Blue Team Labs

Investigate a trojanized game installer by analyzing browser history, logs, registry hives, and filesystem artifacts to map the full attack chain and extract IOCs.

Reconstruct multi-stage APT attack chain by correlating email, browser, Sysmon logs, and registry artifacts to identify persistence mechanisms and data exfiltration techniques.

Reconstruct a multi-stage attack by analyzing Windows memory dumps using Volatility 3, identifying malicious processes, command lines, and correlating findings with threat intelligence.

Analyze a memory dump using Volatility to identify malicious processes, persistence mechanisms, defense evasion techniques, and map them to MITRE ATT&CK.

Analyze a memory dump using Volatility to identify a malicious process, extract network IOCs, file hash, and compilation timestamp, correlating with external threat intelligence.

Utilize ALEAPP to analyze Android device artifacts, reconstructing a victim's financial details, movements, and communication patterns.

Analyze a spearphishing email to identify social engineering techniques and extract indicators of compromise from its headers and malicious attachment.

Employ Volatility to analyze a memory dump, identifying suspicious processes, network IOCs, memory protections, and attacker's command-and-control infrastructure.

Analyze Linux disk image artifacts, including logs and Bash history, using FTK Imager to investigate insider threat activities and reconstruct user actions.

Synthesize forensic artifacts and Python source code from a disk image to reconstruct a credential theft attack, identifying persistence methods and C2 communications.

Correlate Android and Windows forensic artifacts, including logs and malware analysis, to reconstruct a multi-stage BYOD breach from initial access to persistence.

Analyze PowerShell and Sysmon logs to investigate macro-based malware, identify persistence via scheduled tasks, and extract C2 indicators and keylogger behavior using FTK Imager and olevba.

Reconstruct an attack timeline by analyzing forensic artifacts to identify a UAC bypass, WMI persistence, and backdoor user creation techniques.

Analyze forensic artifacts to trace an attacker's progression from initial social engineering and remote access to a "Sticky Keys" privilege escalation.

Analyze browser, filesystem, and event artifacts to reconstruct the attack chain, identify the malicious download source, extract second-stage and C2 indicators, and determine persistence, account creation, and lateral movement.

Reconstruct the Fog ransomware attack chain by analyzing browser, registry, event logs, and MFT artifacts to identify initial access, persistence, BYOVD privilege escalation, and IOCs.

Reconstruct a multi-stage attack by analyzing Sysmon, WMI, and Prefetch logs to identify initial infection, advanced persistence, and C2 communications.

Analyze a forensic image to extract communication artifacts, identify malware behavior, and decrypt encrypted files using FTK Imager, string analysis, and PowerShell scripting.