Analysis Notes

A place to note things learned from analyzing malware and anything that looked useful for analysis. This site uses Google Analytics.

4n6 Week 51 – 2022 - FORENSIC ANALYSIS

This entry was generated and posted automatically: it shows the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed quickly. 4n6 itself can be viewed here. Donations via "Buy me a coffee" are appreciated.

FORENSIC ANALYSIS

Active Countermeasures

Oleg Afonin at Elcomsoft

December 16th, 2022 by Oleg Afonin. Category: «General».
Windows account passwords, or NTLM passwords, are among the easiest to recover due to their relatively low cryptographic strength. At the same time, NTLM passwords can be used to unlock DPAPI-protected data such as the user’s passwords stored in Web browsers, encrypted chats, EFS-protected files and folders, and a lot more. In this article we argue about prioritizing the recovery of NTLM hashes over any other types of encrypted data. What are...

Forensafe

Investigating Windows Google Drive. 16/12/2022, Friday.
Google Drive is a cloud-based file storage service similar to Microsoft OneDrive and Apple iCloud. It enables users to store, access and share files online. The service also enables users to synchronize files across their devices including PCs, smartphones and tablets. Google Drive encompasses other Google apps such as Google Docs, Forms, Sheets and Slides; allowing users to work collectively on the same file from anywhere using the cloud. Di...

Karthikeyan Nagaraj at InfoSec Write-ups

Advent of Cyber 2022 [Day 11] Memory Forensics: Not all gifts are nice | Task 16 Answers, Write-up and Walkthrough. By Karthikeyan Nagaraj.
What is Memory Forensics? Memory forensics is the analysis of the volatile memory that is in use when a computer is powered on. Computers use dedicated storage devices called Random Access Memory (RAM) to remember what is being performed on the computer at the time. RAM is extremely quick and is the preferred method of storing and accessing data. Let’s Use Volatilit...

Advent of Cyber 2022 [Day 13] Packet Analysis | Simply having a wonderful pcap time — Simple Write-up. Advent of Cyber 2022 [Day 13] Packet Analysis | Simply having a wonderful pcap time | Task 18 Answers, Write-up and Walkthrough. By Karthikeyan Nagaraj.
Why Does Packet Analysis Still Matter? Network traffic is a pure and rich data source. A Packet Capture (PCAP) of network events provides a rich data source for analysis. Capturing live data can be focused on traffic flow, which only provides statistic...

Joe T. Sylve, Ph.D.

2022 APFS Advent Challenge Day 8 - Object Maps. Monday, December 12, 2022.
Earlier in this series, we discussed APFS Containers and how they address physical objects via a fixed block size. This was followed up with a discussion on enumerating Checkpoint Maps to locate ephemeral objects. The last remaining kind of objects that we need to know how to find are virtual objects. Today, we will discuss an essential specialization of B-Trees, the Object Map (OMAP), and their critical role in managing th...

2022 APFS Advent Challenge Day 9 - Volume Superblock Objects. Tuesday, December 13, 2022.
In this blog post, we will explore the Volume Superblock in APFS, a critical data structure containing important information about an individual APFS volume. We will discuss locating the Volume Superblock on disk and describe some fields in the on-disk format. By the end of this post, you should better understand the Volume Superblock’s role in the APFS file system and how to parse its on-disk structure. Loca...

2022 APFS Advent Challenge Day 11 - File System Trees. Thursday, December 15, 2022.
Each APFS volume has a logical file system stored on disk as a collection of File System Objects. Unlike other APFS Objects, File System Objects consist of one or more File System Records, which are stored in the volume’s File System Tree (FS-Tree). Each record stores specific information about a file or directory. Analyzing each record and associating them with other records with the same identifier gives a comple...

2022 APFS Advent Challenge Day 12 - Inode and Directory Records. Friday, December 16, 2022.
Each APFS file system entry has both an inode and directory record. The inode record stores metadata such as the entry’s timestamps, ownership, type, and permissions (among others). Directory records store information about where the entry is stored within the file system’s hierarchy. A single inode may be referenced by more than one directory record, meaning the same file or folder may be present at multip...

Kevin Pagano at Stark 4N6

Thawing the Ice Age Pt. 2 - Tusky on Android. Posted by Kevin Pagano, December 13, 2022.
Another beast has thawed from their ice slumber. Tusky is an alternative client app to the ever-growing and ever popular Mastodon. Similar to my breakdown for Mastodon I'll be going through what we can find in the folder structure via an Android phone dump. The main folder we can find the app at is as follows: data\data\com.keylesspalace.tusky. Like usual, the la...

Matt C. A. Smith

Investigating Explorer's temporary ZIP folders and retrieving files. 2022-12-14. Cyber security.
If I was to describe how often malware is downloaded within ZIP archives, “common” would be a huge understatement. A key artefact in these investigations is the temporary directory Windows creates when a user opens an archive in Explorer, but I recently realised I’d never actually run a proper test to see when the folder is created, when it is not, and when it is deleted. So to clear that up, here’s a q...

Terryn at chocolatecoat4n6

Investigation Framework | Part 4 – Correlation. December 13, 2022 / ChocolateCoat.
Welcome back, hopefully you’ve had a chance to take a break and refill your caffeine of choice. Findings only provide half the answer when dealing with investigations. As an analyst, your job is not only to discover findings but to also make sense of them...

Vikas Singh