This method uses its own encryption to avoid EDR alerts. It looks like the process can be defeated if the disk is encrypted; without the benefit of the operating system to decrypt the files, it reads the location of the master file table and iterates through it, looking for specific file signatures. If the disk is encrypted at the file table level or the file level, reading the raw information from the disk will prevent it from correctly identifying the signatures or getting anything useful from the files.
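The comment above argues that a tool reading the raw volume and matching file signatures gets nothing useful once the data it reads is ciphertext. The following is an added illustration of that argument, not code from the comment, the post, or the malware it discusses. It lays constructed sample files out at sector-aligned offsets in an in-memory "disk image", scans it sector by sector for well-known magic numbers (the raw-disk-reader's check), then repeats the scan over the same image after encryption. The encryption routine is a hypothetical XOR keystream stand-in for full-disk encryption, chosen so the example runs with the standard library only; real volume encryption uses AES-XTS or similar, and the signature-scanning result is the same.

```python
import hashlib
import struct

SECTOR = 512

# Real magic numbers for a few common file types (first bytes of the file).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/docx",
    b"\xff\xd8\xff": "jpeg",
}

# Constructed sample files; each is shorter than one sector.
SAMPLE_FILES = [
    ("report.pdf", b"%PDF-1.7\n% constructed sample\n"),
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 40),
    ("notes.txt", b"plain text, no magic number\n"),
    ("archive.zip", b"PK\x03\x04" + b"\x00" * 26),
]


def build_image(files):
    """Lay file contents out at sector-aligned offsets, the way data runs
    sit on a real volume. Returns (image_bytes, {name: start_offset})."""
    image = bytearray()
    starts = {}
    for name, body in files:
        starts[name] = len(image)
        image += body
        image += b"\x00" * ((-len(image)) % SECTOR)  # pad to sector boundary
    return bytes(image), starts


def scan_raw_image(image):
    """Walk the image one sector at a time and report sectors whose first
    bytes match a known signature: the check a raw-disk reader performs
    without any help from the file system."""
    hits = []
    for off in range(0, len(image), SECTOR):
        head = image[off:off + 8]
        for magic, kind in SIGNATURES.items():
            if head.startswith(magic):
                hits.append((off, kind))
    return hits


def keystream_encrypt(key, data):
    """Hypothetical stand-in for volume encryption: XOR with a SHA-256
    counter keystream. Symmetric, so applying it twice decrypts."""
    out = bytearray()
    for pos in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack(">Q", pos // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[pos:pos + 32], ks))
    return bytes(out)


def demo():
    """Scan the plaintext image, then the encrypted image, and return
    (file_offsets, plaintext_hits, ciphertext_hits)."""
    image, starts = build_image(SAMPLE_FILES)
    plain_hits = scan_raw_image(image)
    ciphertext = keystream_encrypt(b"constructed-volume-key", image)
    cipher_hits = scan_raw_image(ciphertext)
    return starts, plain_hits, cipher_hits


if __name__ == "__main__":
    starts, plain_hits, cipher_hits = demo()
    print("file offsets:     ", starts)
    print("plaintext hits:   ", plain_hits)   # pdf, png, zip found; txt has no magic
    print("ciphertext hits:  ", cipher_hits)  # nothing recognisable
```

The example models a reader that sits below the decryption layer, which is the situation the comment describes. One caveat worth keeping in mind: a volume-level encryption driver that decrypts sectors before they reach a reader of the mounted volume hands that reader plaintext, so the signature scan only fails where the read path bypasses that driver or the volume is offline.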
this post was submitted on 15 Sep 2025
blueteamsec