In this blog post guys from NVISO Labs answer Harlan Carvey’s question: “Did you parse the LNK file for things such as embedded MAC address, NetBIOS system name, any SID, and volume serial number?”, – he asked under their previous post.
Usama Salama has published an article about Internet of Things (IoT) forensics. According to the author, sources of evidence on IoT can be categorized into three groups: All evidence collected from smart devices and sensors; All evidence collected from hardware and software that provide a communication between smart devices and the external world (e.g., computers, mobile, IPS, IDS and firewalls), which …
Howard Oakley at The Eclectic Light Company has answered a simple question – how long does macOS Sierra retain entries in its new log? But the answer isnât as simple as the question, you can find it here.
Travis Smith has published a post about fileless malware on The State of Security. He notes that this type of malware isn’t really fileless. According to the author, the malware from Ars Technica article created a service for persistence. The following registry keys were written to: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp It means that the malware was not actually fileless. Learn more about this fact in the …
Sarah Edwards has published a blog post about iOS ADDataStore.sqlite. This database is located at /private/var/mobile/Library/AggregateDictionary/ and contains some interesting information about the device’s passcode (and more). Learn more about this artifact at Sarah’s blog.
James Habben has published a post about CCM_RecentlyUsedApps – valuable execution artifacts, especially if Windows Prefetch is disabled for one reason or another. You will learn about both the data source and tools for parsing these artifacts.
Jesse Kornblum has published a short post about using SHA-3 for forensics. The author notes that there are four variants, SHA-3-224, SHA-3-256, SHA-3-384, and SHA-3-512. To decide which variant should be used by default in “sha3deep”, he asks his readers to suggest it. So feel free to comment, tweet or send him an email.
Here is a paper by Aron Warren from SANS Institute Reading Room site about Tor browser artifacts in Windows 10. The Tor network is a popular, encrypted, worldwide, anonymizing virtual network in existence since 2002 and is used by all facets of society such as privacy advocates, journalists, governments, and criminals. This paper will provide a forensic analysis of the Tor Browser …
James Fritz has published the Beginnerâs Guide to Open Source Incident Response Tools and Resources. He starts from the overview of the three A’s of IR – ammunition, attribution and awareness. Then he continues with the OODA (Observe, Orient, Decide, and Act) loop and open source tools you need in each stage of it (ammunition), tools for identifying ownership on the …
Alexandre Dulaunoy has written an article on how to to use SquashFS as an evidence container. In the article he discusses interesting forensic properties of SquashFS and shows how to use it in practical forensics.
Login
