There remains a lack of definition and a formal model from which to base threat hunting operations and quantifying the success of said operations from the beginning of a threat hunt engagement to the end that also allows analysis of analytic rigor and completeness. The formal practice of threat hunting seeks to uncover the presence of attacker tactics, techniques, and …

Frequently overlooked and understudied, this database is rarely fully exploited when doing incident response. Indeed, its correct interpretation is complex: a lot of special cases can occur that have to be taken into account when performing an analysis. However, the information collected by the AmCache is extremely useful and the lack of awareness about this artifact makes it very valuable, …

No two insider threat investigations are ever the same—but a standardized process can help them run more smoothly. When you need to prove whether intellectual property, trade secrets, or other sensitive data were exfiltrated, and whether it was done inadvertently, opportunistically, or maliciously, you need an efficient, repeatable workflow. Magnet’s new white paper describes three steps that can help you …

Over its last few releases, Apple’s iOS—the operating system running on iPhones, iPads, and other mobile devices—has steadily enhanced its offerings designed for both security and user convenience. Each sub-version of both iOS 10 and 11 added or changed small features that have drastically changed the forensic workflow. In this paper, we’ll describe how to: Access more evidentiary data with …

Maxim Suhanov has published his comments on NIST’s “Windows Registry Forensic Tool Specification”. You can find Public Draft 1 of Version 1.0 here.

Lateral movement techniques are widely used in sophisticated cyber-attacks in particular in Advanced Persistent Threats (APTs). The adversary uses these techniques to access other hosts from a compromised system and get access to sensitive resources, such as mailboxes, shared folders, or credentials. These can be used in turn for compromise of additional systems, privilege escalation, or stealing more valuable credentials. …

In a rapidly changing and uncertain world, consumers continue to demand secure devices that protect their data from prying hackers, data thieves, and even, in some cases, governments. Apple still leads the way, but Google’s latest round of security features ensure that even cheap, free smartphones can be encrypted. Download Taking Bytes Out of Android Nougat Forensic Analysis to learn more about: …

Jack Wesley Riley has published a white paper with an overview of tools and techniques used by CARBANAK. According to the paper, the toolsets CARBANAK deployed can be broken down into five basic functionalities: Ingress/Egress/Remote Access Lateral Movement Log Cleanup Credential Harvesting Internal Reconnaissance The correlations between the Linux environment tools and the Windows environment tools are shown below: You …

Rich Infante has published his work in progress on reversing iOS backups. The work contains information not only about old backups (up to iOS 9), but also about the new backup format (iOS 10 +), and may be useful for mobile forensics examiners and analysts.

ERNW has published an interesting white paper on the analysis of EXT4 file system in the context of an incident analysis, here is the abstract: “In incident analysis, especially in the field of postmortem file system analysis, the reconstruction of lost or deleted files plays an important role. The techniques that can be applied to this end strongly depend on …