If you don’t know what to do on a Sunday evening, there is a bunch of nice digital forensics and incident response challenges for you. CyDefe Labs have prepared memory forensics, incident response and some other challenges, find them here.
Starting with Autopsy 4.5.0, you can now determine when a file or phone number (or other artifact) was seen in a previous case. You can also be alerted when an artifact was found that was previously marked as âbadâ. These features are possible because of new infrastructure called the Central Repository. In this blog, weâll talk about enabling the Central …
Sysinternals Autoruns is a great utility for defenders to discover and disable malware and adversaries’ persistence points. There are similar programs, but as the author of Autoruns says: “(Autoruns) has the most comprehensive knowledge of auto-starting locations “, therefore the focus here is on Autoruns. In the last weeks couple of security researches (Kyle – @KyleHanslovan, Chris – @ChrisBisnett, HASHEREZADE @hasherezade) have discovered that it’s …
A JA3 hash represents the fingerprint of an SSL/TLS client application as detected via a network sensor or device, such as Bro or Suricata. This allows for simple and effective detection of client applications such as Chrome running on OSX (JA3=94c485bca29d5392be53f2b8cf7f4304) or the Dyre malware family running on Windows (JA3=b386946a5a44d1ddcc843bc75336dfce) or Metasploitâs Meterpreter running on Linux (JA3=5d65ea3fb1d4aa7d826733d2f2cbbb1d). JA3 allows analysts …
Alex Maestretti has published an interesting post about userland memory acquisition and targeted analysis of memory at process granularity. You can find the post titled “Memory Forensics in Clouds and Containers” at his LinkedIn.
Henrik Johansen has published a post about how to automate memory forensics process as much as possible. He starts from the acquisition, continues with parsing and analysis of a memory dump, and finishes with scaling. Check the post at his Medium.
Yogesh Khatri has started his journey in Apple File System reverse engineering. He has checked APFS documentation and found out that the new timestamp has a nano second resolution, also it is the Unix epoch. Check the post here.
This guide is a supplement to SANS FOR518: Mac Forensic Analysis and SANS FOR585: Advanced Smartphone Forensics, and enhances concepts covered in other courses. It covers some of the core methods to extracting data from SQLite databases. Definitions, sample queries, and SQLite terminology will help you conduct manual extractions from databases of interest found on Macs, Smartphones, and PCs.
Timothy Opsitnick, Joseph Anguilano and Trevor Tucker have published an article titled “Using Computer Forensics to Investigate Employee Data Theft”. In the article they write about six main sources of digital evidence: USB activity Files recently opened Cloud storage usage Files sent to personal email accounts Internet activity Recently printed documents
Recently, the FortiGuard Labs research team observed that a new variant of Poison Ivy was being spread through a compromised PowerPoint file. In this post, Xiaopeng Zhang explains how the Poison Ivy is downloaded and launched, what techniques are used by this malware, and what it does to the victimâs computer.
Login
