Henrik Johansen has published a post about how to automate memory forensics process as much as possible. He starts from the acquisition, continues with parsing and analysis of a memory dump, and finishes with scaling. Check the post at his Medium.
Yogesh Khatri has started his journey in Apple File System reverse engineering. He has checked APFS documentation and found out that the new timestamp has a nano second resolution, also it is the Unix epoch. Check the post here.
This guide is a supplement to SANS FOR518: Mac Forensic Analysis and SANS FOR585: Advanced Smartphone Forensics, and enhances concepts covered in other courses. It covers some of the core methods to extracting data from SQLite databases. Definitions, sample queries, and SQLite terminology will help you conduct manual extractions from databases of interest found on Macs, Smartphones, and PCs.
Timothy Opsitnick, Joseph Anguilano and Trevor Tucker have published an article titled “Using Computer Forensics to Investigate Employee Data Theft”. In the article they write about six main sources of digital evidence: USB activity Files recently opened Cloud storage usage Files sent to personal email accounts Internet activity Recently printed documents
Recently, the FortiGuard Labs research team observed that a new variant of Poison Ivy was being spread through a compromised PowerPoint file. In this post, Xiaopeng Zhang explains how the Poison Ivy is downloaded and launched, what techniques are used by this malware, and what it does to the victimâs computer.
During a recent investigation, CrowdStrike Services team identified an adversary attack method, used for lateral movement and persistence. The attack leveraged customized forms â not macros â in Microsoft Outlook that allowed Visual Basic code to execute on a system just by opening or previewing an email message. Read more about it in this blog post.
Cindy Murthy has published a post about her recent case where she and her team transplanted a chip from a damaged mobile phone to a similar model and then perform a physical acquisition.
Andrea Fortuna has posted a very useful article about the most common malware persistence techniques. You will learn about the most common registry keys used by malware (very long and nice list), DLL search order hijacking, shortcut hijacking, bootkits and COM hijacking.
In this blog post Arman Gungor discusses the problem of cloud emails native file format. He gives the definition for “native file format” term, overviews it in the cloud domain, and gives some nice examples, including Gmail, Hosted Exchange/Office 365 and IMAP.
Ahmed Hashad from 701 Labs has published a brief guide on using JTAG acquisition in mobile forensics. In the blog post he presents an overview of the method, gives some tips on when you should use it, and discusses its advantages and disadvantages.
Login
