本エントリは This Week in 4n6 (FourAndSix=Forensics) で紹介された各記事の冒頭を表示し、チェックする記事をザッピングするために自動生成＆投稿したものです。4n6 は こちら からご確認いただけます。

FORENSIC ANALYSIS

Cado Security

• Investigating AWS EC2 Compromise CTF by Cado Security

• Scaling Log Forensics in the Cloud with cloudgrep

CyberJunnkie

• Pre5 Forensics (CyberHackathon 23 Online Qualifiers)

Pre5 Forensics (CyberHackathon 23 Online Qualifiers)CyberJunnkie·Follow4 min read·1 day ago--ListenShareWe are provided with event logs and registry hives as artifactsI started with using evtxecmd for parsing event logs and REcmd for registry. This will create provide us the data in timeline format.Lets Start analysingQuestion 1: What was the name of the script that ran on the machine?To find the script name lets open the csv containing event logs timeline. The first event shows a powershell scr...

Digital Daniela

• Using Zeek Signatures!

11/5/2023 0 Comments Hi everyone!​This post will be about using signatures in a tool called Zeek. Zeek is a tool used for monitoring network traffic. The signatures are used to find certain types of activities on a network. Here is the link to the TryHackMe assignment - ​//tryhackme.com/room/zeekbro 1. Creating an HTTP SignatureHere I first navigated to the correct directory, the HTTP directory since that is where the files for this task are stored. Then I issued this command zeek -C -r cap. The...

Shanna Daly at Fancy Forensics

• Leveraging SRUM for Incident Response

• Hunting webshells

Forensafe

• Solving Cellebrite’s September 2023 CTF (Abe’s iPhone device) Using ArtiFast

Solving Cellebrite's September 2023 CTF (Abe's iPhone device) Using ArtiFast 10/11/2023 Friday Cellebrite held their yearly CTF last month and this year the challenge featured 4 devices, belonging to 4 different suspects. In this blog, We will use ArtiFast to answer the questions associated with one of the suspects devices (Abe Rudder's Apple iPhone X). The Scenario: Terror attacks were planned for Southport, NC in June of 2023. Russell, the primary suspect, lives locally in that area and seems ...

Gaurav Gogia

• WSL2 Forensics: Detection, Analysis & Revirtualization

Report this article Gaurav Gogia Gaurav Gogia Research Scholar @NFSU | Over-engineering my way through Forensics Published Nov 5, 2023 + Follow This paper discusses detection, acquisition, and post-mortem analysis of WSL2 instances. The paper explores how WSL2 forensics integrates into existing forensic investigation processes and which tools can be used to extract & analyse WSL2 images.BackgroundWindows ships Linux kernel along with Windows NT kernel. Windows uses HyperV to virtualize WSL2 inst...

Josh Lemon

• File Timestamps for Apple APFS

Josh Lemon·Follow3 min read·Nov 5--ListenShareFor a while now, I’ve been meaning to create a series of blog posts related to file system timestamps that look at the conditions under which they are updated/changed. This post is one of a few in the series I’ll post over the next few weeks, the exact number will depend on how much time I get and how many different file systems and operating systems I can think of – and get access to.This is intended for Incident Response or Digital Forensics people...

Krzysztof Miodoński

• Collaboration between KAPE and Microsoft Defender for Endpoint at the service of the SOC

Report this article Krzysztof Miodoński Krzysztof Miodoński SOC Analyst in ISS Published Nov 8, 2023 + Follow Intro During SANS FOR508 I was introduced to a software called KAPE. On this course it is used on a mounted disk image. I know that there is also an option there to collect artefacts remotely. During day-to-day work as a SOC analyst, creating a disk image is way too time-consuming. Analysis of complex incidents sometimes requires the collection of selected artifacts and it is not always ...

N00b_H@ck3r

• LetsDefend: Ransomware Attack

Posted bylightkunyagami November 7, 2023 2 Comments on LetsDefend: Ransomware Attack Scenario: An end-user device was infected by ransomware. A memory dump was captured from the compromised machine, and it is our task as digital forensics investigators to find the evidence of the attack. The memory capture file that was provided to us is in .mans format which is a Mandiant Analysis File. This should give away the tool that we will be using to conduct the investigation, the Redline tool. Difficul...

Igor Rodrigues at Open Source DFIR

• Turbinia’s API Evolves: A Comprehensive Overview of the Latest Enhancements

Skip to main content Open Source DFIR A security blog for the digital forensics community on how to perform digital forensic incident response with open source tools. Turbinia's API Evolves: A Comprehensive Overview of the Latest Enhancements Get link Facebook Twitter Pinterest Email Other Apps By Juan Leaniz November 10, 2023 Turbinia's API Evolves: A Comprehensive Overview of the Latest EnhancementsAuthored by Igor Rodrigues, copied with permission.IntroductionTurbinia is an open-source framew...

Phill Moore at ThinkDFIR

• How can I be of WebAssist(ance)?

November 9, 2023 Phill MooreLeave a comment There’s a new (newish?) database in Microsoft Edge that is worth exploring a bit further. This blogpost is partially an intro, partially a placeholder, because I saw some conversation on a listserv about the database but almost nothing else online about it. There’s limited research, so let me know what you find and I can update the post! Microsoft Edge (Chromium) has another sqlite database, WebAssistDatabase, that can contain Internet History. The dat...