Analysis Notes

A place to note things from trying malware analysis and anything that seemed likely to be useful for analysis.

4n6 WEEK 50 – 2022 - FORENSIC ANALYSIS

This entry was generated and posted automatically to show the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be zapped through quickly. 4n6 itself can be found here. Tips via "Buy me a coffee" are appreciated.

FORENSIC ANALYSIS

CyberJunnkie

In this writeup we will be analyzing an email to determine whether it was a phishing attempt or not. We will only use a mail client (you can use any you like) and threat intel platforms like VirusTotal and Cisco Talos Intelligence. Scenario: Your email address has been leaked and you receive an email from PayPal in German. Try to analyze the suspicious email. Analysis: Unzipping the challenge package, we have an eml file, which is an electronic message format and is commonly the extension of mail fil...

Joseph Moronwi at Digital Investigator

Joseph Moronwi, December 05, 2022. Due to continuous growth in malware attacks, memory forensics has become very crucial, as memory contains many forensic artifacts that digital forensic investigators cannot get through traditional disk forensics. Forensic analysis of a memory dump of a victim's machine provides a detailed analysis of malware, checking traces of malware that were created while it was running on the machine. Moreover, recent malware techniques also use stealthy methods to go undetec...

Forensafe

Investigating Android Sygic, 09/12/2022 Friday. Sygic is a GPS navigation app that provides voice-guided navigation in over 220 countries with offline maps. The app also has a feature that allows users to download offline maps that can be used without an internet connection, as well as live traffic information and safety camera alerts. The app is available on iOS and Android and is compatible with Apple Watch, Google Wear OS, and Android Wear devices. Sygic provides drivers with information about the rout...

Fallen sky at InfoSec Write-ups

Published in InfoSec Write-ups, Fallen sky, Dec 8, 4 min read. Email analysis: avoid phishing attacks (THM Advent of Cyber day 6 wrapped 👽). In this article, we'll see how to analyze emails and look at the various parts an email consists of. Email analysis is the process of extracting email header information to expose the email file details. The email header is the protagonist here and provides enough info to decide whether to filter/quarantine/deliver the particul...
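The two write-ups above (CyberJunnkie's PayPal challenge and the THM day 6 post) walk through the same header checks by hand. The script below is an added example, not code from either author: it parses an .eml with Python's standard `email` module and lists the inconsistencies an analyst looks for first (Reply-To/Return-Path versus From, SPF/DKIM/DMARC verdicts in Authentication-Results, the originating IP in the earliest Received header, and links whose visible text disagrees with their href). The sample message is constructed here and every domain, address and IP in it is fictitious.

```python
"""Triage an .eml file: sender headers, authentication verdicts, origin hop,
and body links, with a list of inconsistencies. Added example; the message
below is constructed and all names/addresses in it are fictitious."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phish). Each hop prepends its own
# Received header, so the LAST Received header is the originating hop.
SAMPLE_EML = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
\tby mx.victim.example (Postfix) with ESMTP id ABC123
\tfor <user@victim.example>; Fri, 09 Dec 2022 10:15:02 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail-relay.example.net with ESMTPA id XYZ789; Fri, 09 Dec 2022 10:14:58 +0000
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mail-relay.example.net;
\tdkim=none; dmarc=fail header.from=paypal.example
From: "PayPal Kundenservice" <service@paypal.example>
Reply-To: <support-team@webmail-free.example>
To: <user@victim.example>
Subject: Ihr PayPal-Konto wurde eingeschraenkt
Date: Fri, 09 Dec 2022 10:14:50 +0000
Message-ID: <20221209101450.1234@mail-relay.example.net>
Content-Type: text/html; charset="utf-8"

<html><body>Bitte bestaetigen Sie Ihre Daten:
<a href="http://paypal.example.verify-login.example/login">https://www.paypal.example/</a>
</body></html>
"""


def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def parse_auth_results(value) -> dict:
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", str(value or ""))
        if m:
            verdicts[mech] = m.group(1).lower()
    return verdicts


def under_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return bool(host) and bool(domain) and (host == domain or host.endswith("." + domain))


def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Envelope/reply addresses that do not match the visible From domain.
    from_dom = domain_of(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 2. Authentication verdicts recorded by the receiving MTA.
    auth = parse_auth_results(msg["Authentication-Results"])
    for mech, verdict in auth.items():
        if verdict != "pass":
            findings.append(f"{mech}={verdict} for From domain {from_dom}")

    # 3. Originating IP(s) from the earliest (last-listed) Received header.
    received = msg.get_all("Received") or []
    origin = str(received[-1]) if received else ""
    ips = list(dict.fromkeys(re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", origin)))

    # 4. Links whose anchor text and href disagree, or that leave the From domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html):
        href_host = (urlparse(href).hostname or "").lower()
        text = text.strip()
        text_host = (urlparse(text).hostname or "").lower() if text.startswith("http") else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but href points to {href_host}")
        if not under_domain(href_host, from_dom):
            findings.append(f"link host {href_host} is not under the From domain {from_dom}")

    return {"from_domain": from_dom, "reply_to_domain": domain_of(msg["Reply-To"]),
            "originating_ips": ips, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for line in analyze(SAMPLE_EML)["findings"]:
        print("-", line)
```

The originating IP and the link hosts are what you would then pivot into VirusTotal or Talos; note that Authentication-Results is only trustworthy if it was written by your own receiving MTA (the `mx.victim.example` authserv-id here), since a sender can forge the header just as easily as From.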

Joe T. Sylve, Ph.D.

2022 APFS Advent Challenge Day 3 - Containers Monday, December 5, 2022 APFS is a pooled storage, transactional, copy-on-write file system. Its design relies on a core management layer known as the Container. APFS containers consist of a collection of several specialized components: The Space Manager, the Checkpoint Areas, and the Reaper. In today’s post, we will give an overview of APFS containers and these components. History Prior to the introduction of APFS, Apple’s primary file system of cho...

2022 APFS Advent Challenge Day 4 - NX Superblock Objects Tuesday, December 6, 2022 The NX Superblock Object is a crucial component of APFS. It stores key information about the Container, such as the block size, total number of blocks, supported features, and the object IDs of various trees and other structures used to track and maintain other objects. The on-disk nx_superblock_t structure is used as the root source of information to locate all other objects in the checkpoint. In this post, we wi...
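As an added example for the Day 3 and Day 4 posts (not code from the series), the script below parses the leading fields of an on-disk `nx_superblock_t` (the `obj_phys_t` header followed by magic, block size, block count, UUID, checkpoint descriptor/data area geometry and the Space Manager, object map and Reaper OIDs), verifies the Fletcher-64 checksum that guards every APFS object, and then picks the newest valid superblock from a set of candidate blocks by transaction ID, which is how you find the current checkpoint when block 0 is stale. Field offsets follow Apple's public APFS reference; the superblock copies are constructed in code, so nothing here reads a real container.

```python
"""Parse and checksum-verify an APFS nx_superblock_t and select the newest
valid copy. Added example, not code from the series; offsets follow the
public Apple File System Reference, sample blocks are constructed below."""
import struct
import uuid

NX_MAGIC = 0x4253584E                  # b'NXSB' read as a little-endian uint32
OBJECT_TYPE_NX_SUPERBLOCK = 0x00000001
OBJECT_TYPE_MASK = 0x0000FFFF
OBJ_EPHEMERAL = 0x80000000
M32 = 0xFFFFFFFF                       # Fletcher-64 modulus (2**32 - 1)

# obj_phys_t: o_cksum[8], o_oid, o_xid, o_type, o_subtype (32 bytes)
OBJ_PHYS = struct.Struct("<8sQQII")
# nx_superblock_t fields that follow, through nx_reaper_oid (144 bytes)
NX_HEAD = struct.Struct("<IIQQQQ16sQQIIqqIIIIIIQQQ")
NX_FIELDS = ("magic", "block_size", "block_count", "features", "ro_compat_features",
             "incompat_features", "uuid", "next_oid", "next_xid", "xp_desc_blocks",
             "xp_data_blocks", "xp_desc_base", "xp_data_base", "xp_desc_next",
             "xp_data_next", "xp_desc_index", "xp_desc_len", "xp_data_index",
             "xp_data_len", "spaceman_oid", "omap_oid", "reaper_oid")


def fletcher64(data: bytes, init=(0, 0)):
    """Fletcher-64 over little-endian 32-bit words, both sums modulo 2**32-1."""
    s1, s2 = init
    for (w,) in struct.iter_unpack("<I", data):
        s1 = (s1 + w) % M32
        s2 = (s2 + s1) % M32
    return s1, s2


def apfs_checksum(body: bytes) -> bytes:
    """o_cksum value chosen so that Fletcher-64 over body + cksum words is zero."""
    s1, s2 = fletcher64(body)
    c1 = M32 - ((s1 + s2) % M32)
    c2 = M32 - ((s1 + c1) % M32)
    return struct.pack("<II", c1, c2)


def checksum_ok(block: bytes) -> bool:
    """Verify: run the sums over bytes 8.. and then over the stored checksum."""
    s1, s2 = fletcher64(block[8:])
    s1, s2 = fletcher64(block[:8], (s1, s2))
    return s1 == 0 and s2 == 0


FIXED_UUID = uuid.UUID("0f0e0d0c-0b0a-0908-0706-050403020100")


def build_superblock(xid: int, block_size: int = 4096, omap_oid: int = 1024) -> bytes:
    """Construct a plausible superblock block (sample data, not from a real disk)."""
    hdr = struct.pack("<QQII", 1, xid, OBJ_EPHEMERAL | OBJECT_TYPE_NX_SUPERBLOCK, 0)
    body = NX_HEAD.pack(NX_MAGIC, block_size, 1_000_000, 0, 0, 0, FIXED_UUID.bytes,
                        4096, xid + 1, 8, 64, 1, 9, 0, 0, 0, 0, 0, 0,
                        1025, omap_oid, 1026)
    payload = hdr + body
    payload += b"\0" * (block_size - 8 - len(payload))
    return apfs_checksum(payload) + payload


def parse_superblock(block: bytes) -> dict:
    """Decode one block as an nx_superblock_t; raise ValueError if not valid."""
    if not checksum_ok(block):
        raise ValueError("bad Fletcher-64 checksum")
    _cksum, oid, xid, otype, _subtype = OBJ_PHYS.unpack_from(block, 0)
    if otype & OBJECT_TYPE_MASK != OBJECT_TYPE_NX_SUPERBLOCK:
        raise ValueError(f"object type {otype:#x} is not a container superblock")
    fields = dict(zip(NX_FIELDS, NX_HEAD.unpack_from(block, OBJ_PHYS.size)))
    if fields["magic"] != NX_MAGIC:
        raise ValueError("missing NXSB magic")
    fields["uuid"] = str(uuid.UUID(bytes=fields["uuid"]))
    fields.update(oid=oid, xid=xid, ephemeral=bool(otype & OBJ_EPHEMERAL))
    return fields


def find_latest_superblock(blocks):
    """Newest checksum-valid superblock among candidates (highest xid wins)."""
    best = None
    for blk in blocks:
        try:
            sb = parse_superblock(blk)
        except ValueError:
            continue                      # torn write or not a superblock: skip
        if best is None or sb["xid"] > best["xid"]:
            best = sb
    return best


# Constructed candidates: two valid copies and one with a flipped bit.
SB_OLD = build_superblock(xid=10)
SB_NEW = build_superblock(xid=12)
_bad = bytearray(build_superblock(xid=99))
_bad[300] ^= 0x01
SB_CORRUPT = bytes(_bad)

if __name__ == "__main__":
    sb = find_latest_superblock([SB_OLD, SB_CORRUPT, SB_NEW])
    print(f"xid={sb['xid']} block_size={sb['block_size']} "
          f"xp_desc_base={sb['xp_desc_base']} omap_oid={sb['omap_oid']}")
```

The corrupt copy carries the highest transaction ID, which is exactly why the checksum check has to come before the xid comparison; the real checkpoint descriptor area is scanned the same way, with `xp_desc_base` and `xp_desc_blocks` from the block 0 copy telling you where the ring of candidates lives.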

2022 APFS Advent Challenge Day 5 - Checkpoint Maps and Ephemeral Objects Wednesday, December 7, 2022 In our last post, we discussed NX Superblock Objects and how they can be used to locate the Checkpoint Descriptor Area in which they are stored. Today, we will discuss the other type of objects that are stored in the descriptor area, Checkpoint Maps, and how they can be used to find persistent, ephemeral objects on disk. On-Disk Structures Each Checkpoint Mapping structure gives information about...

2022 APFS Advent Challenge Day 6 - B-Trees (Part 1) Thursday, December 8, 2022 In yesterday’s post, we discussed Checkpoint Maps, the simple linear-time data structures that APFS uses to manage persistent, ephemeral objects. Today, we will give a general overview of B-Trees and detail the layout and on-disk structures of B-Tree Nodes. Background A B-Tree is a self-balancing tree data structure that maintains sorted data and allows for fast search, insertion, and deletion operations. B-Trees are ...

2022 APFS Advent Challenge Day 7 - B-Trees (Part 2) Friday, December 9, 2022 Mastering the skill of B-Tree traversal is essential in parsing information from APFS. Our last post gave an overview of APFS B-Trees, their layout, and on-disk node structures. Today, we will discuss applying that knowledge to perform enumeration and fast lookups of referenced objects. Overview Traversal of APFS B-Trees always starts at the root node, which can be identified by having the BTNODE_ROOT bit-flag set in th...

Josh Brunty

Joshua Hickman at ‘The Binary Hick’

Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs. Binary Hick, Android, Apple, iOS, Mobile, 2022-12-06 (updated 2022-12-08), 6 minutes. This is the second time this song has appeared on the blog. 🙂 I love getting questions from people. There are many times when I am not completely sure of the answer and other times when I have no idea. Regardless, getting questions will always cause me to go dig for the answer. I was recently asked a question that was a result of someone taking FOR585: what was the last...

Binary Hick, Android, Mobile, 2022-12-07 (updated 2022-12-08), 2 minutes. After a very long data generation period I am happy to announce an Android 13 image with documentation is now publicly available for download. This image contains 67 third party apps, all with varying levels (none to a lot) of data generated within. All of the hits are there, along with some additions: Whoop, Session, Slack, Mastodon, Gettr, BeReal, and Truth Social. A complete listing is in the documentation, which is available here. Ad...

Kevin Pagano at Stark 4N6

Thawing the Ice Age - Mastodon on Android. Posted by Kevin Pagano, December 07, 2022. With the mass migration away from the "bird site" it was time to dig into the new hotness that is Mastodon. Extinct no more (or should I say a bit more populated these days), Mastodon is a federated social network where instances are run independently of each other. I won't bore you with how it works (come join the infosec.exchange instance, it's run by an alpac...

Kristian Lars Larsen at Data Narro

As Digital Forensics Investigators, Can We Recover Deleted Text Messages? By Kristian Lars Larsen, Attorney News, Digital Forensics, E-Discovery News, December 9, 2022. Mobile phones are the hub of our modern lives—nearly all our daily communication takes place on our phones, from email and voice calls to text messaging. We think nothing of accessing our banking information, medical records, and other sensitive information directly from our mobile devices. This makes our phones a p...

Matt C. A. Smith

2022-12-03 Cyber security, Programming Faced with a day at home recovering from my most recent COVID-19 booster vaccine, I realised I hadn’t written anything more than a few lines of PowerShell in a while and decided to spend some time working on something interesting. The idea occurred to me to try to correlate Windows login sessions from the Security event log, and the Windows Logon Session EVTX Parser script is the result. Contents 1. Introduction a. Testing and limitations 2. Configuration a...
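The correlation the post describes rests on one field: a 4624 (successful logon) and the 4634 or 4647 (logoff) that ends the same session carry the same Logon ID (`TargetLogonId`), so pairing them gives session start, end, duration, logon type and source address. The block below is an added example of that pairing in Python, not the author's PowerShell script; the event records are constructed here, reduced to the EventData fields that matter, rather than read from a real EVTX file.

```python
"""Pair Security-log 4624 logon events with their 4634/4647 logoff by Logon ID.
Added example (the post's own tool is a PowerShell script); the records below
are constructed, not exported from a real machine."""
from datetime import datetime

# Logon type codes as documented for event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample: what you would have after extracting EventData from
# Get-WinEvent output. One interactive session, one short network logon,
# one RDP session still open, and one logoff whose logon is not in the log.
EVENTS = [
    {"EventID": 4624, "Time": "2022-12-03T09:00:00", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "TargetLogonId": "0x3e7a1", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "Time": "2022-12-03T09:05:10", "TargetUserName": "svc-backup",
     "TargetDomainName": "CORP", "TargetLogonId": "0x3f001", "LogonType": 3, "IpAddress": "10.0.0.25"},
    {"EventID": 4634, "Time": "2022-12-03T09:05:12", "TargetUserName": "svc-backup",
     "TargetDomainName": "CORP", "TargetLogonId": "0x3f001", "LogonType": 3},
    {"EventID": 4634, "Time": "2022-12-03T11:00:00", "TargetUserName": "ghost",
     "TargetDomainName": "CORP", "TargetLogonId": "0x99999", "LogonType": 3},
    {"EventID": 4624, "Time": "2022-12-03T11:30:00", "TargetUserName": "bob",
     "TargetDomainName": "CORP", "TargetLogonId": "0x41a00", "LogonType": 10, "IpAddress": "203.0.113.5"},
    {"EventID": 4647, "Time": "2022-12-03T17:02:33", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "TargetLogonId": "0x3e7a1"},
]


def correlate_sessions(events):
    """Return (sessions, orphan_logoffs).

    A session ends at the first 4634/4647 with the same TargetLogonId as its
    4624. Sessions still open at the end of the log have end=None. Logoffs
    with no matching logon (older than the log's retention, or the log was
    cleared) are returned separately rather than silently dropped.
    """
    open_sessions, sessions, orphans = {}, [], []
    for ev in sorted(events, key=lambda e: e["Time"]):      # ISO-8601 sorts lexically
        lid = ev["TargetLogonId"]
        if ev["EventID"] == 4624:
            open_sessions[lid] = {
                "user": f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
                "logon_id": lid,
                "logon_type": LOGON_TYPES.get(ev.get("LogonType"), str(ev.get("LogonType"))),
                "source_ip": ev.get("IpAddress", "-"),
                "start": ev["Time"], "end": None, "duration_s": None,
            }
        elif ev["EventID"] in (4634, 4647):
            session = open_sessions.pop(lid, None)
            if session is None:
                orphans.append(ev)
                continue
            session["end"] = ev["Time"]
            session["duration_s"] = int((datetime.fromisoformat(session["end"])
                                         - datetime.fromisoformat(session["start"])).total_seconds())
            sessions.append(session)
    sessions.extend(open_sessions.values())                 # still logged on
    return sorted(sessions, key=lambda s: s["start"]), orphans


if __name__ == "__main__":
    found, unmatched = correlate_sessions(EVENTS)
    for s in found:
        print(f'{s["user"]:<18} {s["logon_type"]:<18} {s["source_ip"]:<14} '
              f'{s["start"]} -> {s["end"] or "(open)"} {s["duration_s"]}')
    print(f"{len(unmatched)} logoff(s) without a matching logon")
```

Two caveats a practitioner will hit on real data: Logon IDs are only unique within one boot, so a log spanning a reboot needs the 6005/6009 startup events (or the record timestamps) as a partition key before pairing, and the Windows session model is richer than this shows (a 4624 with type 10 is preceded by a type 3 from the same source, and the SYSTEM type 5/0 logons are noise worth filtering).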

Megi Pramesti at MII Cyber Security

Published in MII Cyber Security Consulting Services, Megi Pramesti, Dec 7, 3 min read. Dissect — Open-Source Incident Response Framework by Fox-IT. INTRODUCTION: Dissect is a collection of Python libraries and tools to facilitate enterprise-scale incident response and forensics. It supports you, the analyst, from the moment of acquisition of artifacts, to normalization and processing. With Dissect, beginner and intermediate analysts get direct access to a large collection of artefact parsers and plugin...

NixIntel

Scott Koenig at ‘The Forensic Scooter’

Part B: Filling a device's internal storage for Optimize iPhone Storage research. Posted by Scott_koenig, December 3, 2022. Posted in iOS Settings, Photos.Sqlite. Tags: Full Storage, iCloud Photos, iOS, Optimize iPhone Storage, Photos.Sqlite, ZINTERNALRESOURCE. Part B: Filling a device's internal storage for Optimize iPhone Storage testing. If you are reading this portion of the write-up about iCloud Photos and Optimize iPhone Storage, congratulations, you have fallen headfirst into the rabbit hole!!...

Photos.sqlite ZINTERNALRESOURCE Table Reference Guide. Posted by Scott_koenig, December 3, 2022 (updated December 6, 2022). Posted in Photos.Sqlite. Tags: 5003.JPG, 5005.JPG, iCloud Photos, iOS, Optimize iPhone Storage, Photos.Sqlite, Thumbnail. This reference guide was built as a part of some research and testing I performed looking into the Photos.sqlite ZINTERNALRESOURCE table. During the research, I was able to interpret most of the values I encountered, but I was not able to decode everything. Additional researc...

Do you have a Full-Sized Asset…or just a Thumbnail? Did the Optimized iPhone Storage process occur? Posted by Scott_koenig, December 5, 2022 (updated December 6, 2022). Posted in iOS Settings, Photo Library, Photos.Sqlite, Uncategorized. Tags: #DFIR, iCloud Photos, iOS Settings, Optimize iPhone Storage, Photos.Sqlite, ZINTERNALRESOURCE. Hello everyone! During previous research, I’ve mentioned a few times that my test devices were using the Apple Photos application setting Optimize iPhone Storage in lieu of Download and ...

We are OSINTCurio.us

For the past years, we have seen a growth in OSINT investigations, and they have played a pivotal role in raising accountability and in showing journalists, human rights investigators and government officials, among others, the potential of using open source information in their activities. However, as the community grows and more and more people are conducting OSINT investigations, it is natural that more mistakes are made. As an OSINT Curious person, what kind of biases should you be aware of and ...