The Hacker Mind Podcast: Digital Forensics

So you’ve been hit with ransomware and, for whatever reason, you paid the bitcoin but now the decryptor doesn’t work. Who are you going to call for help?

Paula Januszkiewicz, from Cqure, joins The Hacker Mind to discuss her two presentations at SecTor 2021 on digital forensics. She talks about the various ways criminal hackers hide their work, what happens after ransomware hits on a system, how investigators go about looking for recovery information, and what type of skills those practitioners need to succeed.

Vamosi:  Every good mystery begins with a series of clues and criminologists -- even fictional ones like Sherlock Holmes -- will somehow link those clues back to the guilty party. I believe there’s no perfect crime. I like to believe thatx there’s just imperfect crimes waiting to be resolved.

Solving crimes has been improved by forensic science, a discipline that can be traced back to the early 1900s, to one man, Dr. Edmond Locard, who became known as the "Sherlock Holmes of France". He was a French criminologist who pioneered many scientific, repeatable processes that make up modern forensic science. For instance, he formulated the first principle of forensic science: "Every contact leaves a trace" which is perhaps better known as Locard's exchange principle.

Locard’s forensic science works pretty well for blood. For hair. For even skin cells left at a crime scene. But how does something like that map to the digital world? 

Understand that until the mid 1990s interconnectivity via the internet was largely academic. It really didn’t concern commercial organizations until the late 1990s, until the widespread use of the World Wide Web made it possible for organizations to suffer data breaches or denial of service attacks. That’s when there became an urgent need for computer forensics to become a discrete science.

Ihe first suite of digital forensic tools that I became aware of in the early 2000s was The Coroner's Toolkit. It was for UNIX systems and it was created by Dan Farmer and Wheat-say Vene-ma, who then co-authored a book in 2005 called Forensic Discovery. Like Locard’s principle, if you interact with a digital system, chances are very good that you are leaving traces.  Even if you think you’re erasing your tracks.

To be good at digital forensics, to be a digital Sherlock Holmes, you need to understand systems architecture. And, you need to understand how attackers think.  And in a moment I’ll introduce you to someone who’s very good at both.

[Music]

Vamosi: Welcome to The Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about the people who hack for a living. 

I’m Robert Vamosi, and in this episode I’m talking about what happens after the data breach, what happens after the ransomware is on a system, how investigators go about looking for information, and what type of skills they need as practitioners to succeed. We’ll even talk about one case, in particular, where someone paid the ransom, but the decryptor just didn’t work -- that is until our guest figured it out.

[Music}

Vamosi: So you’re CISO at a major corporation and all of sudden there’s been a ransomware attack in your network, and it’s spreading throughout your infrastructure. Maybe your first concern is to make sure the company is functional. MAybe your second thought is to call in an investigative team. You’ll want someone with years of pen testing experience, some one who knows the operating system like no other. An expert.

Januszkiewicz: Hi my name is Paula Januszkiewicz, and I'm the CEO of Cqure, I'm also a Microsoft Regional Director, it's a very honorable role for someone who is working outside of Microsoft. And my background is pretty straightforward with cyber security for the past 16 years on many different levels. Starting with penetration testing, ending up with incident response and forensics, so pretty much everything that is important for various customers all around the world.

Vamosi: At SecTor, an annual security conference in Toronto, Paua gave not one but two talks this year. Sort of a part one and then a part two around the topic of digital forensics. 

Januszkiewicz: So at sector, I'm going to be having two sessions this time. One is Adventures in Underland. What your system stores on the disk revolves, telling you, and also the second portion of Adventures in the Underland. That is the forensic techniques against hackers, so both of the sessions are related with the forensic and the look at how we're not only able to hide from the hacker perspective the evidence or even destroy it, but how we are able to recover it and get to it from the forensic investigator perspective.

Vamosi: So we might think you already know something about forensics. There’s that TV show,  Crime Scene Investigation or CSI, which perhaps introduced a lot of people around the world to the subject of forensic investigations. But digital forensics has its own history, it’s own methods. And, it’s really nothing at all like that awful spin off, CSI: Cyber -- yeah, I had to bring that up didn’t I?

Januszkiewicz: Forensics it's a very interesting subject that allows you to dig into the dungeons of data that's stored on the disk or in memory. So in general, an operating system that eventually allows you to gain more information about the context within which attack was made.

Vamosi: So to become a digital forensics expert, you really need to understand the systems you are looking to examine. And all the different ways they can be corrupted by an attacker. So what led Paula into forensics?

Januszkiewicz: Forensics, it's a subject that allows us to dig into something, yes?  In my character, I like to research things, so basically I started with penetration testing, and I still do that. So, whenever you perform some attacks. It's always very interesting how on the other side there could be potentially discovered so every hacker has its own mind, and every infrastructure has its own context and money components that are never the same. Therefore every attack is different, and that's why forensics, when we put that into context, gives you the possibility to work every time we have a different situation in a different environment. That's why it's a really good job to do because it's never boring.

Vamosi: Maybe it’s important to understand a little more about what her company, Cqure -- with a C-- does.

Januszkiewicz: So my company's focus is on lots of really bad things around cybersecurity. So we specialize in the custom penetration tests, and we write our own tools to deliver them . And therefore, knowing of course how these things are delivered and so on. We also do and that is a very popular service, especially during the pandemic, something that we call incident response. So when the customer is attacked, they call us and then we come on site, or we help the remote team. 

Vamosi: So Cqure starts before an attack, and is there for its clients during and after an attack.

Januszkiewicz: Right now, only pretty much remotely. In order to not only investigate what happened in the environment, but also to minimize the scope, how the infrastructure could be potentially affected within the attack, it might be that the attack is happening. Yes, so our job is to figure it out and apply appropriate steps of actions in the environment, and also we do deliver education. And that's something that is like a separate branch from what we do, it's called Secure Academy, where we have over 40 Hardcore, I would say trainings that are written by ourselves in house. They are both online and offline, and they are covering various aspects of cybersecurity.

Vamosi: I mentioned that Cqure does pen testing as well, so they probably have an arsenal of their own security tools as well. 

Januszkiewicz: Yeah, so, so we've got it we've got tools that we have grown in house, so some of the tools of course we use that are publicly available, or that are commercial for example, absolutely to automate our tasks but to perform this sometimes sophisticated moves in the infrastructure, we actually write on our own, we have to have over 200 tools that we wrote in house that we are using to support us in penetration testing and our custom version of the mimikatz. Of course it's an edited version of the tool that's written by Benjamin Delby, but we've got definitely much much more tools that we have, like, written from zero, from this crutch in house. These are the tools that are allowing us to be more smooth in projects. So sometimes when there was a need to extract some information from somewhere that could get you some some more fodder, then it's really possible that you're going to find a custom tool in the internet somewhere that's going to do that for you, of course, it's more and more happening like this, but still if you get a certain need is better when you address it by yourself. 

Vamosi: These one-off, specialty tools aren’t just for Cqure, and they’re not just developed by Paula. The tools are open source, and Paula has a team of experts that helps build these tools.

Januszkiewicz: That's why it's really good to work with a team, and our team it's pretty, pretty, it's actually very good. If it's about cooperation with each other, so we understand each other, we know what kind of things someone might want in a project. And eventually, that kind of a team more of that kind of cooperation is something that I was asked to to just move forward and this is what I'm, what I'm always saying, and what I always appreciate in cyber that, however, that sounds of course, sharing is caring and the more information, we're able to share, mainly within our team but also the outside world, that obviously the better.

Vamosi: I should also mention that forensics can be used in other ways, not just for incidents that have already happen but also for events you suspect might be happening in the moment. Like you think an employee might be doing something, but you don’t have the evidence to take them to HR just yet..

Januszkiewicz: Forensics you will bring to the organization. Well, you just want to investigate what has happened so that may for example involve an employee that is in some kind of a way misbehaving, but it's its default role it's of course focusing on the attack. Plus forensics, it's not always something that someone might decide on, it's just enough to recover, it's sometimes just enough to get into simple conclusions, more important for companies sometimes it's to be back to normal operations, and to learn to investigate and so on. That's something that can happen based on   some activity.

[MUSIC]

Vamosi: Paula’s experience as a Microsoft Regional Director comes in handy in her work. In addition to her knowledge of Windows, she’s equally versed in Linux and other operating systems as well.. 

Januszkiewicz: Actually we're talking about both of the systems here, a Linux that Windows another world differently. We are talking here about Windows Linux operating systems and also pretty much any operating system that has been under attack, it's not always possible to do an extensive research depending on the operating system and depending on the data that we have. That's why it's so important to be well prepared for the attack from the monitoring perspective so that later on, we are able to extract the data and  connect more adults in order to learn what was the potential point of entry.

Vamosi: So Windows has this utility, Remote Desktop Protocol, which allows, say, someone from Microsoft Support to remotely take over your computer and diagnose something thats gone wrong. In the hands of someone good, that’s not a problem, and you can invite them and then dismiss them. But in the hands of someone bad, where they access RDP on their own, that’s not good.

Januszkiewicz: RDP itself. It's not wrong. Yes, because it's a way how we are remotely connecting to the server. It has its own advantages like for example you are you loading the full profile settings but then still that could be also restricted and so on so it's better for example, to leverage things like the PowerShell remoting, and so on but regardless the situation for all of these things we need username and password. So the question is, of course, how do we log in as a privileged account in our organization is because we might be logging on with a smart card, and that is also another way to do that so we are here having things like multi factor authentication something we know, so they've been to the smart card, the password event today something that we have so that's the smart gun that we need for that. So eventually, we can figure out better ways of accessing the infrastructure versus just a regular RDP, which is prone to the password spray, like, right.

Vamosi: In the real world, the attacks don’t typically start with some killer zero day exploit, they typically start with something basic, like stolen user credentials, username and password.  Someone sprays the credentials on a system until they get inside, sits on the system, maybe pivoting around the infrastructure, learning the system before exploiting the system.

Januszkiewicz: Absolutely. So, every attack has its stages right so when we think about attacking in a super classic way, then eventually it nowadays the most popular point of entry would be phishing, it's actually in approximately 60% of the attacks. So a user gets a link and an email user clicks on the link and opens an attachment. Yep, so runs a macro. So, these kinds of things, and then a hacker becomes a user. Now question is, what kind of things we can do as a user, user might be connected using VPN to the infrastructure, great, and we are treating user machine as a proxy, where people do what's called VPN before they get so we are going through that user machine to the inside of the infrastructure, and then we search for the low hanging fruit, if the user has access to data, we're getting access to data. If the user stores passwords in a browser, we got that, if the user is the local admin, that's even better. Maybe we are able to perform some Pass the Hash attack, or maybe not because someone is randomizing the local admins password.

Vamosi: The point is once someone gains access to a network, no matter what level of initial access, they can then escalatie the privileges as needed. And often, this is done as a result of internal misconfigurations between different segments of a network. 

Januszkiewicz:  So there are so many points of entry afterwards so once this first wall is kind of us through, then we are able to see all this infrastructure beautiful details that are allowing us to connect the dots again and then maybe move forward, like for example, one of the attacks from zero to hero it's SMB relay and other one is Kerberos thing, being a user, it's totally possible. So, eventually we couldn't really call vulnerabilities that someone could exploit that more mis-configuration and the biggest vulnerability, I think it's actually a mis-configuration.

Vamosi: What’s important here is that these high-profile attacks take time. We see the headlines that X company got breached, or more recently got hit with ransomware, but what we don’t see are the weeks and months before that when the attackers first got onto your network.

Januszkiewicz: So what kind of resources companies use, What are the low hanging fruit, what are the easy targets. What would be valuable from their perspective to encrypt and then ask for the ransom. And so eventually, like that time, that hackers are there, it's quite long. And eventually, when we compare that one with the initial point of entry security log. Then, if we don't realize that hackers managed to get in yesterday then it's already too late. So, putting a little bit of stats on top of that, the former FBI Director James Comey, said that hackers are sitting in infrastructure for approximately 200 days. And when I take that stuff and put it into our project. This is exactly what we see here. Sometimes we see hawkers sitting in infrastructure for three months, sometimes you can see that the first engagement is the first sign that they were there. It's like from half a year ago. And that's scary because then means that these people had, like so much time to investigate what to attack, and then that's why these attacks later are considered to be very precise, but they are like this, because they had time to, to figure it out before.

Vamosi: It seems pretty simple. We know how they get inside, we know that they look around, and then exploit. Why can’t we detect these attacks sooner?

Januszkiewicz: The problem is that the amount of attacks just simply increased, for example, according to the FBI summarizing pandemics. They are saying that the amount of reported attacks has increased by 300% and Interpol sums it up by like 569%. So we definitely see the crazy growth in the attacks. And the thing is that it's not that infrastructures are worse, or something like that. No infrastructures are relatively the same, but the thing is that when someone sees that attacks are working, and at the same time, it is truly lucrative business. Then we just see more of those coming. That's why companies started to rethink their cybersecurity strategy, they started to build up additional solutions, and implement solutions that are allowing us to minimize the risk. That's why we talk about our minds right now but from the needs perspective, nothing has changed for the past like 20 years.

[MUSIC]

Vamosi: One of the fun aspects of Paula’s talks at SecTor is looking at an attack from an attacker’s perspective. If you’re going to do something on another system, how might you do that? You need a point of egress-- how are you going to get in?  Is it a phishing campaign? Is there a vulnerability you can exploit? Then once you are in, how are you going to cover your tracks? 

Januszkiewicz: Yeah, so there are many ways we are able to hide our tracks. First of all, by just eating them yes so eventually we can if we use certain profile we can delete that profile, if we use some most recently used items which we do naturally when we are logged in in an operating system like Windows, then basically we could also delete that we'll get a possibility to play with permission so for example if we want to achieve persistency, to have some therapists, for example, that will be continuously doing something for us, but we don't want anybody to see that service, then by using that as DDL language sort of defined permissions, and we are able to apply the security descriptor so the service for example will not be visible in any of the searches, and so on. 

VAMOSI: Remember Locard’s first principle of forensic science: "Every contact leaves a trace"  By deleting a log or a file, there may still be a reference to it somewhere else. Consider the Lost Library at Alexandria--this was the greatest library ever built in the ancient world. Despite the common belief that it burned, it actually fell to neglect, but the point here is that is contents were destroyed, lost in time, yet we know from other records in other ancient world places what books were lost. Same can be said for computer records on a system -- there are other references, you just have to know how to find them.

Januszkiewicz: That's why it's so important to have an infrastructure well established for monitoring, which you forward you stream out into some central location, and this is where you process it. Yeah, so this is the time we are slipping into, or we already step into it. And when we do forensics, when we do an internal incident response, we lack these kinds of mechanisms. Well, it could make our job a bit better. If you support us in a better way. If we were able to correlate events across workstations, servers and so on, without really getting into every server every machine and verifying what kind of stuff, it's there left.

Vamosi: Yeah, but wait a minute.  I see in the movies how the bad guys just delete logs, delete the log files and then they get away with it.  As an investigator, isn’t deletion something that you look for in the beginning?

Januszkiewicz: Absolutely so so you are able, for example, to make simple queries that are allowing you to ask questions like, show me on what kind of workstations slash servers. This process has been executed or which machine connected to this IP address. So these questions are supernatural and not that they were not asked like 20 years ago, they were completely asked 20 years ago and when we had the same needs in terms of monitoring at that time that we got right now. 

Vamosi: We see a lot of news about ransomware. Ransomware is certainly big topic this year. What about Supply Chains

Januszkiewicz: What I'm seeing, within the supply chain attacks is that we can see more of a trend that a certain customer is ethical through the vendor. So it's more of that. So not necessarily Windows software, which is definitely also the trend, and based on the couple of examples that we got within the world like solar wind and so on. But we also see the trend of attacking the IT company that supports that customer. So there's a large customer enterprise, obviously they got many IT companies that support them. Some of them are supporting their databases, some of them they're supporting their network and so on. Sometimes security's outsource, regardless of the situation, usually privileged access management is not implemented properly for these guys. And therefore, with the hackers they attack the vendors, and through them, they come to that major customer and we see that happening. Of course it's not like a number one trend yet. Number one trend is simply through phishing. Lack of multi factor authentication or some even vulnerable services that are available in the internet that someone could exploit, but that is a very nice way to attack the company because it's quite unexpected.

[MUSIC]

Vamosi: Security is always a double edged sword. Literally. We’ve seen this before where tools developed for good can also be used for bad. Consider a knife. You can cut a loaf of bread--that’s good-- or you can stab someone -- that’s certainly bad. Maybe that’s a bit extreme, but I think you get the idea.

Januszkiewicz: So, eventually, it really depends what kind of things we would like to do, we've got for example, alto runs which is by Sysinternals by Mark Russinovich where we get a possibility to see that persistence, but on the other hand, if you change the permissions, then you were not able to seek up other things like for example from the, from the services perspective, that they are there. So, Every tool has its own cheating mechanism, and eventually it might be not worth even developing it, maybe it's not available in the form of a tool but what's my point is that every solution has its solution against, and eventually Windows what you can also do you can hide logs. 

Vamosi: Right. So Paula and her team has encountered some common ways to do this. 

Januszkiewicz: So, simply every application has its own better or worse mechanism that allows you to log something again, windows, the same Linux the same and so on. So what is the most important thing is to make sure that we are gathering this data somewhere, because what if it gets cleaned locally or in a more innocent scenario, what if it rolls over. So for example you are setting up the log that's going to be only 100 megabytes large or something like this, and this is an application or systems default for some of the cases. And then eventually, for example, for security log in Windows, it's super small. 

VAMOSI: So persistence here is a matter of waiting out the amount of memory allocated to the log file, waiting for it to reset so that records or your activity are overwritten.

So, whenever we get this situation then we can survive on the log, a day or two, or three, depending on how active certain servers would be. So, from the investigators perspective there is literally nothing, taking into consideration that trend that we are dealing with right now, so let's maybe mention that one for the moment to confer with the need of money drink that trend is very simple right now. Hackers are connected to the environment, maybe through fishing, maybe through the passwords for your dog. He doesn't really matter right now but when they are there, then, what they are doing, they are performing their research. 

Vamosi: within the Windows NT file system, the USN Journal or Update Sequence Number Journal, or sometimes even the Change Journal maintains a record of changes made to the volume. It should keep track of any changes made. 

You can for example clean that USN Journal. So that is hiding your traces because, like one of the major points to search for when you are analyzing the drive, we will look into the USN Journal, and when it's not there, it's hard to figure out what kind of files were dropped in that disk that were maybe executed and they are no longer there. 

{music}

Vamosi: Given her work, Paula must have stories to tell. I mean, when I interviewed her she’d just returned to New York from Abu Dabi -- there must be a story there, right?

Januszkiewicz: you know, like, there's so many stories that are happening right now that that we are participating in. And eventually, whenever we are thinking about the whole like pandemic periods, for sure, incident response has been a number one thing that we've been participating in. So long story short, there are many yeah but some of them are just quite simple. Yes, it's not shocking anymore that we are taking part into the incident response within a company that has users being domain. So, there are many stories like this. And, of course, when we discovered that we are like yet another example like this but, but all of these stories are very similar, I would say yes so we've got an attack through phishing and so on and then this attack spreads in a very unwanted way.

Vamosi: Yeah, but I’m thinking there must be one story that rises to the very top.

Januszkiewicz: Absolutely. During the pandemics, we've been participating in a super exciting project, which I would call a project of the year, because there was actually a very big. It's a set of various factories producing goods that are spread across a whole world. 

Vamosi: So this is a large company, with many satellite facilities around the world. The network then is critical. Especially during a worldwide pandemic.

Januszkiewicz: And that was a time where most of the countries were in lockdown so that was a springtime, 2021. And the thing was that even though that travel was banned. We could still have trouble on the various government passes because what happened over there was really critical, not only for the company itself, but also to the economy of a certain country. 

Vamosi: So this is critical infrastructure for a nation. And someone’s deposited ransomware on the network, shutting them down.

Januszkiewicz: So, long story short, when we get inside. What it appeared is that through the vendor. The customer has been attacked so hackers first attacked the vendor possessing the domain admin credentials, took them, log, log to death. Customers repositories stayed there for three weeks, and then started to encrypt their data, so they are in the environment. So the infrastructure was pretty smashed. And that includes their database that was a crucial resource of knowledge for making various decisions in this organization. And unfortunately, for that resource that was quite also surprising, they didn't have a good backup strategy. So even though they would recover from that backup then the data would not be complete. So that was a very unwanted state when they realized that they actually had to pay the ransom.

Vamosi: Despite all the advice to the contrary, sometimes companies find themselves in a position where they have to pay a ransom. But what they get in return, the key, doesn’t always work.

Januszkiewicz: And there was a negotiator company hired for that purpose and they managed to negotiate, to pay half a million euros. So that was quite a huge amount for what they got because in the response, they got the decrypter that simply wasn't working for all the data that was encrypted. So you pay quite a lot of money for something that you cannot really use. 

Vamosi: Not trying to take sides here, but had the situation been different, the decryptor would have worked and released the data. But the encryption process was done on a live database, one that was changing as the encryption was occurring. 

Januszkiewicz:  And the problem was and that was my job within the project that eventually led to decryption, it had a good implementation of the algorithm, allowing me to decrypt the data. But the problem was when that data was encrypted. It was encrypted. Couple of times because of the faulty encrypter so the ransomware was just barely written. So imagine that when you've got a database that is in use, then the ransomware comes in, starts to encrypt it, Then it crashes because the data is in use and then it goes again and again and again. And then this is how the data is encrypted like 345 times. And eventually, it's broken and when you've got a decrypter that only does it in one round in a certain way because there were a couple of other components included, then basically it's simply not working. 

Vamosi: This sounds dire. An incomplete backup combined with a broken decryptor. The customer is still without their database. Fortunately, Paula and her team were able to rebuild the decryptor and eventually release the database.

Januszkiewicz:  So our job was to decompile the decrypter fix it, understand the mechanism, as we're playing a bit of a helpdesk role for the hackers actually, and, and it was working and we managed to actually get access to 100% of the customer's data, But it was a bit of a brainy project because we had to figure out what is behind the cryptography that's used by the by the attackers but luckily it worked out, it was a quite a relief.

Vamosi: So are these roll your own encryptions or were they using something that was standard that they implemented poorly.

Januszkiewicz: So it was actually a very well implemented thing but it's not the implementation, or the order of the components that they were using that matter, it was a matter of how they use it. So, basically, there were, there were a couple of mechanisms that we implemented for example they were encrypting only the first eight megabytes of the file, but each of the megabytes was encrypted differently. And this is what we had to work on so to understand that mechanism yes because to just run through that simple simple encryption or encryption function then it will be easy. Yeah, but eventually what they were doing, they're also adding their own logic on the top of everything, and that this wouldn't matter.

[Music]

Vamosi: What does Paula suggest for someone looking to become a forensics investigator?  Say, the next digital Sherlock Holmes?

Januszkiewicz: So if you want to build your career as a forensics investigator, one thank you for sure has to have great knowledge about operating system internals. So however the operating system works, that's something that could not or shouldn't really surprise you. So any possible place that information could be stored, that's something that should come to you as a default knowledge. Now, whenever we think about some other concepts over here, being penetration tester or having the background of the penetration testing. I think it's always good to know more, yeah and to be a good forensic investigator, you need to know how hackers work, and how these attacks are delivered. So for example, if you're investigating something and you see that there is a certain correlation of activities in logs. And they, for example, represent, let's say pasta tickets attack which is also quite hard to discover, then you know how it works and you know what to search for and you know that identity could be stolen in many different ways. Therefore, you were able to conclude that penetration testing activity, in my opinion, is absolutely important just to avoid stopping forensic investigators, but to be able to more dynamically interpret the situation in the infrastructure.

Vamosi: And should you strive to become a generalist, a jack of all trades or is there still value in specialization? Being that one expert in one particular niche field?

Januszkiewicz: Absolutely. There are many areas of specialization. One is, of course, mobile devices, and the other one is for example a network which is different from the operating system sphere, and we need to know a bit about everything that's for sure. We need to be good at one or more items over here. That's why I'm having that kind of a deep knowledge, it's sometimes even hard to get a one person so when you do the forensics for and that is actually a bigger project then, usually it's not one person doing it but every specializes every person specializes in the, in a certain technology so mobile devices are very specific and network also systems also so at least these things of course might be combined, but to have someone really really good. It's hard to have someone being good at these all of these spheres, yeah

Vamosi: Apart from becoming a pen tester, a digital forensics expert, what does Paula recommend organizations do to improve their security?

Januszkiewicz: Well, if good private access management is the key to success. So that's one thing, monitoring identity has never been as important than right now, so it's more important than ever. So anything that will discover the anomalies of the identity being in some sense misusing the infrastructure that's the way to go. Also multi factor authentication, that is a must. Nowadays, conditional access, understanding where people are logging on and how definitely something to pay attention to, and also one of their I think most important things. It's monitoring and preventing running the code in general that we don't know So, simply speaking, always think implemented, and servers on servers, workstations that are preventing running executables that are there for the first time, and we did not eventually approve.

Vamosi: Perhaps now, like never before, with all the threats, is a good time for companies to get serious with their security policies and establish good habits.

Januszkiewicz: You know what's good for the current times is that cybersecurity it's very understaffed. So there is much much more projects that we are able, on the globe to handle, so it's even better when the customers implement all the good security solutions because it's really good to see that companies can approach, with, with the good maturity to cybersecurity and develop that strategy that from time to time, I mean it's going to, it's going to grow, there's only in time but now, even though the companies start that process, it's still good to see that there are the simple things that we are able to implement like for example, attack surface reduction rules. Yes, so that's free, you're able to implement it on a platform like I see completely no reason why we're not supposed to use this and so on so that that kind of things, minimize the risk and it's all about that risk being minimized so that eventually companies are not seen as as juicy targets for hackers

Vamosi: I’d like to thank Paula for sharing her experience and stories about digital forensics. I like to think that criminals can’t get away with their crime. Like Locard’s exchange principle, there’s always something left behind that a good investigator can find and piece together. Of course that requires a good investigator like Paula and her team.

Let's keep the conversation going. DM me @Robert Vamosi on Twitter or join me on Reddit or discord. The deets are available at The Hacker Mind 

The Hacker Mind is brought to you every two weeks commercial free by ForAllSecure. 

For The Hacker Mind, I remain your digital Arthur Conan Doyle, Robert Vamosi