The new REMnux MCP server connects AI agents to 200+ malware analysis tools. I was surprised at the depth of investigation it can deliver: https://zeltser.com/ai-malware-analysis-remnux

Most of my time on this project went into capturing how I approach malware analysis and making sure the server provides the right guidance at the right time, so that AI can think and adapt as it creates the workflow. The post includes interactive replays of real analysis sessions.

#malware #malwareanalysis #infosec #cybersecurity #tools #artificialintelligence #AI

Sad news today, another veteran has been taken from us. Ruth Bourne, WWII Bletchley Park Bombe operator has died aged 98.
She started working at BP aged just 18.
Thank you for your service Ruth, we will remember you.

https://news.sky.com/story/wwii-bletchley-park-enigma-codebreaker-ruth-bourne-dies-aged-98-13485185

🚨 Incident Response
===================

Executive summary: The Windows Registry remains a primary source of forensic telemetry. The 2025 cheat sheet compiles core hives and the most commonly useful artifacts for DFIR practitioners, focusing on user activity, USB/device history and account-level data.

Technical details:
• Key hive files documented include NTUSER.DAT (user profile settings and activity), UsrClass.dat (per-user shell mappings), SAM (local account metadata and password hashes), and SYSTEM (system configuration and device history).
• Notable artifacts listed for NTUSER.DAT include UserAssist, RunMRU, OpenSaveMRU, OfficeMRU, LastVisitedMRU, RecentDocs, WordWheelQuery, TypedPaths, ShellBags, MountPoints2, and user-specific autorun entries.
• UsrClass.dat is highlighted for ShellBag and MUICache entries that help validate folder access and GUI program execution.
• SAM is noted for local account details (username, SID, creation/last logon times) and offline password hashes useful in credential recovery scenarios.
• SYSTEM is called out for ShimCache entries, Activity Moderator (BAM/DAM) artifacts, Windows Services configuration, MountedDevices, and Enum\USB\USBSTOR records (Vendor ID, Product ID, serial number, and first/last attach times).

Detection guidance (artifacts to search):
• Inspect UserAssist and RunMRU to reconstruct interactive program execution.
• Parse ShellBags and MountPoints2 for evidence of folder access and mounted media.
• Query Enum\USB\USBSTOR and MountedDevices within the SYSTEM hive for USB device timelines.

Investigation tips (from the source):
• Prioritize user vs. system hives depending on scope of inquiry.
• Correlate registry-derived timestamps with file system and event log timelines for validation.

Limitations:
• Artifact presence and completeness vary by OS version and user behaviour; not all entries prove execution — some indicate existence or access only.

🔹 registry #DFIR #windows #forensics

🔗 Source: https://www.cybertriage.com/blog/windows-registry-forensics-cheat-sheet-2025/