Analysis Notes

A place to jot down notes from analyzing malware and anything that seems likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 12 – 2023 - FORENSIC ANALYSIS

This entry was generated and posted automatically: it shows the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that articles worth checking can be skimmed quickly. This Week in 4n6 itself can be found here.

FORENSIC ANALYSIS

Belkasoft

By James McGee, Digital Forensic Examiner, Metadata Forensics, LLC, specially for Belkasoft. Forensics Question: When sent or received iMessage/SMS/MMS messages are permanently deleted from Apple iPhone's native Messages application, rows of data are removed from the sms.db, the storage database for the application. When these messages have been removed and data is no longer available, even in the sms.db-wal, how can an examiner/investigator identify these messages and where can they look for this ...

David Spreadborough at Amped

Welcome back to the Amped blog series on CCTV Acquisition. In this week's post, we are going to look at one of the most important initial stages of any acquisition. That is, identifying the presence of CCTV through Search and Trawl. Contents: 1. CCTV Search; 2. CCTV Trawl; 3. Conclusion. For many incidents, it is straightforward and clear. For an assault inside a bar, for instance, there may be many cameras. However, a search will still be necessary to perhaps identify what cameras are required. Half o...

eForensics

Oleg Afonin at Elcomsoft

March 14th, 2023 by Oleg Afonin. Category: «General». In this article, we will discuss how to access the hidden port of the first-generation HomePod and extract its file system image. Note that this process requires disassembly, voids the HomePod warranty, and requires specific tools, including a custom 3D-printable USB adapter, a set of screws, and a breakout cable. Therefore, this method is not recommended for casual users and should only be used by professionals who have a thorough understanding...

Forensafe

Investigating Windows BitComet (13/03/2023, Monday). BitComet is a free BitTorrent client application used for downloading and sharing files over the internet. It operates on the peer-to-peer (P2P) file sharing protocol, allowing users to download large files such as movies, music, and software from other users' networks. When a user downloads a file using BitComet, the software connects to the network of other users who are also downloading or sharing the same file. The app then downloads the file...

Investigating Windows imo (10/03/2023, Friday). imo is an instant messaging platform similar to WhatsApp and Viber. The app initially gained popularity due to the video calls feature, as it was one of the first instant messaging platforms to offer this feature. Nowadays, almost all instant messaging platforms allow their users to communicate via text, voice, video messages and calls freely as long as they have an active internet connection. Digital Forensics Value of imo: Similar to other instant ...

Emma Sousa at Forgotten Nook

Magnet Forensics Virtual Summit 2023 CTF – Windows 11. Author: Emma (Twitter). Challenge: Magnet Forensics 2023 Virtual Summit CTF – Windows 11 (Challenge Link). Challenge Creators: Jessica Hyde, Dylan Navarro, Alayna Cash, Austin Grupposo, Thomas Claflin, A'zariya Daniels, and Lorena C. Image Link. MD5 of Download: 8cf0c007391f4a72ddc12a570a115b46. Case Overview: Magnet Forensics hosted this CTF on March 1, 2023, from 11-2 PM EST. This CTF included three images. Below, you will find the steps I took to solve the questi...

John Lukach at 4n6ir

by John Lukach. I have been happy with AVML (Acquire Volatile Memory for Linux) from Microsoft for acquiring memory from x86_64 Linux systems. //github.com/microsoft/avml With most of my workloads running on arm64 now, I was excited to see the return of DumpIt for Linux under the Magnet Forensics banner. //github.com/MagnetForensics/dumpit-linux The provided directions focus on Ubuntu, whereas my primary server operating system is Amazon Linux, so I wanted to share my notes. Installation: yum instal...

Kelvin Ling

Microsoft Exchange Server is commonly deployed in an enterprise, offering email, contact management, calendar, scheduling services, and more. As Microsoft Exchange Server provides critical services and stores sensitive information such as email messages, attachments, events, contacts, and notes, it is often targeted by ransomware attacks. The TryHackMe Room "Conti" allows us to investigate a ransomware attack on an Exchange Server. We are provided with SIEM (Splunk) access, and the task is ident...

Magnet Forensics

Magnet RESPONSE is an evidence collection and preservation tool, targeted towards incident response (IR) cases and the data that is relevant to those investigations. It’s designed to be portable (running from a USB drive), easy to use and fast, with minimal training required to operate the tool, while still targeting a comprehensive set of files and data relevant to IR investigations. We developed this tool with the non-technical stakeholder in mind. Due to hybrid work environments, there might ...

Nicolas Bareil at Just Another Geek

Context: Chris Sanders proposed on Twitter the following scenario: "One of your web servers hosted in the Amazon cloud launched a new process named sqlserver.exe. What do you look for to investigate whether an incident occurred?" Credit: //twitter.com/chrissanders88/status/1628050893315899393. My investigation path: What is this executable? Who dropped that executable? How was this executable dropped? Who is responsible for the execution of this file? Any difference in handling in an AWS context? What is this ex...

Megan Roddie at SANS

Megan Roddie, Google Cloud Log Extraction, March 13, 2023. In this blog post, we review the methods through which we can extract logs from Google Cloud. In the first blog post in our series on cloud log extraction, we discussed how to extract logs from AWS. Next we are going to look at extracting logs from Google Cloud. Logs in Google Cloud are managed via their Cloud Logging service and routed to their final destination through the use of Log Sinks. By default, the Required and Default sinks are ...

Seth Enoka

3 min read. Forensics, How-To, Incident Response. Quick writeup on Alternate Data Streams (ADS). ADS is a file attribute used in NTFS that ultimately provides an opportunity for investigators to extract valuable evidence that might otherwise be overlooked. An ADS is an additional stream of data that can be attached to a file on Windows systems. It's a hidden file attached to a visible file (or written alongside a regular file) which isn't visible in the usual file browsers like Windows Explorer. Th...

Jonathan Johnson at SpecterOps

Threat Intelligence ETW. Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written within TelemetrySource. This post will focus on the process I followed to understand the events the Threat-Intelligence ETW provider logs and how to uncover the un...