Analysis Memo

A place where I note things from trying my hand at malware analysis and anything I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 24 – 2024 - FORENSIC ANALYSIS

This entry was generated and posted automatically to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that I can skim through them and pick which articles to check. 4n6 itself can be found here.

FORENSIC ANALYSIS

0xdf hacks stuff

Jun 13, 2024. HTB Sherlock: Noted. Noted is a quick Sherlock analysing the AppData directory associated with Notepad++. I’ll use the artifacts to recover the contents of two files, including a Java script used to collect files from the host for exfil. I’ll get the password for the pastes site containing the attacker information and some idea of the timeline over which the activity occurred. Challenge Info Name Noted Play on H...

Atola Technology

Atola Technology: Fast forensic imaging. Even with bad drives. Published Jun 10, 2024. Hi there! Welcome back to Plug, Image, Repeat, the monthly newsletter where we share practical tips and tricks to improve your experience in digital forensics. We’re glad you’re here. 🤗 Finding hidden or deleted evidence files can rapidly change the trajectory of an investigation. Crucial documents, photos, or even fragments of files that contain vital information can b...

Campaign and public sector information security

Recent posts: June 11, 2024, Sysmon-Help an investigator out!; April 16, 2024, How are people tricked into downloading malicious software?; April 7, 2024, USPS Package notification (or how to check bad links). Quote of the week: “Do or do not. There is no try.” -Yoda. Campaign and public sector information security PROVIDING: Useful information for public sector and political...

Craig Ball at ‘Ball in your Court’

Doug Austin (TQT Group) said, June 13, 2024 at 10:39 AM: Thanks for the mention, Craig, and the excellent post! I did notice the “w/s” (I had encountered it before in search term requests in a project or two I managed) and had to push back as dtSearch (the search engine behind our tool and many others) doesn’t support it. The rumors of the demise of search terms are greatly exaggerated and lawyers still need to understand them. Many think they do, but they don’t. If the defendants had known more,...

Cyber 5W

Cyber 5W in Disk-Forensics. EVENT LOGS OVERVIEW: Windows operating systems maintain event logs that capture extensive information about the system, users, activities, and applications. These logs primarily exist to inform administrators and users; entries are categorized into five levels: information, warning, error, critical, and success/failure audit. For forensic analysis, event logs are an invaluable resource for reconstructing the sequence of events on a system. These logs can provide valuable information...

Dhiren Bhardwaj at Digital Forensic Forest

Posted on 09/06/2024 by Dhiren Bhardwaj. Hi everyone, today I want to discuss a data exfiltration scenario I recently encountered during an investigation. As a security researcher, it’s crucial to identify and understand how attackers are stealing data. Unusual Network Traffic: The initial red flag was unusual network traffic patterns, which often indicate potential data exfiltration. This triggered our incident response team to investigate further. Pre...

Posted on 11/06/2024 by Dhiren Bhardwaj. When working in digital forensics, Python scripts are often essential for parsing digital artifacts. However, these scripts typically rely on multiple external modules, which can make them difficult to transport and execute across different environments. As an Incident Responder, having portable executables or batch files that can be run anywhere is crucial for efficient initial triage, data parsing, and other...

Emi Polito at Amped

Emi Polito June 12, 2024 Reading time: 8 min Run a motion analysis, select a region of interest or set a motion threshold. Find out how easy it is to find suspect movement in Amped Replay! Hello folks and welcome to a dedicated article on Motion Detection, the newest feature of Amped Replay. When we first came up with the idea of developing this software, we wanted to first and foremost assist law enforcement officers with speeding up their video investigations. We appreciate how long and tediou...

Forensafe

Browser 14/06/2024 Friday One of the key applications on iOS devices is Safari. Safari is the default web browser in iOS and macOS. This blog will explore the forensic value of Safari artifacts, including their locations and data structures. It will provide insights into how this information can be used in digital investigations and how we can analyze those artifacts using ArtiFast. Digital Forensics Value of iOS Safari Browser Artifacts One of the major sources of evidence in digital forensics ...

Hideaki Ihara at port139

I will think of some example prompts for asking ChatGPT to learn about NTFS. I receive some answers that raise questions, but they generally seem to be correct. Since I am asking in Japanese, I might get even better results if I ask in English. Can you explain the historical background of NTFS development? Who were the designers of NTFS? What key aspects of NTFS should be known from a digital forensics perspective? What important details should be understood about the structure of the Master File...

I will also ask ChatGPT about FAT and exFAT, similar to how I did with NTFS. Since some of the responses are somewhat unclear, it seems necessary to either ask more detailed questions to verify ChatGPT's answers or verify the information myself. And I thought that reading Brian Carrier's "File System Forensic Analysis" might be easier and more understandable than asking ChatGPT. List the key items to know about FAT from a digital forensics perspective. Provide a detailed explanation of the direct...

@port139 Blog (this blog mainly deals with digital forensics techniques, but there is a high chance that the content contains errors). 2024-06-13 Let's visualize an EVTX file using ChatGPT. I asked ChatGPT to visualize the File header of an EVTX file, but it seems it hasn't been visualized correctly. Can you parse it correctly on your end? I had to refer to the following URL for the header definition and adjust the given HEX accordingly when communicating with ChatGPT. //github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%2...
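As an added example (written for this memo, not code from the port139 post or from libevtx), the following script parses the EVTX file header that the post tried to have ChatGPT visualize, and checks the CRC32 that protects it. The field layout follows the libevtx format documentation the post links to; the 4096-byte header block it reads is constructed by the script itself, and the field names and the `visualize` output format are this example's own choices.

```python
"""Parse and verify the 128-byte file header of a Windows EVTX event log.

Added example, not code from the port139 post or from libevtx. The layout follows
the libevtx format documentation; the header block below is constructed here,
not taken from a real log.
"""
import struct
import zlib

EVTX_SIGNATURE = b"ElfFile\x00"
# offset 0 signature, 8 first chunk number, 16 last chunk number, 24 next record id,
# 32 header size (128), 36 minor version, 38 major version, 40 header block size (4096),
# 42 number of chunks, 44 unused (76 bytes), 120 file flags, 124 CRC32 of bytes 0..119
HEADER_FMT = "<8sQQQIHHHH76xII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 128
FLAG_DIRTY, FLAG_FULL = 0x1, 0x2            # dirty: log was not cleanly closed


def parse_evtx_header(blob: bytes) -> dict:
    """Decode the header fields and report whether the stored CRC32 matches the bytes."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("need at least 128 bytes of header")
    (sig, first_chunk, last_chunk, next_record, header_size, minor, major,
     block_size, chunk_count, flags, stored_crc) = struct.unpack_from(HEADER_FMT, blob)
    if sig != EVTX_SIGNATURE:
        raise ValueError(f"bad signature {sig!r}")
    computed_crc = zlib.crc32(blob[:120]) & 0xFFFFFFFF   # checksum covers bytes 0..119 only
    return {
        "first_chunk": first_chunk,
        "last_chunk": last_chunk,
        "next_record_id": next_record,
        "header_size": header_size,
        "version": f"{major}.{minor}",
        "block_size": block_size,
        "chunk_count": chunk_count,
        "dirty": bool(flags & FLAG_DIRTY),
        "full": bool(flags & FLAG_FULL),
        "checksum_ok": stored_crc == computed_crc,
    }


def build_evtx_header(first_chunk: int, last_chunk: int, next_record_id: int,
                      flags: int = 0) -> bytes:
    """Construct a synthetic 4096-byte header block with a valid CRC32 (test data only)."""
    chunk_count = last_chunk - first_chunk + 1
    body = struct.pack("<8sQQQIHHHH76xI", EVTX_SIGNATURE, first_chunk, last_chunk,
                       next_record_id, HEADER_SIZE, 1, 3, 4096, chunk_count, flags)
    crc = zlib.crc32(body[:120]) & 0xFFFFFFFF
    return (body + struct.pack("<I", crc)).ljust(4096, b"\x00")


def visualize(blob: bytes) -> list:
    """Offset-annotated field listing: the view the post asked ChatGPT to produce."""
    fields = [(0, 8, "signature"), (8, 8, "first chunk number"), (16, 8, "last chunk number"),
              (24, 8, "next record identifier"), (32, 4, "header size"), (36, 2, "minor version"),
              (38, 2, "major version"), (40, 2, "header block size"), (42, 2, "number of chunks"),
              (120, 4, "file flags"), (124, 4, "checksum")]
    return [f"{off:4d} {blob[off:off + size].hex()} {name}" for off, size, name in fields]


if __name__ == "__main__":
    hdr = build_evtx_header(first_chunk=0, last_chunk=2, next_record_id=1501, flags=FLAG_DIRTY)
    for line in visualize(hdr):
        print(line)
    print(parse_evtx_header(hdr))
```

A `checksum_ok` of False on a real log is worth noting in a report before trusting the chunk count or record numbering: a dirty flag with a good checksum is normal for a log that was in use, while a bad checksum means the header itself was altered or truncated.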

2024-06-13 Let's visualize NTFS FILE records with ChatGPT. Q. The following HEX represents the data of an MFT FILE record. Please list the attributes contained within this FILE record. ### Listing Attributes in the MFT FILE Record The provided HEX data represents an MFT (Master File Table) FILE record. To identify the attributes within this record, we need to parse the HEX data and identify the attribut...

I tried a prompt to learn about $i30, but I couldn't construct it using the procedure I had initially planned. Everything went smoothly until the visualization of the Index Root, where challenges arose. Personally, I feel that approaching it by teaching ChatGPT the visualization method, rather than asking, yields better results. Of course, incorrect answers do come up, so it helps me learn to verify things on my own. Q. I will learn about $i30 in NTFS. Please explain the procedure for creating a ...

2024-06-15 Let's come up with a prompt to learn about NTFS MFT FILE records using ChatGPT. I am trying to interactively parse the contents of NTFS FILE records by providing them to ChatGPT. I believe there might be issues with the way I'm asking the questions, as the interpretation of the timestamps often results in incorrect answers. Ultimately, I need to verify the results with my own eyes, so this is...

I will try to parse the timestamps using ChatGPT, utilizing the timestamps of the files I have been using for verification since the other day. The timestamps for the SIA within the FILE record are as follows. The 8-byte timestamp for the initial creation date is as follows. D9DC898E8BA3DA01 = 2024-05-11 10:11:14.8032217 Z. Q. This is hexadecimal data in Windows FILETIME format. Display it in a format understandable by humans, showing up to 3 decimal places for the fractions of a second. D9DC898E8BA...
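The three port139 posts above (listing the attributes of a FILE record, and decoding the $STANDARD_INFORMATION FILETIME stamps that ChatGPT kept getting wrong) are the kind of parsing that is quicker to verify with a script than with a chat prompt. The following is an added example written for this memo, not code from the posts: it undoes the update-sequence fixups, walks the resident attributes, and decodes the timestamps. Only the creation timestamp comes from the post (D9DC898E8BA3DA01, which is 2024-05-11 10:11:14.8032217 Z); the rest of the 1024-byte record, the file name `notes.txt`, the record number 42 and the update sequence number are constructed here so the script runs offline. The usual ChatGPT mistake is byte order: the eight bytes are stored little-endian, so `D9` is the lowest byte of the 64-bit tick count, not the highest.

```python
"""Walk the attributes of an NTFS MFT FILE record and decode its FILETIME stamps.

Added example, not code from the port139 posts. The parser and the sample record are
constructed here; only the creation timestamp D9DC898E8BA3DA01 comes from the post.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SECTOR = 512
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}


def filetime_from_hex(hex_le: str) -> int:
    """Read the 8 bytes as they sit on disk: little-endian, so D9 is the LOW byte."""
    return struct.unpack("<Q", bytes.fromhex(hex_le))[0]


def filetime_to_str(ft: int, digits: int = 3) -> str:
    """UTC text with the 100 ns fraction truncated (not rounded) to `digits` places."""
    secs, ticks = divmod(ft, 10_000_000)
    stamp = EPOCH_1601 + timedelta(seconds=secs)
    return f"{stamp:%Y-%m-%d %H:%M:%S}.{ticks:07d}"[:20 + digits] + " Z"


def apply_fixups(rec: bytes) -> bytes:
    """NTFS overwrites the last word of every sector with the update sequence number (USN)
    and keeps the real words in the update sequence array; a mismatch means a torn record."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    out = bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if out[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn record")
        out[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def parse_file_record(rec: bytes) -> dict:
    """Header fields plus one dict per attribute (resident payloads included)."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD or garbage)")
    rec = apply_fixups(rec)
    seq, links, first_attr, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    attrs, off = [], first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:           # end-of-attributes marker
            break
        nonres, name_len, name_off, attr_id = struct.unpack_from("<BBHxxH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        content = b""
        if not nonres:                                  # resident: payload lives in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
        attrs.append({"type": atype, "type_name": ATTR_NAMES.get(atype, hex(atype)),
                      "name": name, "id": attr_id, "resident": not nonres, "content": content})
        off += alen
    return {"sequence": seq, "hard_links": links, "in_use": bool(flags & 1),
            "is_directory": bool(flags & 2), "used": used, "allocated": alloc,
            "attributes": attrs}


def decode_standard_information(content: bytes) -> dict:
    """The four FILETIMEs at the start of $STANDARD_INFORMATION (the SIA in the post)."""
    return dict(zip(("created", "modified", "mft_modified", "accessed"),
                    struct.unpack_from("<4Q", content)))


def decode_file_name(content: bytes) -> str:
    """Name length is the byte at 0x40; UTF-16LE name starts at 0x42."""
    return content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")


def _resident_attr(atype: int, attr_id: int, content: bytes) -> bytes:
    """Resident attribute: 24-byte header, then payload, length padded to 8 bytes."""
    body = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0x18, 0, attr_id, len(content), 0x18, 0, 0)
    body += content + b"\x00" * (-(24 + len(content)) % 8)
    return body[:4] + struct.pack("<I", len(body)) + body[8:]


def build_sample_record() -> bytes:
    """Constructed record #42: $STANDARD_INFORMATION, $FILE_NAME 'notes.txt', resident $DATA."""
    created = filetime_from_hex("D9DC898E8BA3DA01")   # the post's creation timestamp
    later = created + 25_000_000                       # 2.5 s after creation (made up)
    sia = struct.pack("<4Q", created, later, later, created) + b"\x00" * 40
    name = "notes.txt"
    fn = struct.pack("<Q4QQQIIBB", 0x0005000000000005, created, later, later, created,
                     4096, 27, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = (_resident_attr(0x10, 0, sia) + _resident_attr(0x30, 1, fn)
             + _resident_attr(0x80, 2, b"constructed sample content\n")
             + b"\xff" * 4 + b"\x00" * 4)
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 5, 1, 0x38, 1,
                         0x38 + len(attrs), 1024, 0, 3, 0, 42)
    rec = bytearray((header + b"\x00" * 8 + attrs).ljust(1024, b"\x00"))
    usn = b"\x07\x00"                                  # arbitrary update sequence number
    rec[0x30:0x32] = usn
    for i in (1, 2):                                   # fix up both 512-byte sectors
        end = i * SECTOR - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


if __name__ == "__main__":
    info = parse_file_record(build_sample_record())
    for a in info["attributes"]:
        print(f"0x{a['type']:02X} {a['type_name']:<22} id={a['id']} resident={a['resident']}")
    print(filetime_to_str(decode_standard_information(info["attributes"][0]["content"])["created"]))
```

Truncation rather than rounding in `filetime_to_str` is deliberate: most forensic tools display the tick count cut off, so a rounded value would not match what the examiner sees elsewhere. The fixup check is the other part worth keeping when adapting this to real $MFT extracts: a record whose sector-end words do not carry the USN was only partly written, and its attribute list should not be trusted.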

Memory Forensic

Hoxed, Jun 13, 2024. Credit: This Memory Forensic CTF Challenge is made by 13Cubed. What is CTF (Capture The Flag)? If you are not familiar with the term, do not worry. A Capture the Flag (CTF) competition is a popular type of cybersecurity contest that involves participants solving various security-related challenges to earn points. These competitions are designed to test and enhance the participants’ skills in different areas of cybersecurity (such as memory forensics). It has differen...

Hoxed, Jun 15, 2024. Credit: This lab is made by HackTheBox. Lab Scenario “You’ve been a SOC analyst for the last 4 years but you’ve been honing your incident response skills! It’s about time you bite the bullet and go for your dream job as an Incident Responder as that’s the path you’d like your career to follow. Currently you are going through the interview process for a medium size incident response internal team and the cocky interviewing responder has given you a tough technical cha...

lightkunyagami

CyberDefenders: Ramnit (Memory Forensic Analysis). Posted by lightkunyagami, June 10, 2024. It’s been a while since my last blog entry here. I’ve finally been able to catch up with life after returning from deployment. I would also like to take this opportunity to thank all the men and women I got to rub shoulders with, sacrificing their time to serve their country and their fellowmen. You know who you are; our shared memor...

Stephanie Honore at Paraben Corporation

Plainbit

DFIR collection tool for Linux - bitCollector. 이승형 (SeungHyeong Lee) and other authors, June 14, 2024, 14 min read. 1. The need for a new tool. In incident response, time is a critical factor. A rapid response minimizes the ripple effects of an incident and reduces potential damage. In this context, a collection tool has to gather a wide range of artifacts and logs. Existing commercial collection tools often made it hard to change or add collection paths to suit the user's needs. Open-source tools, for their part, require the user to understand and work with a separate configuration file format such as YAML, and because they are written in a particular programming language (Python, Go, etc.), they carry dependency problems across operating systems. These problems stand out most on legacy operating systems: many legacy systems do not support languages such as Python3 and Go. In addition, legacy systems that are still in operation today are often run in special, network-isolated environments...

The DFIR Report