Jake Williams · Jan 8, 2017 · 10:20 AM UTC

Jake Williams @MalwareJake

8 Jan 2017

New post by @shadowbrokerss seems to imply capability to edit event logs (EventLogEdit) - huge #DFIR implications if true!

105

Hal Pomeranz · Jan 8, 2017 · 12:38 PM UTC

Hal Pomeranz · Jan 8, 2017 · 12:38 PM UTC

Hal Pomeranz @hal_pomeranz

8 Jan 2017

Capability != Results. We know from the history of Unix log editing that many operators fail to do it well or completely.

Jan 8, 2017 · 12:38 PM UTC

Jake Williams · Jan 8, 2017 · 12:41 PM UTC

Jake Williams @MalwareJake

8 Jan 2017

isn't that the truth - and sometimes the absence of certain logs is by itself suspicious.