Yogesh Khatri has recently posted about forensicating Notes database on macOS. He shows locations of coresponding databases depending on OS version, presents SQL queries to parse the data, and notes that his tool, mac_apt, can parse it automatically.
Sergey Golovanov from Kaspersky Lab has announced a new EVTX parser. One of its great features is different operating systems support, so it doesn’t matter if you use a Windows workstation, a MacBook or a Linux WS – all of them are supported. If you’ve decided to give it a try – go straight to GitHub.
From AccessData website: “Starting February 1, 2018, AccessData will begin charging an administrative fee of $100 for taking the ACE certification tests through the testing system. Costs associated with offering and administering the testing system continues to rise. While we regret having to implement this fee, this is in line with other companies in the field who also charge a …
In this post Harlan Carvey has presented his views on incident response tools. In the post you’ll find both “classics” like RegRipper and Yara, and some freshies like vss_carver and YARP.
A few days ago Dan Gunter has published a post about his tool capable of parsing logs from the Bro Intrusion Detection System. You can easily install ParseBroLogs via pip: pip install parsebrologs If you are interested in the source code – go straight to his GitHub.
Minoru Kobayashi has presented a tool for carving and recreating deleted VSS at at Japan Security Analyst Conference 2018. The script is already available for downloading at his GitHub.
Invoke-LiveResponse is a module for Live Response and Forensic collections over WinRM written by Matthew Green. You can learn more about it reading this LinkedIn post.
Sergey Golovanov and Igor Soumenkov have prepared a New Year present for DFIR community: they have presented their script for APT hunting across the enterprise. They use this script to collect logs, NTFS data, entries from the Windows registry and strings from the binary files to find out how exactly the attackers are moving through the network. You can learn more …
page_brute.py is a digital forensic tool purposed to analyze and categorize individual paged memory frames from Windows Page Files by appying YARA-based signatures to fix-sized blocks of pagefile.sys. This tool can be used to: Disambiguate evidence within pagefile.sys by logically grouping blocks/pages into categories based on YARA rulesets of forensic artifacts that follow a pattern/convention. Identify page files that contain remanants …
Sarah Edwards has released the new version of Mac MRU Parser – 1.5. Now the script can gather info from the following sources: Sidebar List plist [10.12-] – /Users/<username>/Library/Preferences/com.apple.sidebarlists.plist Favorite Volumes SFL2 – [10.13+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2 Finder Plist – /Users/<username>/Library/Preferences/com.apple.finder.plist Learn more about the release here.
Login
