InfoSecNirvana

Friday, January 29, 2016

Twitter account

I plan to do more updates on my Twitter feed @nairsaj. When I have more content to write about, I will post it here.
Saturday, September 26, 2015

More artifacts through PowerShell - Part 6

MsiInstaller events. Applications that use Windows Installer log both installation and removal events; these are available on the '...
Monday, August 3, 2015

More artifacts through PowerShell - Part 5

MS Office Trust Records. When documents are downloaded from untrusted sources, a "trust" prompt is shown to the user when th...
Saturday, July 4, 2015

More artifacts through PowerShell - Part 4

Typed URLs - alternate location. The main script LRUP already contains many IE-related artifacts; here is one more that we can add to t...
Sunday, June 28, 2015

More artifacts through PowerShell - Part 3

The main LRUP code lists many event logs that are useful in an incident response scenario. In this section, let's look at some additional...
Sunday, June 21, 2015

More artifacts through PowerShell - Part 2

Quickly identify a login event.     Get-WinEvent -FilterHashtable @{Logname='security';ID=4624} | ft -auto -wrap Quickly iden...
Saturday, June 20, 2015

More artifacts through PowerShell - Part 1

Identify currently logged in user. If the requirement is to get only the logged in user along with the time of login then use " w...
Sunday, June 7, 2015

PowerShell updates

Have received many questions offline on the use of PowerShell and how we can get the desired artifacts from a Windows system. While I have re...
Monday, September 30, 2013

Howto - Creating a ZIP file of LRUP outputs

One of the requests I got was to combine the output of all the text files and compress it so that a single file can be sent by the user fro...
Friday, August 30, 2013

LRUP Code published

Code used in the paper is now available from the CodePlex site. https://infosecnirvana.codeplex.com/ This is version 2.0, which is o...

About Me

InfoSecNirvana
An Information Security professional who has been in various roles in IT, including desktop management, system administration, network management, telecommunication and information security. Currently specialised in Digital Forensics and Incident Response (DFIR). Started blogging in 2007 because I wanted to share my experience and ideas with the world.