In this post BlackBag Training Team explains how to collect information about external USB attached storage devices from a Windows 7 system. You will learn how to determine the volume name, the mount point, and when the device was first connected.
Cyber Crimes are increasing day by day, ranging from confidentiality violation to identity theft and much more. The web activity of the suspect, whether carried out on computer or smart device, is hence of particular interest to the forensics investigator. Browser forensics i.e forensics of suspectâs browser history, saved passwords, cache, recent tabs opened etc. , therefore supply ample amount …
In this video Joshua I. James from Cybercrime Technologies will show you how to use a hash database with your favorite open source digital forensic tool – Autopsy 4. Hash databases can be used to quickly find known-bad or known-good files during an investigations. They can also be used to filter uninteresting files out of the case view.
Byte Atlas has published an interesting post on how to create and configure Windows 7 x64 virtual machine in VitrualBox for malware analysis. This is step by step guide, so you can create the same VM yourself.
In this post Michael Haag describes utilizing Sysmon to perform threat hunting. You will learn how to setup the tools you need, in Michael’s case – Sysmon and Splunk, but you can use other logging platforms as well, for example, Graylog or ELK. After the author describes the process of hunting in Splunk.
BlackBag Training Team has published a fresh post. This time they are speaking about Windows Volume Shadow Copies. You will learn about the difference between Volume Shadow Copies and System Restore Points, how Volume Shadow Copy Service works and how to use these copies in your Windows forensic examinations.
Stephanie Archibald from Cylance has written an article about the execution of multi-stage payloads on Mac OS X (up to Sierra). According to the author, “a common technique for executing multi-stage payloads is to have an initial payload that can then load executables, libraries, or bundles from memory instead of a computerâs hard disk”. You will learn what dyld is, how to …
Matt Aubert from Cisco has published an interesting post about malware analysis. He has chosen incident responders as the target audience and describes both static property and interactive behavior analysis using pestudio, Process Monitor, Wireshark, INetSim, ProcDOT, Windows 7 Service Pack 0 32-bit and REMnux.
Black Bag Training Team continues Windows Forensic Essentials Blog Series with a post about forensic examination of Windows Event Logs. They explain what event logs are, how to parse it with their tool – BlackLightÂź, discuss log-on events and changing the date and time.
If you want to improve your Mac forensics skills, here is a very interesting and useful article by Jonathon Poling. It’s entitled “Mac Dumpster Diving â Identifying Deleted File References in the Trash (.DS_Store) Files” and will teach you how to identify deleted files references using .DS_Store. In the article Jonathon uses, among others, Sebastian Neef”s .DS_Store parser, so don’t forget to …
Login
