Digital Forensic Survival Podcast

This week, we’re diving into how to triage for PSEXEC evidence. PSEXEC leaves traces on both the source and target systems, making it essential to identify artifacts on each to determine whether a system was used as an attacker’s tool or was the target of an attack. While PSEXEC has somewhat fallen out of favor due to increased use of PowerShell for similar activities, it remains a commonly abused utility among attackers. In this episode, we’ll break down the key artifacts and methodologies for effective triage.

Understanding how to search for executables is a critical skill in computer forensics. There are major differences in how executables are handled between Windows and Linux systems, so techniques that work on Windows won’t always translate effectively to Linux. In this episode, I’ll break down some triage techniques to help you quickly identify suspicious executables on Linux systems.

Welcome to today’s episode! We’re diving into network triage, focusing specifically on listening ports. While we often look for active connections, identifying suspicious services listening on a port can be equally crucial in your investigation. It’s essential to gather this information for both current, real-time data and historical analysis, providing a more complete view of network activity.

In this episode, we’ll dive into two essential forensic artifacts in Windows: shellbags and the Program Compatibility Assistant (PCA). Shell bags provide valuable evidence of file and folder access, offering insights into user activity and file navigation. We’ll also explore PCA, which can reveal important information about file execution history. Together, these artifacts play a crucial role in uncovering key forensic details during investigations.