forensic_os

Agentic AI challenges in IDE: Forensic and extraction of traces PART 3

21 December 2025 - Posted in Incident Response by Jok3r

Background: In our latest research related to forensic traces left by IDEs, let's look into the Cursor AI IDE. Traces: As in our previous research, we saw that some of its components rely on VS Code. [...] Read more

Agentic AI challenges in IDE: Forensic and extraction of traces PART 2

14 December 2025 - Posted in Incident Response by Jok3r

Background: As we continue our research around agentic IDEs which can leave traces, because at some IR stages you need to deal with such things—especially when an engineer's machine was involved in [...] Read more

Agentic AI challenges in IDE: Forensic and extraction of traces PART 1

07 December 2025 - Posted in Incident Response by Jok3r

Background: With the rise of AI companions and agentic features in popular IDEs, these tools can now execute commands with user consent. This presents new challenges for digital forensic specialists, [...] Read more

Hunting for Threats in the Dark: Leverage AI Technology to Support Your Investigation

23 November 2025 - Posted in Incident Response by Jok3r

Background: Threat actors have been leveraging AI in their attacks for some time now. Through searching for answers on how we as IR specialists can stand against this threat, I have come to a simple [...] Read more

Cross-Linux Distro Forensic Data Collection Techniques for IR

01 November 2025 - Posted in Incident Response by Jok3r

Background: One of the IR stages is the "collection" stage, which occurs between containment and analysis. We sometimes need to collect evidence from Kubernetes pods or Docker containers, which can [...] Read more

Evidence Collection on Linux Without External Toolkits

29 October 2025 - Posted in Incident Response by Jok3r

Background: During incident response, time constraints can make it difficult to fully understand the scope of an incident. This challenge becomes even greater when our existing toolset does not [...] Read more

Part5: Kernel protection preventive mechanisms in Linux systems and methods for monitoring them (Lockdown Mode)

18 October 2025 - Posted in Hardenings by Jok3r

Background: The Linux kernel lockdown mode was introduced in Linux kernel version 5.4. Its purpose is to help protect the kernel from actions that could compromise the confidentiality or integrity of [...] Read more

Part4: Kernel protection preventive mechanisms in Linux systems and methods for monitoring them (SLUB)

12 October 2025 - Posted in Hardenings by Jok3r

Background: As we continue our journey into the mechanisms of kernel protection toolsets and monitoring, let's focus on our next candidate: SLUB. In simple terms, SLUB (the Unqueued Slab Allocator) [...] Read more

Part3: Kernel protection preventive mechanisms in Linux systems and methods for monitoring them (Kernel address space layout randomization)

04 October 2025 - Posted in Hardenings by Jok3r

Background: As we continue our discovery of Linux kernel protection mechanisms, we should also look at the built-in capability called Kernel Address Space Layout Randomization (KASLR). KASLR’s [...] Read more

Part2: Kernel protection preventive mechanisms in Linux systems and methods for monitoring them

28 September 2025 - Posted in Hardenings by Jok3r

Background: In our previous article, I described one method to prevent or monitor harmful activities that can be carried out against the Linux kernel, focusing on the research of SELinux [...] Read more