Smartphones and tablets are widely used in everyday life and in various technological processes. For this reason, they often become a part of forensics investigations in informational security cases. This article analyzes the efficiency of the forensic suits used to study such devices. Introduction There are three main problems in the mobile forensics: The first one – mobile devices data …
The checkm8 exploit for iOS devices emerged in September 2019. It opened new doors for digital forensics researchers and investigators, who are always looking to extract and analyze data from devices. Can I extract data from a blocked or damaged iPhone? Can I find the PIN code of a blocked device? You will find the answers to these questions and …
David Cowen’s Sunday Funday is back, so why not to take part in this fun? Last Sunday’s challenge was to look at Microsoft Teams from a forensic or DFIR perspective, so here we go. The first question, where are the artifacts? It looks like the artifacts are located under C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Teams: A folder with Microsoft Teams data So, we can see …
For some reason, there are not so many posts on forensic examination of hosts infected with different malware families. We decided to change this tendency and start a new series – Forensic Walkthrough. Today’s guest is QBot (QakBot). It was first discovered in 2009 and mainly targeted browsing data related to banking websites. Its worm-like capabilities allow it to spread …
Forensicating one of compromised hosts during our recent incident response activities we have found some interesting artifacts in SQM data. Let’s start from what SQM is. First of all, it’s an acronym for Software Quality Metrics. It used to be named Service Quality Monitoring and became an operating system component since Windows Vista. It is used to collect and send …
Ransomware is still one of the most common types of malware deployed during cyberattacks. Some hackers use it to extort ransom from their victims, while others — the more sophisticated ones — use it to cover their traces in the networks they compromise for very different purposes. Although in most cases such attacks are relatively straightforward, even big companies regularly …
Igor Mikhailov is a digital forensic analyst of the digital forensic laboratory at Group-IB and the picture below shows how one of his business cards looked like. These are hardware keys of forensic tools that the digital forensic analyst used conducting forensic examinations. The cost only of these products exceeds tens of thousands of dollars and there are other free …
Researchers became aware of the activities of the RTM group in December 2015. Since then, phishing emails distributing the trojan have been sent to potential victims with admirable persistence. From September to December 2018 the RTM group sent out more than 11,000 malicious emails. The cybercriminals, however, are not going to stop there, as evidenced by the new malicious campaigns …
As was promised, we continue our Using MITRE ATT&CK for Forensics series. This time we are going to discuss another persistence mechanism that isn’t so common in-the-wild. It’s Image File Execution Options (or IFEO) injection, persistence technique with ID T1183. So, what are IFEO? These options enable a developer to attach a debugger to an application. What is more, IFEO …
First of all, I would like to thank all of those who liked and retweeted the previous article from this series, BITS Jobs (T1197). I’m planning to continue working on this series and publish a post a week. This week I’m going to write about a persistence mechanism that became quite popular recently – WMI Event Subscription (T1084). I think …
Login
