Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix’s Security Intelligence and Response Team (SIRT). Diffy allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions. Diffy is currently focused on Linux instances running within Amazon Web Services (AWS), but owing to our plugin …
After yesterday’s webcast Matt Bromiley released his Office365 Log Analysis Framework or OLAF to the public. You can learn more about the framework and download it here. Also, make sure you have checked this webcast.
LiMEaide is a python application designed to remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host. This will simplify Linux digital forensics in a remote environment. In order to use LiMEaide all you need to do is feed a remote Linux client IP address, sit back, and consume your favorite …
Memtriage allows you to quickly query a live Windows machine for RAM artifacts. This tool utilizes the Winpmem drivers to access physical memory, and Volatility for analysis. Learn more about it here.
afro can parse APFS images. It not only extracts the latest data but also older versions of the files. Learn more about the tool here.
Epochalypse utility by Pasquale Stirparo has been updated. Now it supports APFS timestamps. You can download this Python script at Pasquale’s GitHub.
Darwin-Collector.sh is a script designed to be run against a mounted image, live system, or device in target disk mode. The script automates the collection of key files for MacOS investigations. You can learn more about the tool and download it here.
This project helps a forensics analyst explore offline Docker filesystems. Docker uses layered backend filesystems like AuFS or OverlayFS. Each layer is actually stored on the host’s filesystem as multiple folders, and some JSON files are used by Docker to know what is what.
New versions of most popular open source DFIR tools, Autopsy and TSK, have been released. Here are the lists of new features: Autopsy A graph visualization was added to the Communications tool to make it easier to find messages and relationships. A new “Application” content viewer (lower right) that will contain file-type specific viewers (to reduce number of tabs). New …
If you are doing macOS memory forensics often enough, we have great news for you – 44 new OS X profiles have been just added to Volatility. You can find all of them at GitHub.
Login
