Illusive Labs Blog

Technical cybersecurity perspectives focusing on deceptions,
threat trends, incident response, advanced attacks and new technologies

For open source tools published by the Illusive Labs team, visit our GitHub page.

Why and How to Extract Network Connection Timestamps for DFIR Investigations

Posted by Hadar Yudovich on Mar 14, 2018 9:59:12 AM

For as long as I have been doing forensics, or more specifically, live response, there has been a lot of value in reviewing a Windows system’s network connections during an investigation; in fact, this is recognized as standard practice. There are many reasons to do so; however, this work is essentially done to find an anomaly, something suspicious.



Windows Console Command History: Valuable Evidence for Live Response Investigation

Posted by Tom Sela on Jan 11, 2018 8:01:49 AM

Note: This blog is an updated version of a piece originally published in the March 2017 edition of eForensics Magazine.

As a security researcher and part-time Incident Response (IR) analyst, I know that fine details are of paramount importance. The role requires ongoing research to understand an attacker’s actions on compromised machines. A typical research process requires examining hundreds, or even thousands, of artifacts to find the needle in the haystack.


