Portable, Reusable Containers. I enjoy creating a bunch of containers for various uses. The best part is I can create a container to fit my workflow. So my tool stack become malleable and manageable. I can create, rebuild, and destroy containers as my needs require. Granted disk space and time are always a concern. But I resolve that by being intentional with my tool stack. Day to Day Toolbox Container I use Fedora Linux as my workstation OS on a daily basis. Read more...

The Art of Note Taking I was talking about building the habit of taking notes to a junior analyst the other day. I was sharing with them the importance of simply writing things down and then converting them to notes. Basically build the habit of note taking. Later I realized I forgot to teach them The Real Note Taking Hack. This hack is simple and summed up in one word: introspection. Read more...

BSIDES RGV 2025 Quick, Easy, Malware Investigations and Threat Hunting About Me Hi! I’m Eduardo Robles I work for County of Hidalgo IT dept as a Cybersecurity Analyst IV Founder of South Texas Linux Users Group. You can check out my skills on my blog or LinkedIn. Agenda Learn the basics of Malware Analysis Learn some Threat Hunting skills Small look into Digital Forensics Disclaimer Everything in this talk is my own research and opinion. Read more...

Local LLMs In Your Homelab Why experiment with LLM technology in the first place? Well simple because it’s everywhere and huge tech companies will shove it our faces every chance they get! In all seriousness, it’s actually never been easier to experiment with these Models even on low end hardware. Yes, you can experiment with LLMs by running them on a single CPU and decent RAM. Let me show you how I did it. Read more...

What is Cyberchef? Cyberchef is a tool I learned about toward the end of 2024. Since then I began using it more and more. CyberChef was developed by GCHQ and is the Cyber Swiss Army Knife web app for encryption, encoding, compression and data analysis. In the end it proved to extremely useful for Forensic Analysis and Incident Response investigations. You can use the free version online but if you want to run it in your environment you can. Read more...

Bsides Austin 2024 This is my talk for BSIDES Austin 2024 Malware Investigations Why do internal malware analysis? Existing tools Virustotal, JoeSandbox, etc. Protect sensitive information from 3rd parties. Freedom from reliance on one tool or platform. Malware is scary and dangerous, put in a box (container). Malware is scary. Malware is dangerous. So it’s best to analyze in a “contained” environment. Virtual Machines Containers (Docker, Podman, etc) Working with Malware Samples Safely moving malware around to later analyze can be daunting. Read more...

Phishing Email Analysis ClamAV ClamAV is great to scan for malware but also can scan eml files including email attachments. Use the --debug flag for more info on the scan. clamscan sample.eml Continued You can also use ClamAV to scan any suspicious file. clamscan sample.zip Investigating a malicious link To investigate a link I use a REMnux container which offers so many awesome tools. I will cover THUG and Automater. Read more...

The basics MFA is basically putting an extra step, an extra barrier to login into an app or website. This extra step is what creates security. It does not prevent attacks or stop attacks. But what it does do is simple: it makes it harder for someone to hack you. The struggle Doing extra work is never fun. No one likes to do the extra work. I don’t like doing extra work. Read more...

Is it DevSecOp, SecDevOps, OpsSecDev? The infosec field is full of buzzword now more so with the explosion of automation and AI. Luckily, I am not easily fooled by the buzzword and look for the real meat and bones. So when I was tasked with automating some tasks at work I jumped into an interesting technology called Ansible. Ansible is a tool for automation that is cross platform. It relies on setting up a secure connection to an endpoint and then Ansible handle executing tasks on the system. Read more...

Learning to Authenticate WinRM has 2 componets: Communication and Authentication. Like with SSH, you establish a connection then you authenticate on the endpoint. In the previous post I wrote about setting up WinRM Listener over HTTPS. Now we have to setup Authentication luckily Windows offers serveral options for Authentication. But keep in mind not all are secure nor are supported with the type of account you would like to use. In other words if you want to authenticate with Kerberos forget about using a Local Account. Read more...