Continuing our series on Cloud Forensics & Incident Response, we’ve now posted the second video in our series. It’s titled “Cloud Security Fundamentals for Forensics & Incident Response” and you can watch it in YouTube now: What is IaaS vs…? Hows is IR different? What is Shared Responsibility? …

We’ve just posted an introductory video in our series on Cloud DFIR titled: It’s the first in a (long!) series that aims to help spread knowledge about how to respond to cyber attacks in cloud environments like AWS, Azure and GCP. …

This week, we’ve released another free tool. Cado Cloud Collector is a solution to make forensic imaging of AWS EC2 instances a whole lot easier. The setup takes only 5 minutes, and then you can use it to forensically image any instance in your AWS region in just a few clicks. We’ve built a platform to automate incident response and forensics in AWS — you can deploy it from the AWS Marketplace here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.

Last week we released Cado Live, a free tool to acquire disk images to cloud storage. — This week, we’ve released another free tool. Cado Host collects forensic artefacts from Windows/Linux/OSX systems (MFT, Logs, etc.) and uploads them directly to cloud storage (AWS/Azure/Google Cloud). We’ve built a platform to automate incident response and forensics in AWS — you can deploy it from the AWS Marketplace here. …

I started the Medium account Forensic Labs some time ago, mostly posting on cloud forensics. At the time I added a little link saying “Sign Up if you’d like to beta-test a cloud forensic tool”. When I posted the articles I was gauging interest. And after a few hundred people…

A large number of server-side exploits have been used over the last year to install crypto-currency mining malware. Below we’ve outlined the typical stages of a mining malware attack against a server, and the steps you may want to take during forensics and incident response. We’ve built a platform to…

A core part of intelligence driven incident response is searching relevant indicators across a compromised network. Yara is a popular choice for scanning the contents of files (as opposed to something like OpenIOC which can be used to quickly search across just meta-data). But there are a number of ways…

Incident response with Azure, like other cloud providers, is a little different. Below we’ve outlined where to look if you’re performing Detection, Triage, Investigation or Acquisition in Azure. You can also download a free playbook we’ve written on how to respond to security incidents in Azure. …

Initial Triage Generally it’s a good idea to switch off or hibernate the infected system, in case you are lucky enough it hasn’t finished encrypting files on disk. If it’s a Virtual Machine, take a snapshot. Many ransomware variants encrypt network shares, or spread within networks. If you choose not…