One of our favorite forensicators – David Cowen, – has published a very interesting post in Hacking Exposed Computer Forensics blog. In the post he notes, that now Windows on its own and without user request is removing unused device entries from the registry on a regular basis driven by Task Scheduler. These artifacts might be extremely useful for your cases, …
Brenton Morris has published an interesting blog post about using r2pipe for automatic malware unpacking. In the post he creates a Python script and uses it to unpack notorious Locky. This is another good example why we all should learn Python.
Preston Miller has published a cheat-sheet on tracking web-account activity. According to the post, “these can alert the user to suspicious activity and provide the investigator a built-in audit log to review”.
Here is a nice cheat sheet by Forensic Proof, showing USB device tracking artifacts on Linux and Mac OS X:
In this blog post guys from NVISO Labs answer Harlan Carvey’s question: “Did you parse the LNK file for things such as embedded MAC address, NetBIOS system name, any SID, and volume serial number?”, – he asked under their previous post.
Usama Salama has published an article about Internet of Things (IoT) forensics. According to the author, sources of evidence on IoT can be categorized into three groups: All evidence collected from smart devices and sensors; All evidence collected from hardware and software that provide a communication between smart devices and the external world (e.g., computers, mobile, IPS, IDS and firewalls), which …
Howard Oakley at The Eclectic Light Company has answered a simple question – how long does macOS Sierra retain entries in its new log? But the answer isnât as simple as the question, you can find it here.
Travis Smith has published a post about fileless malware on The State of Security. He notes that this type of malware isn’t really fileless. According to the author, the malware from Ars Technica article created a service for persistence. The following registry keys were written to: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp It means that the malware was not actually fileless. Learn more about this fact in the …
Sarah Edwards has published a blog post about iOS ADDataStore.sqlite. This database is located at /private/var/mobile/Library/AggregateDictionary/ and contains some interesting information about the device’s passcode (and more). Learn more about this artifact at Sarah’s blog.
James Habben has published a post about CCM_RecentlyUsedApps – valuable execution artifacts, especially if Windows Prefetch is disabled for one reason or another. You will learn about both the data source and tools for parsing these artifacts.
Login
