Posts

• May 15, 2025

  Improving AFD Socket Visibility for Windows Forensics & Troubleshooting

• Sep 13, 2024

  Introducing the Restart Manager Artifacts Tool

• Aug 8, 2024

  On System Reliability or Why the (Conceptual) Design of the Blue Screen on Windows Is Good

• Apr 17, 2024

  Reconstructing Executables Part 1: Between Files and Memory

• Apr 20, 2023

  The Definitive Guide to Process Cloning on Windows

• Sep 15, 2022

  Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions

• Aug 10, 2022

  Concealed Code Execution, Part 3: Detection.

• Aug 10, 2022

  Concealed Code Execution, Part 2: Code Injection.

• Aug 10, 2022

  Concealed Code Execution, Part 1: Process Tampering.

• May 23, 2021

  Comparing, Discussing, and Bypassing Techniques for Suspending Processes.

• Feb 26, 2021

  Intercepting Program Startup on Windows and Trying to Not Mess Things Up.

• Jan 28, 2020

  How to Make Any Process Work With Transactional NTFS: My First Step to Writing a Sandbox for Windows.

subscribe via RSS