Analysis Notes

A place to jot down notes from my attempts at malware analysis and anything that seemed likely to be useful for analysis.

4n6 Week 11 – 2023 - FORENSIC ANALYSIS

This entry was generated and posted automatically: it shows the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that I can skim through them and decide which articles to check. 4n6 itself can be found here.

FORENSIC ANALYSIS

Ahmed Belhadjadji

The Windows forensics methodology passes through 8 phases; we have discussed the first four before. If you are interested in reading about them you can use the following links:
1- Gathering Volatile Information: link
2- Collecting Non-volatile Information: link
3- Memory Analysis: link
4- Registry Analysis: link
Definition: By examining the cache, cookies, and history recorded in web browsers, investigators can gain valuable insights into a user’s internet activity, which can be used to build a comprehensi...

Belkasoft

Introduction Belkasoft X is a comprehensive platform for digital forensic and cyber incident response investigations. It features powerful tools and modules that help examiners extract, analyze, and report on digital evidence from a wide range of sources. One of the standout features of Belkasoft X is its support for Sigma rules. Sigma is a popular open-source format for describing detection rules for security information and event management (SIEM) systems. Sigma rules are used to identify spec...

By Kevin Stenger. The Casey Anthony case generated a significant amount of comment from various digital forensics "experts". Unfortunately, the majority of commentary was lacking in facts regarding the issues and circumstances surrounding the case, of which they were not aware. In addition, the majority of both digital forensic and even legal "experts" failed to note two fundamental legal issues which impacted what was observed in and out of court. The first basic concept is Discovery. Multiple co...

Doug Metz at Baker Street Forensics

NSRL Query from the Command Line (DFIR, PowerShell, Python). In digital forensics, we’re frequently trying to separate the signal from the noise. When examining operating systems (including mobile), it can be helpful to know what files came with the operating system. By filtering those out we can concentrate on what’s new on the device as we start looking for activity. The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles c...
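The known-file filtering the excerpt describes, as an added example that is not Doug Metz's code (his post's own tooling is not shown here). It hashes a directory tree with sha1sum and drops every file whose SHA-1 appears in an NSRL-style list of upper-case SHA-1s, one per line; the sample files and the hash list are constructed inline for the demo, and the "Windows/System32" paths are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: known-file filtering against an
# NSRL-style SHA-1 list. Fixture files and the hash list are constructed here;
# a real run would point $known at hashes exported from the NSRL RDS.

# Hash every regular file under $1 (GNU sha1sum prints "<sha1>  <path>").
hash_tree() {
    find "$1" -type f -exec sha1sum {} +
}

# Keep the sha1sum lines whose hash is (mode=known) or is not (mode=unknown)
# in the list $1. NSRL exports are upper-case and often CRLF, so both sides
# are normalised before comparison; only the path is printed.
nsrl_filter() {
    awk -v known="$1" -v mode="$2" '
        BEGIN {
            while ((getline h < known) > 0) { sub(/\r$/, "", h); seen[toupper(h)] = 1 }
        }
        {
            hit = (toupper($1) in seen)
            if ((mode == "known") == hit) { sub(/^[^ ]+ +/, ""); print }
        }'
}

# What survives the filter is the "new on this device" set to examine.
unknown_files() { hash_tree "$2" | nsrl_filter "$1" unknown | sort; }

# Files the list accounted for; a near-empty result on a full OS image
# usually means the wrong RDS subset was loaded, not a clean box.
known_files()   { hash_tree "$2" | nsrl_filter "$1" known   | sort; }

# Constructed fixture: one "OS" file and one dropped file, plus a hash list
# that only covers the OS file. Prints the work directory.
demo_setup() {
    work=$(mktemp -d)
    mkdir -p "$work/img/Windows/System32"
    printf 'pretend this is notepad.exe\n' > "$work/img/Windows/System32/notepad.exe"
    printf 'attacker dropped this\n'       > "$work/img/Windows/System32/svch0st.exe"
    sha1sum "$work/img/Windows/System32/notepad.exe" |
        awk '{ print toupper($1) }' > "$work/nsrl_sha1.txt"
    echo "$work"
}

# Usage against a mounted image (paths are placeholders):
#   unknown_files /cases/1234/nsrl_sha1.txt /mnt/evidence/Windows
```

The awk filter reads the hash list once into memory, so it is fine for the tens of millions of lines in a full RDS export as long as the analysis box has the RAM; for anything larger, load the list into SQLite and join instead.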

Eric Capuano

Mounting E01 Forensic Images in Linux (Eric Capuano, Mar 10). So you want to mount an E01 forensic image? This guide will help. If you have an EnCase Expert Witness Format E01 image, and you’d like to mount it for examination, there is a free library for Linux that will assist. E01 images are compressed, forensically sound containers for disk images acquired dur...
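The mount procedure the excerpt introduces, as an added example rather than code from Eric Capuano's post: libewf's ewfmount exposes the E01 (following its .E02, .E03 ... segments on its own) as a raw image file over FUSE, mmls from The Sleuth Kit reports the partition layout, and a read-only loop mount at the partition's byte offset makes the file system browsable. Package names, the image path and the mount points are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: expose an E01 as a raw image
# with libewf, locate a partition, and loop-mount it read-only.
# Assumed tooling: ewf-tools (ewfmount) and sleuthkit (mmls) from the distro
# repositories. Needs root for the mounts.

# mmls reports partition starts in sectors; mount wants a byte offset.
sector_offset() {
    start_sector=$1
    sector_size=${2:-512}
    echo $(( start_sector * sector_size ))
}

# Mount the E01 with FUSE. The decompressed raw image appears as
# $ewf_mnt/ewf1; the evidence file itself is never opened for writing.
expose_e01() {
    image=$1                      # e.g. /cases/1234/evidence.E01 (placeholder)
    ewf_mnt=${2:-/mnt/ewf}
    mkdir -p "$ewf_mnt"
    ewfmount "$image" "$ewf_mnt"
    echo "$ewf_mnt/ewf1"
}

# Show the partition table of the raw image to pick a start sector.
list_partitions() {
    mmls "$1"
}

# Loop-mount one partition read-only. noexec/nosuid stop anything on the
# evidence from being executed on the analysis host. Pass -t ntfs-3g or
# -t ext4 if autodetection picks the wrong driver; for ext4 also add noload
# so the journal is not replayed at mount time.
mount_partition_ro() {
    raw=$1
    start_sector=$2
    target=${3:-/mnt/evidence}
    mkdir -p "$target"
    mount -o ro,loop,noexec,nosuid,offset="$(sector_offset "$start_sector")" \
        "$raw" "$target"
}

# Tear down in reverse order.
teardown() {
    umount "${1:-/mnt/evidence}"
    fusermount -u "${2:-/mnt/ewf}"
}

# Typical session (requires root and a real image, so not executed here):
#   RAW=$(expose_e01 /cases/1234/evidence.E01)
#   list_partitions "$RAW"          # pick the start sector of the NTFS/ext volume
#   mount_partition_ro "$RAW" 2048  # 2048 sectors * 512 = offset 1048576
#   ls /mnt/evidence
#   teardown
```

Check the image's sector size in the mmls header before trusting 512; some images (and most 4Kn disks) use 4096, and a wrong offset shows up as "wrong fs type, bad superblock" rather than a clear error.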

Foxton Forensics

09 March 2023. We recently added support for analysing Safari history from macOS in Browser History Examiner (BHE). There are currently two options for loading macOS browser history into BHE:
1- Load from a forensic image: BHE does not directly support the parsing of forensic image files, therefore you will need to mount the forensic image first. For mounting macOS APFS images on Windows you can use Mount Image Pro.
2- Copy the history files over and manually load them into BHE: BHE currently supports the following...

InfoSec Write-ups

In this article, we will discuss how to perform a Windows Forensic Investigation to detect hidden threats, along with a checklist of tasks to be performed during the process. Forensic Investigation Is Confusing. Right? Performing a forensic investigation is often a challenging and confusing task for many cybersecurity analysts. With so many different sources of evidence and potential threats to consider, it can be difficult to know where to start and how to proceed. Moreover...

Kelvin Ling

In the “New Hire Old Artifacts” TryHackMe room, we can investigate a cyber incident using SIEM software, Splunk. The logs provided to Splunk were generated by a utility called Sysmon. This article explores the methodology of investigating actions performed by malicious binaries on a SIEM platform through Sysmon Event IDs and MITRE ATT&CK techniques. TryHackMe Room: //tryhackme.com/room/newhireoldartifacts. Investigate SIEM logs with the Sysmon system utility. Part 1: Look for a Web Browser Password Viewer...

Kevin Pagano at Stark 4N6

Magnet Virtual Summit 2023 CTF - Windows 11. Posted by Kevin Pagano, March 06, 2023. As conference season ramps up we have more CTF competitions to play! Jessica Hyde and the students from the Champlain DFA group created another one for the Magnet Virtual Summit (and the in-person summit coming up in April 2023). The fun part of these is that we always get something new. This post for instance we ...

Magnet Virtual Summit 2023 CTF - Cipher. Posted by Kevin Pagano, March 07, 2023. I always enjoy working on the cipher portions of the Magnet CTFs. They don't require any forensic tools and can be done with online tools. I've even seen some people solve them just by using their mobile phone in past years. Tools used: CyberChef, Dcode.fr. Time to practice our CW. (5 points) -.- . -.-- ---... .--. .. -. ...

Magnet Virtual Summit 2023 CTF - Windows Server. Posted by Kevin Pagano, March 08, 2023. For part three we get yet another nontypical piece of evidence. Here we have a VMDK of a Windows Server environment. While the artifacts are more or less the same as Windows 10, we might find extra things of interest. Tools used: Autopsy v4.20, AXIOM v6.11, DB Browser for SQLite v3.12.2, FTK Imager v4.5.0.3, KAPE v1.3.0.2, Re...

Magnet Virtual Summit 2023 CTF - iOS 16 iPhone. Posted by Kevin Pagano, March 09, 2023. Like last year's iOS 15 image, we get one of the first full file system "test" images for iOS 16 publicly available. Let's see what we get. Tools used: iLEAPP v1.18.4, Magnet AXIOM v6.11. Evidence: 00008101-0010541A1130001E_files_full-001.zip. A few too many (5 points): How many email accounts did the user own? (not c...

Lina Lau at Inversecos

Azure Command Line Forensics - Host Based Artifacts. March 08, 2023. On most of the on-premises to cloud lateral movement compromises I’ve worked relating to Azure, threat actors typically leverage a bunch of different command-line focused tools. They use these tools to perform enumeration of the victim’s Azure environment, backdooring Active Directory, various persistence techniques and lateral movement. These are generally a combination or one...

Magnet Forensics

Since the creation of iOS, Apple has used one primary app as the storage center for your communication data—the “Messages” application. It’s responsible for the handling of both your SMS/MMS data as well as the proprietary iMessage transmissions. While the database backing these messages hasn’t moved since its creation, it’s gone through several changes over time as Apple has added new features; not only has the database changed, but other locations where data can be found to support the functio...

Mark Spencer at Arsenal Recon

BitLocker for DFIR – Part I. March 11th, 2023, Mark Spencer. This article was originally published on October 25th, 2019 and then updated on April 13, 2020 and March 11, 2023. BitLocker is a Full Volume Encryption (FVE) technology introduced by Microsoft in the Ultimate and Enterprise versions of Windows Vista. BitLocker has come a very long way since Vista, becoming quite flexible (some of our colleagues might prefer the word complicated) and secure if used properly. We deal with BitLocker frequentl...

MII Cyber Security

A few months ago, Belkasoft gave an interesting course, SQLite forensics. SQLite is still relevant, especially when doing mobile app forensics. This course gives so much insight for digital forensic investigators on how to treat SQLite for forensic analysis. What I got from this course:
- Real practical experience in investigating SQLite using Belkasoft tools and DB Browser for SQLite.
- Forensic investigation of social media apps like WhatsApp, Facebook, Viber, and Telegram.
- How to carve SQLite files.
- How to corre...

Network Forensics — SMUX Protocol. This topic comes from one of the digital forensics category challenges held by Autobahn Security. This time I will discuss the network forensics category. This challenge was completed a few days after the competition was over :( The brief of this challenge is as follows. We captured a lot of suspicious HTTP requests last month on one of our websites which hasn’t been maintained since the end of 2022. Unfortunately, the website is no longer accessible at this time. Can you ...

Memory Forensics — Linux Kernel Confusion. Memory forensics is one of the sub-categories of digital forensics that I usually find in CTF competitions, where it is necessary to analyze a memory dump of an operating system such as Windows or Linux. I found this topic after joining the Cyberscape CTF yesterday, which was held by Autobahn Security. I had difficulty with a digital forensics category problem involving memory analysis. Usually in the case of memory forensics, the most common...

MSAB

...image that you can use to validate, test, or practice on. MSAB is proud to support Digital Corpora and offer this data set. We've released the decoded XRY file along with XAMN Viewer, which will allow users to test and validate the findings with MSAB’s software suite. This image is held in high regard for testing and validation of vendor tools. You can also use it for training, education, or research. Find the extracted files here: //lnkd.in/gSM7a73M (Android 13, //digitalcorpora.org) ...

Usually, the content of a photo, its EXIF information (if available), and/or its timestamp are generally adequate in most inquiries and the process by which any media file came to be on a particular device is self-evident. It could have been sent as a WhatsApp attachment, an MMS, taken by the host device camera, or so on. There are times, however, when a media file is important to a case and the “how it got there” is relevant, but is not obvious and often quite puzzling. Most of us have seen suc...

Nicolas Bareil at ‘Just Another Geek

Context. Chris Sanders proposed on Twitter the following scenario: "Proxy logs indicate a host on your network made a few HTTP requests with no User Agent string (field is empty). What do you look for to investigate why this is happening and whether an incident has occurred?" Credit: //twitter.com/chrissanders88/status/1630581503506935811. One investigation path. In my experience, HTTP requests without User-Agent are very, very frequent on a corporate network (like more than 20% of the global traffic, YMMV...
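A first triage pass over proxy logs for the scenario above, as an added example that is not part of Nicolas Bareil's post. Since empty User-Agent traffic is common, simply listing it is noise; the functions below group empty-UA requests by client and destination to separate the steady updater-style pairs from the long tail, then pull out the subset that pairs an empty UA with a POST or with a raw IP-literal destination. The log format (timestamp, client, method, URL, status, quoted UA) and every line in it are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post. The proxy log format and the
# entries below are constructed; adapt the field split to your proxy's format.

# Write the constructed log to a temp file and print its path.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2023-03-06T09:00:01Z 10.1.2.3 GET http://update.example.com/manifest.xml 200 ""
2023-03-06T09:00:02Z 10.1.2.3 GET http://update.example.com/pkg.cab 200 ""
2023-03-06T09:00:03Z 10.1.2.3 GET http://news.example.org/ 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"
2023-03-06T09:00:04Z 10.1.2.9 POST http://198.51.100.7:8080/gate.php 200 ""
EOF
    echo "$f"
}

# Total number of requests whose quoted User-Agent field is empty.
empty_ua_count() {
    awk -F'"' '$2 == "" { n++ } END { print n + 0 }' "$1"
}

# Empty-UA requests counted per (client, destination host[:port]), busiest
# first. A client repeatedly hitting one vendor host with no UA is usually an
# updater or agent; the singletons at the bottom deserve the attention.
empty_ua_by_client_dest() {
    awk -F'"' '$2 == "" {
        split($1, f, " ")       # f: ts client method url status
        split(f[4], u, "/")     # u[3]: host[:port] of http://host/...
        c[f[2] " " u[3]]++
    }
    END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# The subset worth opening a case on: empty UA combined with a POST (data
# leaving the host) or an IP-literal destination (no DNS name, which
# legitimate update endpoints almost always have).
suspicious_empty_ua() {
    awk -F'"' '$2 == "" {
        split($1, f, " "); split(f[4], u, "/")
        if (f[3] == "POST" || u[3] ~ /^[0-9.]+(:[0-9]+)?$/) print
    }' "$1"
}

# Usage:
#   LOG=$(sample_log)
#   empty_ua_by_client_dest "$LOG"
#   suspicious_empty_ua "$LOG"
```

For a real proxy export, confirm which column carries the UA and whether the proxy logs an absent header as an empty string or as a placeholder such as "-"; the `$2 == ""` test above assumes the former.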