tomchop
@tomchop.me
Cybersecurity nerd; #DFIR @ Google by day; FOSS, threat intel and malware analysis by night. Investigator, coder, terrible sense of humor.

https://yeti-platform.io and more (github.com/tomchop)

views are my own • he/him • tomchop.me
Reposted by tomchop
Using Timesketch for timeline analysis? We recently added a new feature: LLM summaries of up to 500 events in view. Example below uses Gemini Flash, but you can just as easily use a local Ollama model. Setup guide: timesketch.org/guides/user/...
June 19, 2025 at 6:01 PM
Reposted by tomchop
April 1, 2025 at 2:50 AM
That's not that many cabs.
April 2, 2025 at 10:14 AM
Well well well, how the turntables...
January 29, 2025 at 10:04 AM
Reposted by tomchop
Great stuff from @tomchop.me! Memory analysis and Yara support in #OpenRelik

#DFIR
I had a look at #OpenRelik last year and wrote a couple workers that might be useful:

* github.com/tomchop/open...: Scan memory images using @volatilityfoundation.org plugins. Supports Yara rules
* github.com/tomchop/open... - Run Yara rules on a directory. Supports third-party systems like #Yeti!
January 7, 2025 at 6:07 PM
I had a look at #OpenRelik last year and wrote a couple workers that might be useful:

* github.com/tomchop/open...: Scan memory images using @volatilityfoundation.org plugins. Supports Yara rules
* github.com/tomchop/open... - Run Yara rules on a directory. Supports third-party systems like #Yeti!
January 7, 2025 at 5:18 PM
Reposted by tomchop
New #OpenRelik release. Task metrics (queue length, completion, failures etc) & new Prometheus exporter. Plus, a new task dashboard for deep dives into task performance.

📝 openrelik.org/changelog/
🔗 discord.gg/hg652gktwX

#DFIR
December 12, 2024 at 11:29 AM
This is also the reason I never talk publicly about my dog, any favorite foods, or the season we were in < 3 months ago.
When I see trends that ask me to post about movies that came out the year I was born or photos from the city I was born in or anything asking for information that could be used to crack a password I remember the golden rule:

Don't share any information Ron Swanson wouldn't share
Alt: a man with a mustache is holding a cup and saying "I like saying no." (GIF via media.tenor.com)
December 12, 2024 at 9:00 AM
Looks like shit just got real @swiftonsecurity.com
November 27, 2024 at 12:47 PM
Probably the most riveting incident report I've read in a long time. I would've so much liked to be part of this investigation!

Kudos to @volexity.com for going into so much detail on this novel network attack technique.

www.volexity.com/blog/2024/11...
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...
www.volexity.com
November 26, 2024 at 3:19 PM
Reposted by tomchop
if you have a @github.com profile, can i ask you to update it with your @bsky.app handle? 🙏

👉 it enables some very cool integrations, like auto curated feeds and starter packs for contributors and tech
November 23, 2024 at 1:53 PM
Shiiiiyet, I'm gonna try to not miss this edition! 🤞🏼🤞🏼🤞🏼
November 19, 2024 at 2:36 PM
*cue pokémon battle song*

"plaso I choose you!!"
Starter Pack containing #infosec trainers — if I missed any, lmk!

go.bsky.app/V5iocw6
November 18, 2024 at 3:24 PM
Thinking of coming up with a Bluesky #DFIR Starter Pack with @the4711.org... who should we include?
November 15, 2024 at 11:07 AM
Reposted by tomchop
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.
This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library.

Looks like this got caught by chance. Wonder how long it would have taken otherwise.
Woah. Backdoor in liblzma targeting ssh servers.

www.openwall.com/lists/oss-se...

It has everything: malicious upstream, masterful obfuscation, detection due to performance degradation, inclusion in OpenSSH via distro patches for systemd support…

Now I’m curious what it does in RSA_public_decrypt
March 30, 2024 at 5:13 PM
Reposted by tomchop
Today, we published this Field Guide to incident response for civil society and media, which I’ve been working on for the past year or so and which I am pretty excited about internews.org/resource/fie...
November 28, 2023 at 5:39 PM
This has been years in the making, literally. @Sebdraven and I are happy to announce the release of #Yeti 2.0 (after we promised an EOM release at @hack_lu last month)

Website: yeti-platform.io
Release: github.com/yeti-platform/yeti

mini-🧵👇🏻

#DFIR #infosec #CTI #cybersec
November 14, 2023 at 11:45 AM
The talk I gave at @hack_lu about Yeti and our vision of the future of forensics intelligence is online!

We're already getting lots of FRs, which we'll do our best to implement before our official release EOM.

Hope I made @Sebdraven proud 🥹 #dfir #infosec
Hack.lu 2023: Yeti: Old Dog, New Tricks - Sébastien Larinier and Thomas Chopitea
www.youtube.com
October 19, 2023 at 9:19 AM
I haven't had time to talk about it, but @sebdraven and I are giving a talk this week at #HackLu about some cool new changes coming to Yeti: pretalx.com/hack-lu-2023...

It's going to be fun to talk about this project that has been on my todo list for 10+ years! 😅 #DFIR #infosec #CTI
October 16, 2023 at 8:57 AM
My team just released dfiq.org, which is "a collection of Digital Forensics Investigative Questions and the approaches to answering them."

The idea came from the will to organize investigative approaches to similar cases to increase consistency across response efforts. #dfir #infosec
Home - DFIQ (Digital Forensics Investigative Questions)
dfiq.org
August 14, 2023 at 11:18 AM
How your email finds me.
August 12, 2023 at 5:50 PM
VirusTotal announces Yara netloc, to extend Yara's capabilities to VT network sandbox results (domains, IPs, URLs), and not only file bytes. Looks promising! #infosec #cti

https://blog.virustotal.com/2023/07/actionable-threat-intel-iv-yara-beyond.html
July 24, 2023 at 12:01 PM
Reposted by tomchop
For 25+ yrs police, military, intel agencies and critical infrastructure around the world relied on the TETRA radio standard to secure critical communications. But now Dutch researchers have examined secret algorithms used in TETRA and found something startling - an intentional backdoor, and more
Code Kept Secret for Years Reveals Its Flaw—a Backdoor
A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight. Researchers say it isn’t pretty.
www.wired.com
July 24, 2023 at 10:17 AM
Reposted by tomchop
Never take file paths for granted in digital forensics. New blog post by Joachim Metz: https://osdfir.blogspot.com/2023/07/whats-in-file-path.html
What’s in a (file) path?
What’s in a (file) path? Background For the experienced reader this might seem a very basic topic, however file paths are things we easily...
osdfir.blogspot.com
July 21, 2023 at 11:45 AM