Publications

CCleaner forensics

Mon, 06/20/2022 - 10:57
CSIRT
During a ransomware attack, right after the ransomware was launched, we noticed the use of CCleaner as an anti-forensic tool to cover the attacker’s action. The following article aims to explore some key features of this tool from a forensic perspective. We will see how to identify the items that have been deleted and how they could be recovered. We focused on the free desktop version v6.00.9727.

Unransomware

Mon, 01/31/2022 - 10:45
CSIRT
During a ransomware incident, CSIRT Synacktiv noticed that the bitlocker mechanism was used to encrypt company and user files. This blogpost does not intend to retrace the whole incident response process. The idea is to illustrate how we managed (or not) to recover encryption keys and save a few workstations from their terrible fate. The incident took place few months ago.

Yet another BEC investigation on M365

Mon, 11/22/2021 - 15:15
CSIRT
Several materials already describe this type of attack, this document is an operational feedback from the CSIRT Synacktiv on several BEC incidents based on Microsoft 365 service. This is the part one of this publication.