Profile

Patrick Olsen
Lives in Seoul, South Korea
167 followers|1,299,491 views

Stream

Patrick Olsen

Shared publicly
Wrote a new blog post over the weekend: Forensics in the Amazon Cloud – EC2 https://sysforensics.org/2014/10/forensics-in-the-amazon-cloud-ec2.html #Cloud   #EC2   #Forensics   #Malware   #InfoSec   #DFIR  
sysforensics | Amazon EC2, Digital Forensics, Forensic Artifacts, Incident Response, log2timeline, Malware Analysis, mmls, sans investigative forensic toolkit, SIFT, SIFT Kit, The Sleuth Kit, Timeline analysis. Businesses of all sizes seem to be moving at least some operations to the cloud.

Patrick Olsen

Shared publicly
I got a new blog post up called Know your Windows processes or Die Trying. http://sysforensics.org/2014/01/know-your-windows-processes.html
I have been talking with quite a few people lately tasked with “security” inside their organizations and couldn't help but notice their lack of understanding when it came to Windows process information. I figured if the people I have talked with don't understand then there are probably a lot ...
Nice baseline information and a template for build management of other standard processes.

Patrick Olsen

Shared publicly
CyFor: Free online forensic learning environment. Please share. 
NYU-Poly & the ISIS Lab have developed CyFor, a free online forensic learning environment. Our target audience is High School students from around the country, but we encourage everyone to partici...

Patrick Olsen

Discussion
Hello everyone. I'm new to this community. I figured I would share a recent series of blog posts I did and hope to get some professional feedback on how things could have been done differently, or other ways to perform the same actions better. Maybe I forgot some artifacts, etc.

As some of the other bloggers will tell you, people do not provide very good feedback or discussion points. "Great post!" is about as good as it gets most of the time.

http://www.sysforensics.org/2012/11/aptish-attack-via-metasploit-part-one.html
http://www.sysforensics.org/2012/11/aptish-attack-via-metasploit-part-two.html
http://www.sysforensics.org/2012/11/aptish-attack-via-metasploit-part-iii.html
http://www.sysforensics.org/2012/12/aptish-attack-via-metasploit-part-iv.html
The irony is that a lot of APT-type attacks aren't particularly 'advanced' at all. You're not necessarily looking at the sophisticated and financially-centered engineering background of the RBN; many attacks targeted at intellectual property and corporate or government data will use the minimum technical level required to perform an attack and exfiltration. This means finding the systems vulnerable to last year's Java exploit, or the employees uneducated enough to click on a phishing message. We all want to be the analyst who discovers the holy grail APT attack, with the super duper new zero day, but most of us are just going to find the person who didn't patch Adobe Reader, over and over again. Lateral movement can be somewhat more interesting.

Patrick Olsen

Shared publicly
I released a new tool called Browser Artifact Recovery Forensic Framework - BARFF today. Hopefully it's useful for you. It's free...
Hello all, I wanted to take a few minutes and let you know that I am releasing some code I have been working on over the past couple weeks. I blogged a while back about how I wanted to learn more about...
Woohoo~~^^ I hope you keep doing well! And Of course you can do it..!

Patrick Olsen

Shared publicly
Part III of the APTish Attack via Metasploit. I cover memory analysis here.
INTRO: Some of you might be familiar with GrrCon [1]. I wasn't until this year. I found out about them after reading a post by the Volatility guys/gals [2]. In the post they discuss how they used ...
Wonderful!

Patrick Olsen

Shared publicly
I put up a new post where I walk through an APTish style attack using Metasploit and I will use the artifacts left behind in future forensics posts. Part II, III, and IV will cover the forensics portion of it.

Patrick Olsen

Shared publicly
I posted a new blog post, Do not fumble the lateral movement. http://sysforensics.org/2014/01/lateral-movement.html In the post I talk about common lateral movement indicators that advanced actors and malware use.
I posted a blog post about Windows Processes and how knowing what's “normal” can be used to spot malicious processes. You can find the post here: http://sysforensics.org/2014/01/know-your-windows-processes.html. I got quite a bit of positive feedback on that post so I figured I would write a ...
Nice post! You have detailed some really great ways to look for an attacker who is using native tools to move laterally. Keep up the awesome blog

Patrick Olsen

Shared publicly
Long time coming. I posted a new blog post on how to build your own NSRL hash checking server. - http://sysforensics.org/2013/12/build-your-own-nsrl-server.html
It's been a long time since I wrote a blog post. I moved to Singapore and started a new job and I simply lost track of time. I couldn't let the year end without getting at least a few posts up. I promise 2014 will be better as I actually missed blogging this year.

Patrick Olsen

Shared publicly
Writing to files without modifying LastWriteTime and LastAccessTime via PowerShell, but then getting pwned by the MFT

Patrick Olsen

Shared publicly
Really Korea? I saw this while walking down the street today. I would expect to see this in America (and maybe it's there and I just don't know yet), but living in Korea I miss out on some of those advertisements from back home.

I'm pretty sure that's cheese, bacon and mayo between two fried chicken breasts.
nah man, never... that's sick.

Patrick Olsen

Shared publicly
This is Part II of the APTish Attack via Metasploit. I use SplunkStorm to analyze Windows event logs.
Nice logs!
People
Have him in circles
167 people
Work
Occupation
Information Security Analyst
Basic Information
Gender
Male
Story
Introduction
Hello, I'm Patrick. I enjoy reading books, roasting/drinking coffee, digital forensics and playing Magic the Gathering. Pretty much a nerd.
Places
Currently
Seoul, South Korea
Previously
Seoul