DNS Exfiltration Part2

In my last blogpost I wrote about the data flow of DNS data exfiltration. This blogpost is about detection and prevention, even though prevention in particular is not so simple. As with the last blogpost, a certain amount of know-how is assumed, and this time too I will not go into detail about how DNS works. But don't worry, there are already many good articles on the internet. As always, I have linked all the pages that I found helpful.


DNS Exfiltration Part1

A few weeks ago, I received a file with recorded network traffic from a teacher, with the hint that a password was hidden in this file. As it turned out, the password was sent via the DNS protocol (decoded). Even though I had already heard about DNS exfiltration, I was not able to find the password. That was very annoying. So that this hopefully does not happen to me again, I started to look deeper into the topic of DNS exfiltration.


MFT Explorer

Today I want to write about timestomping in NTFS and how to find manipulated files with MFT Explorer.
