show previously assigned IPs, but sometimes the attacker’s tools carry their own configuration files. In our investigation we inspected an application configuration file (irunin.ini) found in Program Files (x86) and recovered the IP and MAC address active when that tool was executed. 

found the ip and mac in the ini file of an app in Autopsy

The network adapter name and related entries are also recorded under SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards.

found the network interface in the registry

User Folders and Files

Examine the Users folder thoroughly. Attackers may intentionally store tools and scripts in other directories to create false flags, so check all profiles, temporary locations and shared folders. When you extract an artifact for analysis, hash it before and after processing to demonstrate integrity. In this case we located a PowerShell script that attempts privilege escalation.

found an exploit for privesc
exploit for privesc

The script checks if it is running as an administrator. If elevated it writes the output of whoami /all to %ALLUSERSPROFILE%\diag\exec_<id>.dat. If not elevated, it temporarily sets a value under HKCU\Environment\ProcExec with a PowerShell launch string, then triggers the built-in scheduled task \Microsoft\Windows\DiskCleanup\SilentCleanup via schtasks /run in the hope that the privileged task will pick up and execute the planted command, and finally removes the registry value. Errors are logged to a temporary diag file.

The goal was to validate a privilege escalation path by causing a higher-privilege process to run a payload and record the resulting elevated identity.
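A correlation rule a defender could run over endpoint telemetry for the pattern just described (a value written under a user’s Environment key, the SilentCleanup task started via schtasks shortly afterwards, then the value removed), added here as an example and not code from the article; the event format and the sample lines are constructed, loosely modelled on Sysmon registry and process events, and the user names are taken from the case.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry for this example, loosely modelled on Sysmon event types
# (1 = process create, 12 = registry key/value delete, 13 = registry value set). The
# line layout "timestamp|event_id|field=value;..." is invented here; real exporters differ.
SAMPLE_EVENTS = r"""
2025-11-10T09:12:01Z|1|user=CORP\Sivapriya;image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;cmdline=powershell.exe -File C:\Users\Sivapriya\diag.ps1
2025-11-10T09:12:02Z|13|user=CORP\Sivapriya;target=HKU\S-1-5-21-1111\Environment\ProcExec;details=powershell.exe -c <planted command>
2025-11-10T09:12:03Z|1|user=CORP\Sivapriya;image=C:\Windows\System32\schtasks.exe;cmdline=schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup
2025-11-10T09:12:05Z|12|user=CORP\Sivapriya;target=HKU\S-1-5-21-1111\Environment\ProcExec;details=(deleted)
2025-11-10T11:40:00Z|13|user=CORP\Hasan;target=HKU\S-1-5-21-2222\Environment\Path;details=C:\Python39
2025-11-10T16:00:00Z|1|user=CORP\Hasan;image=C:\Windows\System32\schtasks.exe;cmdline=schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup
"""

# A value name directly under HKCU\Environment (seen as HKU\<SID>\Environment in telemetry).
ENV_KEY = re.compile(r"\\Environment\\(?P<value>[^\\]+)$", re.IGNORECASE)
WINDOW = timedelta(seconds=120)   # how soon after the write the task must be started


def parse_events(text):
    """Parse the constructed line format into dicts with a datetime 'ts' and int 'event_id'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, rest = line.split("|", 2)
        fields = dict(part.split("=", 1) for part in rest.split(";"))
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        fields["event_id"] = int(event_id)
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def detect_silentcleanup_abuse(events):
    """Alert when a user writes a value under their Environment key and, within WINDOW,
    the same user starts the SilentCleanup scheduled task. A later delete of that value
    is recorded as cleanup, matching the script behaviour described in the article.
    A lone Environment write (the Hasan sample) is normal and is not flagged."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["event_id"] != 13:
            continue
        m = ENV_KEY.search(ev.get("target", ""))
        if not m:
            continue
        deadline = ev["ts"] + WINDOW
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break
            if (later["event_id"] == 1
                    and later.get("image", "").lower().endswith("schtasks.exe")
                    and "silentcleanup" in later.get("cmdline", "").lower()
                    and later.get("user") == ev.get("user")):
                cleaned = any(e["event_id"] == 12 and e.get("target") == ev["target"]
                              and e["ts"] >= later["ts"] for e in events)
                alerts.append({
                    "user": ev["user"],
                    "value": m.group("value"),
                    "planted": ev.get("details"),
                    "set_at": ev["ts"].isoformat(),
                    "task_run_at": later["ts"].isoformat(),
                    "cleaned_up": cleaned,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_silentcleanup_abuse(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On a live estate the same correlation would be fed from Sysmon or EDR registry and process events; on a disk image the equivalent evidence is the schtasks Prefetch entry, the task’s operational log and the NTUSER.DAT transaction logs, since the planted value itself is removed.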

Credential Harvesting

We also found evidence of credential dumping tools in user directories. Mimikatz was present in Hasan’s folder, and LaZagne was also detected in Defender logs. These tools are commonly used to extract credentials that support lateral movement. The presence of python-3.9.1-amd64.exe in the same folder suggests the workstation could have been used to stage additional tools or scripts for propagation.

mimikatz found in a user directory

Remember that with sufficient privileges an attacker can place malicious files into other users’ directories, so initial attribution based only on file location is tentative.

Windows Defender and Detection History

If endpoint protection was active, its detection history can hold valuable context about what was observed and when. Windows Defender detection entries can be found under C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory*

Below we found another commonly used tool called LaZagne, which is available for both Linux and Windows and is used to extract credentials. We have covered the use of this tool a couple of times before; you can refer to Powershell for Hackers – Basics to see how it works on Windows machines.

defender logs in Autopsy

Correlate those entries with file timestamps, prefetch data and event logs to build a timeline of execution.

Zerologon

It was also mentioned that the attackers attempted the Zerologon exploit. Zerologon (CVE-2020-1472) is a critical vulnerability in the Netlogon protocol that can allow an unauthenticated attacker with network access to a domain controller to manipulate the Netlogon authentication process, potentially resetting a computer account password and enabling impersonation of the domain controller. Successful exploitation can lead to domain takeover. 

keyword search for zerolog in Autopsy

Using keyword searches across the drive we can find related files, logs and strings that mention zerologon to verify any claims. 

In the image above you can see that NTUSER.DAT contains “Zerologon”. NTUSER.DAT is the per-user registry hive stored in each profile and is invaluable for forensics. It holds persistent traces such as Run and RunOnce entries, recently opened files and MRU lists, UserAssist, TypedURLs, ShellBags and much more. Because the hive is only written while that user’s profile is loaded, entries in a user’s NTUSER.DAT mean the actions were recorded under that account’s environment. In this case the entry appears in Sandhya’s NTUSER.DAT, which suggests either that the account participated in this activity or that the artifacts were created while that profile was loaded.
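Autopsy’s keyword search works on the raw bytes of the hive, which is why it finds strings in NTUSER.DAT even when they sit in slack space or deleted cells. The following Python script is an added example (it is not code from this page or from Autopsy) that reproduces that check: it searches a hive blob for a keyword in both ASCII and UTF-16LE, the encoding the registry uses for key names, value names and REG_SZ data, and prints a printable context window around each hit. The sample hive fragment and the path inside it are constructed for illustration; the function is meant to be run on a copy of the exported hive after it has been hashed.

```python
import re
import string
from typing import NamedTuple

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


class Hit(NamedTuple):
    offset: int      # byte offset of the match inside the hive
    encoding: str    # "ascii" or "utf-16le"
    context: str     # printable text surrounding the match


def keyword_hits(data: bytes, keyword: str, context_chars: int = 24) -> list[Hit]:
    """Case-insensitive search for `keyword` in a raw binary blob, trying both the
    ASCII form and the UTF-16LE form (registry key/value names, REG_SZ data and
    MRU lists are stored as UTF-16LE). Matching on raw bytes also covers
    unallocated cells, which a parsed view of the hive would skip."""
    patterns = {
        "ascii": re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE),
        "utf-16le": re.compile(re.escape(keyword.encode("utf-16-le")), re.IGNORECASE),
    }
    hits: list[Hit] = []
    for encoding, pattern in patterns.items():
        width = 2 if encoding == "utf-16le" else 1
        for m in pattern.finditer(data):
            start = max(0, m.start() - context_chars * width)
            end = min(len(data), m.end() + context_chars * width)
            chunk = data[start:end]
            if width == 2:
                # keep the 2-byte alignment of the match when decoding the window
                if (m.start() - start) % 2:
                    chunk = chunk[1:]
                text = chunk.decode("utf-16-le", errors="replace")
            else:
                text = chunk.decode("latin-1")
            clean = "".join(ch if ch in PRINTABLE else "." for ch in text)
            hits.append(Hit(m.start(), encoding, clean))
    return sorted(hits)


def scan_hive(path: str, keyword: str) -> list[Hit]:
    """Scan a copied hive file (never the original evidence). NTUSER.DAT is
    usually a few MB, so reading it whole is fine."""
    with open(path, "rb") as fh:
        return keyword_hits(fh.read(), keyword)


# Constructed stand-in for a fragment of an NTUSER.DAT hive (not real evidence):
# a RunMRU-style path stored as UTF-16LE plus an ASCII file name in slack space.
SAMPLE_HIVE = (
    b"regf" + b"\x00" * 28
    + b"hbin" + b"\x00" * 12
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU".encode("utf-16-le")
    + b"\x00" * 6
    + "C:\\Users\\Sandhya\\Desktop\\zerologon_tester.py".encode("utf-16-le")
    + b"\x00" * 6
    + b"Zerologon.bat\x00\x00"
)

if __name__ == "__main__":
    for hit in keyword_hits(SAMPLE_HIVE, "zerologon"):
        print(f"0x{hit.offset:06x} {hit.encoding:9} {hit.context}")
```

Run it against the exported hive with scan_hive("NTUSER.DAT.copy", "zerologon") and record the offsets; they let you go back to the same cell in Autopsy or a registry viewer to see which key actually holds the string.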

Timeline

Pulling together the available artifacts suggests the following sequence. The first login on the workstation appears to have been by Sandhya, during which a Zerologon exploit was attempted but failed. After that, Hasan logged in and used tools to dump credentials, possibly to start moving laterally; evidence of Mimikatz and a Python installer was found in Hasan’s directory. Finally, Sivapriya made the last recorded login on this workstation, and a PowerShell script intended to escalate privileges was found in their directory. This script could have been used during lateral activity to escalate privileges on other hosts, or, if local admin rights were not assigned to Hasan, another attacker could have tried to escalate privileges using Sivapriya’s account. At this stage it is not clear whether the multiple accounts represent separate actors working together or a single actor using different credentials. Resolving that requires cross-host correlation, domain controller logs and network telemetry.

Next Steps and Verification

This was a basic Autopsy workflow. For stronger attribution and a complete reconstruction we need to collect domain controller logs, firewall and proxy logs and any endpoint telemetry available. Specialised tools can be used for deeper analysis where appropriate.

Conclusion

As you can see, Autopsy is an extensible platform that can organize many routine forensic tasks, but it is only one part of a comprehensive investigation. Successful disk analysis depends on careful evidence handling and multiple data sources. It’s also important to confirm hashes and chain of custody before and after the analysis. When you combine solid on-disk analysis with domain and network logs, you can move from isolated observations to a defensible timeline and conclusions. 

If you need forensic assistance, we offer professional services to help investigate and mitigate incidents. Additionally, we provide classes on digital forensics for those looking to expand their skills and understanding in this field.

Best Ever Chicken Noodle Soup for Winter | Restaurant Style Chicken Noodle Soup

By: Priyanka
10 November 2025 at 23:11

A hearty, comforting and fulfilling soup that you must try this winter season is the classic restaurant style chicken noodle soup which is a one pot wonder that will keep you full for the entire night!

Winter is just around the corner and so is the craving for that soulful bowl of warm soup that will perfectly fit the bill as a one pot meal!

So here I come with my homemade chicken noodle soup that not only looks gorgeous but can also give the restaurant version a run for its money in terms of its flavors and taste!

Try it once and you will know why I am saying what I am saying!

What is chicken noodle soup?

Asian chicken noodle soup is a widely popular soup and I am not surprised at all! If a single dish can work as an entree as well as main course, who wouldn’t love it?

I made this a week before Diwali when we were feeling a little under the weather; we loved it so much that we immediately decided to prepare it for our little blog and share it with y’all!

The best thing about this soup recipe is that you won’t need a long list of ingredients; just the basic aromatics, chicken & noodles and you are ready to whip up the most comforting soup of the season!

The post Best Ever Chicken Noodle Soup for Winter | Restaurant Style Chicken Noodle Soup first appeared on Flavor Quotient.


Digital Forensics: Volatility – Memory Analysis Guide, Part 1

3 November 2025 at 11:20

Welcome back, aspiring DFIR investigators!

If you’re diving into digital forensics, memory analysis is one of the most exciting and useful skills you can pick up. Essentially, you take a snapshot of what’s happening inside a computer’s brain right at that moment and analyze it. Unlike checking files on a hard drive, which shows what was saved before, memory tells you about live actions. Things like running programs or hidden threats that might disappear when the machine shuts down. This makes it super helpful for solving cyber incidents, especially when bad guys try to cover their tracks.

In this guide, we’re starting with the basics of memory analysis using a tool called Volatility. We’ll cover why it’s so important, how to get started, and some key commands to make you feel confident. This is part one, where we focus on the foundations and the core commands. Stick around for part two, where we’ll keep exploring Volatility and dive into network details, registry keys, files, and scans like malfind and Yara rules. Plus, if you make it through part two, there are some bonuses waiting to help you extract even more insights quickly.

Memory Forensics

Memory analysis captures things that disk forensics might miss. For example, after a cyber attack, malware could delete its own files or run without ever writing anything to disk, leaving nothing to find on the hard drive. In memory, though, you can still spot remnants such as active connections or cryptographic keys. Even law enforcement grabs memory dumps from suspects’ computers before powering them off: once the machine is off, RAM clears, and booting back up may be tricky if the attacker has set traps. Attackers sometimes use tricks like USB drives that trigger wipes of sensitive data on shutdown, cleaning everything in seconds so investigators find nothing. We’re not diving into those tricks here, but they show why memory comes first in many investigations.

Lucky for us, Volatility makes working with these memory captures straightforward. The framework has evolved over time, and in 2019 Volatility 3 arrived with a cleaner syntax and plugin names that are easier to remember. We’ll look at both Volatility 2 and 3, sharing commands to get you comfortable. These should cover what most analysts need.

Memory Gems

Below is some valuable data you can find in RAM for investigations:

1. Network connections

2. File handles and open files

3. Open registry keys

4. Running processes on the system

5. Loaded modules

6. Loaded device drivers

7. Command history and console sessions

8. Kernel data structures

9. User and credential information

10. Malware artifacts

11. System configuration

12. Process memory regions

Keep in mind, sometimes key data like encryption keys hides in memory. Memory forensics can pull this out, which might be a game-changer for a case.

Approach to Memory Forensics

In this section we will describe a structured method for conducting memory forensics, designed to support investigations of data in memory. It is based on the six-step process from SANS for analyzing memory.

Identifying and Checking Processes

Start by listing all processes that are currently running. Harmful programs can pretend to be normal ones, often using names that are very similar to trick people. To handle this:

1. List every active process.

2. Find out where each one comes from in the operating system.

3. Compare them to lists of known safe processes.

4. Note any differences or odd names that stand out.

Examining Process Details

After spotting processes that might be problematic, look closely at the related dynamic link libraries (DLLs) and resources they use. Bad software can hide by misusing DLLs. Key steps include:

1. Review the DLLs connected to the questionable process.

2. Look for any that are not approved or seem harmful.

3. Check for evidence of DLLs being inserted or taken over improperly.

Reviewing Network Connections

A lot of malware needs to connect to the internet, such as to contact control servers or send out stolen information. To find these activities:

1. Check the open and closed network links stored in memory.

2. Record any outside IP addresses and related web domains.

3. Figure out what the connection is for and why it’s happening.

4. Confirm if the process is genuine.

5. See if it usually needs network access.

6. Track it back to the process that started it.

7. Judge if its actions make sense.

Finding Code Injection

Skilled attackers may use methods like replacing a process’s code or working in hidden memory areas. To detect this:

1. Apply tools for memory analysis to spot unusual patterns or signs of these tactics.

2. Point out processes that use strange memory locations or act in unexpected ways.

Detecting Rootkits

Attackers often aim for long-term access and hiding. Rootkits bury themselves deep in the system, giving high-level control while staying out of sight. To address them:

1. Search for indicators of rootkit presence or major changes to the OS.

2. Spot any processes or drivers with extra privileges or hidden traits.

Isolating Suspicious Items

Once suspicious processes, drivers, or files are identified, pull them out for further study. This means:

1. Extract the questionable parts from memory.

2. Save them safely for detailed review with forensic software.

The Volatility Framework

A widely recommended option for memory forensics is Volatility, a prominent open-source framework in the field. Its main component is a Python command-line script (vol.py, or simply vol when installed with pip) that relies on a set of plugins to analyze memory dumps. Since it is built on Python, it runs on any system that supports Python.

Volatility’s modules, also known as plugins, are additional features that expand the framework’s capabilities. They help pull out particular details or carry out targeted examinations on memory files.

Frequently Used Volatility Modules

Here are some modules that are often used:

pslist: Shows the active processes.

cmdline: Reveals the command-line parameters for processes.

netscan: Checks for network links and available ports.

malfind: Looks for possible harmful code added to processes.

handles: Examines open resources.

svcscan: Displays services in Windows.

dlllist: Lists the dynamic-link libraries loaded in a process.

hivelist: Identifies registry hives stored in memory.

You can find documentation on Volatility here:

Volatility v2: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference

Volatility v3: https://volatility3.readthedocs.io/en/latest/index.html

Installation

Installing Volatility 3 is quite easy. We recommend a separate virtual environment to keep things organized; create and activate it before proceeding with the rest:

bash$ > python3 -m venv ~/venvs/vol3

bash$ > source ~/venvs/vol3/bin/activate

Now you are ready to install it:

bash$ > pip install volatility3

installing volatility

Since we are going to cover Yara rules in Part 2, we will need to install some dependencies:

bash$ > sudo apt install -y build-essential pkg-config libtool automake libpcre3-dev libjansson-dev libssl-dev libyara-dev python3-dev

bash$ > pip install yara-python pycryptodome

installing yara for volatility

Yara rules are important and help you automate a good part of the analysis. There are hundreds of rule sets available on GitHub, so you can download and use them each time you analyze a dump. While these rules can find a lot, there is always a chance that malware flies under the radar, as attackers change tactics and rewrite payloads.

Now we are ready to work with Volatility 3.

Plugins

Volatility comes with multiple plugins. To list all the available plugins do this:

bash$ > vol -h

showing available plugins in volatility

Each of these plugins has a separate help menu with a description of what it does.

Memory Analysis Cheat Sheet

Image Information

Imagine you’re an analyst investigating a hacked computer. You start with image information because it tells you basics like the OS version and architecture. This helps Volatility pick the right settings to read the memory dump correctly. Without it, your analysis could go wrong. For example, if a company got hit by ransomware, knowing the exact Windows version from the dump lets you spot if the malware targeted a specific weakness.

In Volatility 2, 'imageinfo' scans for suggested profiles, and 'kdbgscan' digs deeper for the kernel debugger block if needed. Volatility 3’s 'windows.info' combines this, showing 32/64-bit, OS version and kernel details in one run, and it’s quicker because it resolves symbols for the exact kernel instead of guessing profiles.

bash$ > vol -f Windows.vmem windows.info

getting image info with volatility

Here’s what the output looks like, showing key system details to guide your next steps.

Process Information

As a beginner analyst, you’d run process commands to list what’s running on the system, like spotting a fake “explorer.exe” that might be malware stealing data. Say you’re checking a bank employee’s machine after a phishing attack, these commands can tell you if suspicious programs are active, and help you trace the breach.

'pslist' shows active processes by walking the kernel’s process list. 'psscan' scans memory for _EPROCESS structures and can find hidden or terminated ones (good for rootkits). 'pstree' displays parent-child relationships like a family tree. 'psxview' in Vol 2 compares several process lists to find hidden processes; in Vol 3 you compare the pslist and psscan output yourself.

Note that Volatility 2 wants you to specify the profile. You can find out the profile while gathering the image info.

Volatility 2:

vol.py -f "/path/to/file" --profile <profile> pslist

vol.py -f "/path/to/file" --profile <profile> psscan

vol.py -f "/path/to/file" --profile <profile> pstree

vol.py -f "/path/to/file" --profile <profile> psxview

Volatility 3:

vol.py -f "/path/to/file" windows.pslist

vol.py -f "/path/to/file" windows.psscan

vol.py -f "/path/to/file" windows.pstree

Now let’s see what we get:

bash$ > vol -f Windows7.vmem windows.pslist

displaying a process list with volatility

This output lists processes with PIDs, names, and start times. Great for spotting outliers.

bash$ > vol -f Windows.vmem windows.psscan

running a process scan with volatility to find hidden processes

Here, you’ll see a broader scan that might catch processes trying to hide.

bash$ > vol -f Windows7.vmem windows.pstree

listing process trees with volatility

This tree view helps trace how processes relate, like if a browser spawned something shady.

Displaying the entire process tree will look messy, so we recommend a more targeted approach with --pid.
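The process checks from the approach section (list every process, compare with known-good, note odd names) and the pslist/psscan comparison that replaces psxview in Volatility 3 can be scripted. The following Python is an added example, not code from this page or from the Volatility project: it parses the tab-separated tables Volatility 3 prints for windows.pslist and windows.psscan, reports processes that psscan carved but pslist did not link (hidden or exited), checks core Windows processes against their expected parent, and flags look-alike names such as scvhost.exe. The expected-parent table and the two sample tables are constructed assumptions for a Windows 7 image.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# Parent that each core Windows process is expected to have (Windows 7 and later).
# csrss/wininit/winlogon are started by a second smss.exe that exits, so their
# parent is usually absent from pslist; that case is tolerated below.
EXPECTED_PARENT = {
    "smss.exe": {"System"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "taskhost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
}
KNOWN_NAMES = set(EXPECTED_PARENT) | {"System", "explorer.exe", "userinit.exe", "dwm.exe"}


def parse_process_table(text: str) -> dict[int, Proc]:
    """Parse the tab-separated table printed by windows.pslist / windows.psscan.
    Only PID, PPID and ImageFileName (the first three columns) are used; banner,
    header and progress lines are skipped because their first column is not numeric."""
    procs = {}
    for line in text.strip().splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or not cols[0].strip().isdigit():
            continue
        pid, ppid, name = int(cols[0]), int(cols[1]), cols[2].strip()
        procs[pid] = Proc(pid, ppid, name)
    return procs


def hidden_processes(pslist: dict, psscan: dict) -> list:
    """psscan carves _EPROCESS blocks from memory; anything it finds that the
    linked-list walk (pslist) misses is either exited or unlinked by a rootkit."""
    return [p for pid, p in psscan.items() if pid not in pslist]


def parent_anomalies(procs: dict) -> list:
    findings = []
    for p in procs.values():
        expected = EXPECTED_PARENT.get(p.name)
        if expected is None:
            continue
        parent = procs.get(p.ppid)
        if parent is None:
            if "smss.exe" not in expected:   # only smss children may have an exited parent
                findings.append(f"{p.name} (PID {p.pid}) parent PID {p.ppid} not in list")
            continue
        if parent.name not in expected:
            findings.append(f"{p.name} (PID {p.pid}) spawned by {parent.name} "
                            f"(PID {p.ppid}), expected {sorted(expected)}")
    return findings


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch names one or two edits from a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_names(procs: dict, max_distance: int = 2) -> list:
    """Flag names that are almost, but not exactly, a well-known Windows process."""
    known_lower = {k.lower(): k for k in KNOWN_NAMES}
    findings = []
    for p in procs.values():
        name = p.name.lower()
        if name in known_lower:
            continue
        for k_lower, known in known_lower.items():
            if 0 < edit_distance(name, k_lower) <= max_distance:
                findings.append(f"{p.name} (PID {p.pid}) resembles {known}")
                break
    return findings


def analyze(pslist_text: str, psscan_text: str) -> dict:
    pslist, psscan = parse_process_table(pslist_text), parse_process_table(psscan_text)
    return {
        "hidden": hidden_processes(pslist, psscan),
        "parent_anomalies": parent_anomalies(pslist),
        "lookalikes": lookalike_names(pslist),
    }


# Constructed sample (not real Volatility output): the first columns of
# windows.pslist and windows.psscan for a Windows 7 image.
PSLIST = """PID\tPPID\tImageFileName\tOffset(V)\tThreads
4\t0\tSystem\t0x85b3c020\t80
272\t4\tsmss.exe\t0x86c1d6b8\t2
356\t344\tcsrss.exe\t0x87f2a030\t9
404\t344\twininit.exe\t0x87f5c568\t3
500\t404\tservices.exe\t0x87f9a7d0\t7
508\t404\tlsass.exe\t0x87fa8a98\t6
612\t500\tsvchost.exe\t0x8800e9c0\t10
700\t500\tsvchost.exe\t0x8804b2b0\t15
1300\t1232\texplorer.exe\t0x884a1d40\t22
1688\t1300\tsvchost.exe\t0x885c07a8\t4
2040\t612\tscvhost.exe\t0x8861e030\t2
2212\t1300\tcmd.exe\t0x88701d40\t1
"""
PSSCAN = PSLIST + "3333\t500\trootk.exe\t0x88912b40\t3\n"

if __name__ == "__main__":
    for category, items in analyze(PSLIST, PSSCAN).items():
        print(category, *items, sep="\n  ")
```

Redirect the real plugin output to files (vol -f image.vmem windows.pslist > pslist.txt, and likewise for psscan) and feed their contents to analyze(). A process that psscan finds but pslist does not is worth a pstree and dlllist look before you call it hidden, since a recently exited process shows up the same way.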

Process Dump

You’d use process dump when you spot a suspicious process and want to extract its executable for closer inspection, like with antivirus tools. For instance, if you’re analyzing a system after a data leak, dumping a weird process could reveal it is spyware sending info to hackers.

Vol 2’s 'procdump' pulls the executable for a PID. In Vol 3, 'windows.pslist --pid <PID> --dump' writes the process executable, while 'windows.dumpfiles --pid <PID>' dumps the file objects the process has mapped, so you get the exe plus its DLLs and other mapped files, which gives more context.

Volatility 2:

vol.py -f "/path/to/file" --profile <profile> procdump -p <PID> --dump-dir="/path/to/dir"

Volatility 3:

vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --pid <PID>

We already have a process we are interested in:

bash$ > vol -f Windows.vmem windows.dumpfiles --pid 504

dumping files with volatility

After the dump, check the output and analyze it further.

Memdump

Memdump is key for pulling the full memory of a process, which might hold passwords or code snippets. Imagine investigating insider theft, dumping memory from an email app could show unsent drafts with stolen data.

Vol 2’s 'memdump' extracts the raw memory of a PID. Vol 3’s 'memmap' with --dump maps the process’s address space and dumps the regions, useful for detailed forensics.

Volatility 2:

vol.py -f "/path/to/file" --profile <profile> memdump -p <PID> --dump-dir="/path/to/dir"

Volatility 3:

vol.py -f "/path/to/file" -o "/path/to/dir" windows.memmap --dump --pid <PID>

Let’s see the output for our process:

bash$ > vol -f Windows7.vmem windows.memmap --dump --pid 504

pulling memory of processes with volatility

This shows the memory map and dumps files for deep dives.

DLLs

Listing DLLs helps spot injected code, like malware hiding in legit processes. Unusual DLLs might point to infection.

Both versions list loaded DLLs for a PID, but Vol 3 is profile-free and faster.

Volatility 2:

vol.py -f "/path/to/file" --profile <profile> dlllist -p <PID>

Volatility 3:

vol.py -f "/path/to/file" windows.dlllist --pid <PID>

Let’s see the DLLs loaded in our memory dump:

bash$ > vol -f Windows7.vmem windows.dlllist --pid 504

listing loaded DLLs in volatility

Here you see all loaded DLLs of this process. You already know how to dump processes with their DLLs for a more thorough analysis. 

Handles

Handles show what a process is accessing, like files or keys crucial for seeing if malware is tampering with system parts. In a ransomware case, handles might reveal encrypted files being held open or encryption keys used to encrypt data.

Both commands list handles for a PID. Similar outputs, but Vol 3 is streamlined.

Volatility 2:

vol.py -f "/path/to/file" --profile <profile> handles -p <PID>

Volatility 3:

vol.py -f "/path/to/file" windows.handles --pid <PID>

Let’s see the handles our process used:

bash$ > vol -f Windows.vmem windows.handles --pid 504

listing handles in volatility

It gave us details, types and names for clues.

Services

Services scan lists background programs, helping find persistent malware disguised as services. If you’re probing a server breach, this could uncover a backdoor service.

Use | more to page through long lists. Outputs are similar, showing service names and states.

Volatility 2:

vol.py -f "/path/to/file" --profile <profile> svcscan | more

Volatility 3:

vol.py -f "/path/to/file" windows.svcscan | more

Since creating or modifying services is a common persistence technique, a lot can be discovered here:

bash$ > vol -f Windows7.vmem windows.svcscan

listing windows services in volatility

Give it a closer look and spend enough time here. It’s good to familiarize yourself with native services and their binary paths so that outliers stand out.

Summary

We’ve covered the essentials of memory analysis with Volatility, from why it’s vital to key commands for processes, dumps, DLLs, handles, and services. Apart from the commands, now you know how to approach memory forensics and what actions you should take. As we progress, more articles will be coming where we practice with different cases. We already have a memory dump of a machine that suffered a ransomware attack, which we analyzed with you recently. In part two, you will build on this knowledge by exploring network info, registry, files, and advanced scans like malfind and Yara rules. And for those who finish part two, some handy bonuses await to speed up your work even more. Stay tuned!

The post Digital Forensics: Volatility – Memory Analysis Guide, Part 1 first appeared on Hackers Arise.

Network Forensics: Analyzing a Server Compromise (CVE-2022-25237)

24 October 2025 at 10:34

Welcome back, aspiring forensic and incident response investigators.

Today we are going to learn more about a branch of digital forensics that focuses on networks, which is Network Forensics. This field often contains a wealth of valuable evidence. Even though skilled attackers may evade endpoint controls, active network captures are harder to hide. Many of the attacker’s actions generate traffic that is recorded. Intrusion detection and prevention systems (IDS/IPS) can also surface malicious activity quickly, although not every organization deploys them. In this exercise you will see what can be extracted from IDS/IPS logs and a packet capture during a network forensic analysis.

The incident we will investigate today involved a credential-stuffing attempt followed by exploitation of CVE-2022-25237. The attacker abused an API to run commands and establish persistence. Below are the details and later a timeline of the attack.

Intro

Our subject is a fast-growing startup that uses a business management platform. Documentation for that platform is limited, and the startup administrators have not followed strong security practices. For this exercise we act as the security team. Our objective is to confirm the compromise using network packet captures (PCAP) and exported security logs.

We obtained an archive containing the artifacts needed for the investigation. It includes a .pcap network traffic file and a .json file with security events. Wireshark will be our primary analysis tool.

network artifacts for the analysis

Analysis

Defining Key IP Addresses

The company suspects its management platform was breached. To identify which platform and which hosts are involved, we start with the pcap file. In Wireshark, open Statistics > Endpoints, select the TCP tab and sort by packet count to see which IP addresses dominate the capture.

endpoints in wireshark with higher reception

This quickly highlights the IP address 172.31.6.44 as a major recipient of traffic. The traffic to that host involves ports 37022, 8080, 61254, 61255 and 22. Of these, 8080 (HTTP) and 22 (SSH) are the server-side services of interest; the high-numbered ports are most likely ephemeral client-side ports rather than services running on the host.

When you identify heavy talkers in a capture, export their connection lists and timestamps immediately. That gives you a focused subset to work from and preserves the context of later findings.

Analyzing HTTP Traffic

The port usage suggests the management platform is web-based. Filter HTTP traffic in Wireshark with http.request to inspect client requests. The first notable entry is a GET request whose URL and headers match Bonitasoft’s platform, showing the company uses Bonitasoft for business management.

http traffic that look like brute force

Below that GET request you can see a series of authentication attempts (POST requests) originating from 156.146.62.213. The login attempts include usernames that reveal the attacker has done corporate OSINT and enumerated staff names.

The credentials used for the attack are not generic wordlist guesses, instead the attacker tries a focused set of credentials. That behavior is consistent with credential stuffing: the attacker uses previously leaked username/password pairs (often from other breaches) and tries them against this service, typically automated and sometimes distributed via a botnet to blend with normal traffic.

credential stuffing spotted

A credential-stuffing event alone does not prove a successful compromise. The next step is to check whether any of the login attempts produced a successful authentication. Before doing that, we review the IDS/IPS alerts.

Finding the CVE

To inspect the JSON alert file in a shell environment, format it with jq and then see what’s inside. Here is how you can make the json output easier to read:

bash$ > cat alerts.json | jq .

reading alert log file

The full file is too large to read end to end, so narrow it down to indicators such as CVE identifiers:

bash$ > cat alerts.json | jq . | grep -i cve

grepping cves in the alert log file

Security tools often map detected signatures to known CVE identifiers. In our case, alert data and correlation with the observed HTTP requests point to repeated attempts to exploit CVE-2022-25237, a vulnerability affecting Bonita Web 2021.2. The exploit abuses insufficient validation in the RestAPIAuthorizationFilter (or related i18n translation logic). By appending crafted data to a URL, an attacker can reach privileged API endpoints, potentially enabling remote code execution or privilege escalation.
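The jq and grep step only shows the matching lines; what you usually want next is a count of which CVE signature fired between which endpoints, so the alerts can be lined up against the HTTP requests. The Python below is an added example, not code from this page or from any IDS: it loads the alert file whether it is one JSON array or newline-delimited JSON, walks every string in each record for CVE identifiers (so it does not depend on knowing the sensor’s schema), and tallies (CVE, source, destination) triples. The src_ip / dest_ip field names follow Suricata’s eve.json and are an assumption for other sensors; the three records are constructed, not the case’s real alerts.

```python
import json
import re
from collections import Counter

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)


def load_alerts(text: str) -> list:
    """Accept either a single JSON array or newline-delimited JSON (eve.json
    style); jq handles both, and export tools produce both."""
    text = text.strip()
    try:
        data = json.loads(text)
        return data if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]


def strings_in(node):
    """Yield every string value anywhere in a nested JSON structure."""
    if isinstance(node, dict):
        for v in node.values():
            yield from strings_in(v)
    elif isinstance(node, list):
        for v in node:
            yield from strings_in(v)
    elif isinstance(node, str):
        yield node


def cves_in_alert(alert: dict) -> set:
    """CVE ids mentioned anywhere in the record (signature text, metadata, ...),
    deduplicated so one alert counts once even if the id appears in two fields."""
    return {m.group(0).upper() for s in strings_in(alert) for m in CVE_RE.finditer(s)}


def cve_summary(alerts: list) -> Counter:
    """Count (CVE, source IP, destination IP) triples across all alerts."""
    summary = Counter()
    for alert in alerts:
        for cve in cves_in_alert(alert):
            summary[(cve, alert.get("src_ip", "?"), alert.get("dest_ip", "?"))] += 1
    return summary


# Constructed sample records in an eve.json-like shape (not the real alert file).
SAMPLE_ALERTS = """
{"timestamp": "2025-10-01T09:14:02Z", "src_ip": "156.146.62.213", "dest_ip": "172.31.6.44", "dest_port": 8080, "alert": {"signature": "ET WEB_SPECIFIC_APPS Bonitasoft Authorization Bypass (CVE-2022-25237)", "metadata": {"cve": ["CVE-2022-25237"]}}}
{"timestamp": "2025-10-01T09:14:09Z", "src_ip": "156.146.62.213", "dest_ip": "172.31.6.44", "dest_port": 8080, "alert": {"signature": "ET WEB_SPECIFIC_APPS Bonitasoft Authorization Bypass (CVE-2022-25237)", "metadata": {"cve": ["CVE-2022-25237"]}}}
{"timestamp": "2025-10-01T09:20:41Z", "src_ip": "172.31.6.44", "dest_ip": "34.207.150.13", "dest_port": 445, "alert": {"signature": "ET SCAN Possible Nmap Scan", "metadata": {}}}
"""

if __name__ == "__main__":
    for (cve, src, dst), n in cve_summary(load_alerts(SAMPLE_ALERTS)).most_common():
        print(f"{cve}  {src} -> {dst}  x{n}")
```

Point load_alerts at the contents of alerts.json; a triple whose source matches the credential-stuffing client and whose destination is the web server is the lead to follow in the HTTP streams.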

cve 2022-25237 information

Now we verify whether exploitation actually succeeded.

Exploitation

To find successful authentications, filter responses with:

http.response.code >= 200 and http.response.code < 300 and ip.addr == 172.31.6.44

filtering http responses with successful authentication

Among the successful responses, HTTP 204 entries stand out because they are less common than HTTP 200. Following the HTTP stream for a 204 response shows a login request with valid credentials answered immediately by a 204 and a Set-Cookie header, which means the attacker successfully logged in. This is the point where the attacker moves from probing to interacting with privileged endpoints.

finding a successful authentication

After authenticating, the attacker targets the API to exploit the vulnerability. In the traffic we can see an upload of rce_api_extension.zip, which enables remote code execution. Later this zip file will be deleted to remove unnecessary traces.
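The three observations above (a burst of distinct usernames from one client, the first 204 with a session cookie, and requests carrying the authorization-bypass suffix) can be checked mechanically once the HTTP transactions are exported from the capture. The Python below is an added example, not code from this page: it runs those checks over a list of request/response records of the kind you would export from Wireshark or tshark. The Bonita login path /bonita/loginservice and the i18ntranslation marker come from the product and the public CVE-2022-25237 description, not from the page’s screenshots, and the transactions are constructed for illustration (the usernames other than seb.broom are invented).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Bonita's login servlet path and the CVE-2022-25237 bypass marker are taken
# from the product and the public CVE description, not from the capture itself.
LOGIN_PATH = "/bonita/loginservice"
BYPASS_RE = re.compile(r"(?:;|/(?:\.\./)?)i18ntranslation", re.IGNORECASE)


@dataclass
class HttpTx:
    """One HTTP request paired with its response."""
    ts: float                 # seconds since epoch (frame.time_epoch)
    src: str                  # client IP
    method: str
    uri: str
    status: int               # response code
    username: str = ""        # username field from a login POST body, if any
    set_cookie: bool = False  # response carried a Set-Cookie header


def credential_stuffing_sources(txs, window=60.0, min_users=5):
    """Return {src: distinct usernames} for clients that tried at least
    min_users different usernames against the login endpoint inside any
    window-second span. A normal user retries one name; stuffing cycles names."""
    by_src = defaultdict(list)
    for t in txs:
        if t.method == "POST" and t.uri.startswith(LOGIN_PATH) and t.username:
            by_src[t.src].append(t)
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort(key=lambda t: t.ts)
        best, lo = 0, 0
        for hi, cur in enumerate(attempts):
            while cur.ts - attempts[lo].ts > window:   # slide the window forward
                lo += 1
            best = max(best, len({t.username for t in attempts[lo:hi + 1]}))
        if best >= min_users:
            flagged[src] = best
    return flagged


def first_successful_login(txs, src):
    """Bonita answers a valid login with 204 No Content plus a session cookie;
    the first such response for src marks the moment the stuffing succeeded."""
    for t in sorted(txs, key=lambda t: t.ts):
        if (t.src == src and t.method == "POST" and t.uri.startswith(LOGIN_PATH)
                and t.status == 204 and t.set_cookie):
            return t
    return None


def bypass_requests(txs):
    """Requests whose URI carries the i18ntranslation suffix that lets a
    low-privilege session reach privileged API endpoints (CVE-2022-25237)."""
    return [t for t in txs if BYPASS_RE.search(t.uri)]


# Constructed sample transactions (not the case's real packets).
_ATTACKER = "156.146.62.213"
_USERS = ["a.fowler", "j.reed", "m.osei", "k.larsen", "d.price", "r.kaur", "p.novak"]
SAMPLE = [HttpTx(1000.0 + 2 * i, _ATTACKER, "POST", LOGIN_PATH, 401, u)
          for i, u in enumerate(_USERS)]
SAMPLE += [
    HttpTx(1014.0, _ATTACKER, "POST", LOGIN_PATH, 204, "seb.broom", set_cookie=True),
    HttpTx(1020.5, _ATTACKER, "GET", "/bonita/API/identity/user;i18ntranslation", 200),
    HttpTx(1031.2, _ATTACKER, "POST", "/bonita/API/portal/page/../i18ntranslation/?action=add", 200),
    HttpTx(900.0, "10.0.0.5", "POST", LOGIN_PATH, 204, "ops.admin", set_cookie=True),
    HttpTx(905.0, "10.0.0.5", "GET", "/bonita/portal/homepage", 200),
]

if __name__ == "__main__":
    for src, n in credential_stuffing_sources(SAMPLE).items():
        ok = first_successful_login(SAMPLE, src)
        print(f"{src}: {n} usernames; first success:",
              f"{ok.username} at {ok.ts}" if ok else "none")
    for t in bypass_requests(SAMPLE):
        print(f"bypass attempt at {t.ts}: {t.method} {t.uri}")
```

The window and threshold are tunable; a distributed stuffing campaign spreads the attempts across many sources, so also run the same count keyed on the target endpoint alone before concluding there was no attack.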

finding the api abuse after the authentication
attacker uploaded a zip file to abuse the api

Following the upload, we can observe commands executed on the server. The attacker reads /etc/passwd and runs whoami. In the output we see access to sensitive system information.

reading the passwd file
the attacker assessing his privileges

During a forensic investigation you should extract the uploaded files from the capture or request the original file from the source system (if available). Analyzing the uploaded code is essential to understand what capability it gave the attacker and to find indicators of lateral movement or backdoors.

Persistence

After initial control, attackers typically establish persistence. In this incident, all attacker activity is over HTTP, so we follow subsequent HTTP requests to find persistence mechanisms.

the attacker establishes persistence with pastes.io

The attacker downloads a script hosted on a paste service (pastes.io), named bx6gcr0et8, which then retrieves another snippet hffgra4unv, appending its output to /home/ubuntu/.ssh/authorized_keys when executed. The attacker restarts SSH to apply the new key.

reading the bash script used to establish persistence

A few lines below we can see that the first script was executed via bash, completing the persistence setup.

the persistence script is executed

Appending keys to authorized_keys allows SSH access for the attacker’s key pair and doesn’t require a password. It’s a stealthy persistence technique that avoids adding new files that antivirus might flag. In this case the attacker relied on built-in Linux mechanisms rather than installing malware.

When you find modifications to authorized_keys, pull the exact key material from the capture and compute its fingerprint so you can compare it with known attacker keys and with later logins. Note that the client’s public key travels inside the encrypted SSH channel, so the packet capture will not show which key a later session used; that correlation comes from the server’s authentication log, where sshd records the SHA256 fingerprint of the accepted key. That helps attribute later logins to this initial persistence action.
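To do that comparison you need the same fingerprint ssh-keygen -lf prints, and a way to tell a genuinely new key from a re-commented existing one. The Python below is an added example, not code from this page: it parses authorized_keys lines, validates that the base64 blob really starts with the declared key type, computes the OpenSSH SHA256 fingerprint (unpadded base64 of the SHA-256 of the key blob), and diffs a before and after copy of the file by key material rather than by line text. The two keys are built from arbitrary bytes for the sample and are not real keys; the helper that builds them exists only to construct that sample.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def parse_authorized_keys(text: str) -> list:
    """Return (key type, decoded key blob, comment) for each key line, skipping
    blanks, comments, malformed base64 and lines whose blob does not start with
    the declared type. Option prefixes (command="...", from="...") are not handled."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if len(blob) < 4:
            continue
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n].decode("ascii", errors="replace") != parts[0]:
            continue
        comment = parts[2] if len(parts) == 3 else ""
        keys.append((parts[0], blob, comment))
    return keys


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of sha256(blob),
    the same value `ssh-keygen -lf` prints and sshd logs on accepted logins."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def added_keys(before: str, after: str) -> list:
    """Keys present in `after` but not in `before`, compared by key blob so that
    a changed comment alone does not count as a new key."""
    old = {blob for _, blob, _ in parse_authorized_keys(before)}
    return [(ktype, fingerprint(blob), comment)
            for ktype, blob, comment in parse_authorized_keys(after) if blob not in old]


def make_ed25519_line(raw_pubkey: bytes, comment: str) -> str:
    """Build an ssh-ed25519 public key line from 32 raw bytes. Used here only to
    construct sample data; real keys come from ssh-keygen."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: the admin's existing key and the key the attacker's
# script appended. The key bytes are arbitrary, not real keys.
ADMIN_KEY = make_ed25519_line(bytes(range(32)), "ubuntu@mgmt-01")
ATTACKER_KEY = make_ed25519_line(bytes(range(32, 64)), "root@kali")
BEFORE = "# managed keys\n" + ADMIN_KEY + "\n"
AFTER = BEFORE + ATTACKER_KEY + "\n"

if __name__ == "__main__":
    for ktype, fp, comment in added_keys(BEFORE, AFTER):
        print(f"new key: {ktype} {fp} {comment!r}")
```

Feed BEFORE from a backup or a known-good host and AFTER from the compromised system (or from the script body recovered from the capture); the printed fingerprint is what to search for in /var/log/auth.log lines of the form "Accepted publickey ... SHA256:...".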

MITRE SSH Authorized Keys information

Post-Exploitation

Further examination of the pcap shows the server reaching out to Ubuntu repositories to download a .deb package that contains Nmap. 

attacker downloads a deb file with nmap

Shortly after SSH access is obtained, we see traffic from a second IP address, 95.181.232.30, connecting over port 22. Correlating timestamps shows the command to download the .deb package was issued from that SSH session. Once Nmap is present, the attacker performs a port scan of 34.207.150.13.

attacker performs nmap scan

This sequence, adding an SSH key, then using SSH to install reconnaissance tools and scan other hosts fits a common post-exploitation pattern. Hackers establish persistent access, stage tools, and then enumerate the network for lateral movement opportunities.

During forensic investigations, save the sequence of timestamps that link file downloads, package installation, and scanning activity. Those correlations are important for incident timelines and for identifying which sessions performed which actions.

Timeline

At the start, the attacker attempted credential stuffing against the management server. Successful login occurred with the credentials seb.broom / g0vernm3nt. After authentication, the attacker exploited CVE-2022-25237 in Bonita Web 2021.2 to reach privileged API endpoints and uploaded rce_api_extension.zip. They then executed commands such as whoami and cat /etc/passwd to confirm privileges and enumerate users.

The attacker removed rce_api_extension.zip from the web server to reduce obvious traces. Using pastes.io from IP 138.199.59.221, the attacker executed a bash script that appended data to /home/ubuntu/.ssh/authorized_keys, enabling SSH persistence (MITRE ATT&CK: SSH Authorized Keys, T1098.004). Shortly after persistence was established, an SSH connection from 95.181.232.30 issued commands to download a .deb package containing Nmap. The attacker used Nmap to scan 34.207.150.13 and then terminated the SSH session.

Conclusion

During our network forensics exercise we saw how packet captures and IDS/IPS logs can reveal the flow of a compromise, from credential stuffing, through exploitation of a web-application vulnerability, to command execution and persistence via SSH keys. We practiced using Wireshark to trace HTTP streams, observed credential stuffing in action, and followed the attacker’s persistence mechanism.

Although our class focused on analysis, in real incidents you should always preserve originals and record every artifact with exact timestamps. Create cryptographic hashes of artifacts, maintain a chain of custody, and work only on copies. These steps protect the integrity of evidence and are essential if the incident leads to legal action.

For those of you interested in deepening your digital forensics skills, we will be running a practical SCADA forensics course in November. This intensive, hands-on course teaches forensic techniques specific to Industrial Control Systems and SCADA environments, showing you how to collect and preserve evidence from PLCs, RTUs, HMIs and engineering workstations, reconstruct attack chains, and identify indicators of compromise in OT networks. Practical OT/SCADA skills are rare and highly valued, so completing a course like this is definitely going to make your CV stand out.

We also offer digital forensics services for organizations and individuals. Contact us to discuss your case and which services suit your needs.

Learn more: https://hackersarise.thinkific.com/courses/scada-forensics

The post Network Forensics: Analyzing a Server Compromise (CVE-2022-25237) first appeared on Hackers Arise.
