- Forensics Analysis of Pagefile and Hibersys File in Physical Memory
Pagefile.sys:
Microsoft Windows uses a paging file, called
These files are very useful for digital investigation because
https://www.hackingarticles.in/forensics-analysis-of-pagefile-and-hibersys-file-in-physical-memory/
- How to extract forensic artifacts from pagefile.sys?
Microsoft Windows uses a paging file, called
This file, stored in
It is possible to read this file by parsing the raw file system, or extract it using tools like
Analysis with YARA rules
you may scan the
https://www.andreafortuna.org/2019/04/17/how-to-extract-forensic-artifacts-from-pagefile-sys/
- Finding malware on memory dumps using Volatility and Yara rules
a brief and simple workflow, useful for a first high-level analysis of memory dumps
During the first phase of a memory dump analysis, could be
The memory analysis with Volatility
Although all Volatility commands can help you find malware, there are a few
One of these is the “
https://www.andreafortuna.org/2018/07/16/finding-malware-on-memory-dumps-using-volatility-and-yara-rules/
- WHAT IS UNALLOCATED SPACE AND WHY DOES IT MATTER?
Just what is
For example,
https://insights.bit-x-bit.com/computerforensics/what-is-unallocated-space-and-why-does-it-matter/
- Splunk App for Stream for Enhanced Operational Intelligence from Wire Data
Custom Content Extraction Enables Efficient Real-Time Insights
Improved Security Posture
• Easily and selectively analyze web traffic for security risks
• Identify data exfiltration, including PII or exposed assets
• Prevent data loss, perform forensics and reduce troubleshooting time
Efficient Real-Time Business Analyses
• Real-time granular insights into key business indicators from web traffic
• Selective on-the-fly visibility into shopping carts, user interactions, etc.
Efficient IT Ops and Applications Visibility
• Monitor web services performance on-the-fly for quick troubleshooting and performance analysis
• Enable real-time custom protocol monitoring
https://www.slideshare.net/Splunk/splunk-app-for-stream-nyc-deck
- FOR500: Windows Forensic Analysis
FOR500.1: Windows Digital Forensics And Advanced Data Triage
Exercises
Install the Windows SIFT Workstation and get an orientation about its operations
Image a hard drive for evidence using a
Undertake advanced triage-based acquisition and imaging - rapid acquisition
Mount
Carve important files from free space
Recover critical user data from the
Recover chat sessions, web-based email, social networking, and private browsing
FOR500.2: Core Windows Forensics Part I: Windows Registry Forensics And Analysis
Exercises
Profile a computer system using evidence found in the Registry
Conduct a detailed profile of user activity using Registry evidence
Examine which programs a user recently executed by examining Registry-based
Determine which files a user recently opened via the
Examine recently opened Office 365 files and determine first/last open times
Find folders recently accessed by a user via the Open/Save keys in the Registry
FOR500.3: Core Windows Forensics Part II: USB Devices And Shell Items
Exercises
Track USB and BYOD devices that
Determine first and last connected times of USB devices that
Determine last removal time of USB devices that
Use Shortcut (LNK) file analysis to determine first/last times a file
Use
Use a jump list examination to determine when files
Unlock
FOR500.4: Core Windows Forensics Part III: Email, Key Additional Artifacts, and Event Logs
Exercises
Analyze message headers and gauge email authenticity using SPF and DKIM
Understand
Learn the latest on Unified Audit Logs in Office365
Search for
Understand key concepts like email object filtering, de-duplication, and message similarity
Use forensic software to recover deleted objects from email archives
Gain experience with a commercial email forensics and e-discovery tool
Perform data visualization and timeline analysis
Analyze document metadata present in email archives
Analyze the various versions of the Windows Recycle Bin
Analyze Windows
Use the System Resource Usage Monitor (SRUM) to answer questions never
Merge event logs and perform advanced filtering
Profile account usage and determine logon session length
Audit file and folder access
Identify evidence of time manipulation on a system
Supplement registry analysis with BYOD device auditing, including new Windows 10 events
Analyze historical records of wireless network associations and
FOR500.5: Core Windows Forensics Part IV: Web Browser Forensics for Firefox, Internet Explorer, and Chrome
Exercises
Track a suspect's activity in browser history and cache files and identify local file access
Analyze artifacts found within the Extensible Storage Engine (ESE) database format
Examine which files a suspect downloaded
Determine URLs that suspects typed, clicked on, bookmarked, or merely popped up while they were browsing
Parse automatic crash recovery files to reconstruct previous browser sessions
Leverage Google Analytics cookies to profile user behaviors
Learn
Identify anti-forensics activity and re-construct private browsing sessions
Investigate browser auto-complete data
FOR500.1: Windows Digital Forensics And Advanced Data Triage
Install the Windows SIFT Workstation
Image a hard drive for evidence using a
FOR500.2: Core Windows Forensics Part I: Windows Registry Forensics And Analysis
Registry Explorer
FOR500.5: Core Windows Forensics Part IV: Web Browser Forensics for Firefox, Internet Explorer, and Chrome
Tools Used
ESE
Hindsight
https://www.sans.org/course/windows-forensic-analysis
- Forensic Artifacts: evidences of program execution on Windows systems
Background Activity Moderator (BAM)
BAM is a Windows service that controls the activity of background applications
https://www.andreafortuna.org/2018/05/23/forensic-artifacts-evidences-of-program-execution-on-windows-systems/
- Personal data, also known as personal information,
personally identifying information (PII)
sensitive personal information (SPI)
any information relating to identifying a person
https://en.wikipedia.org/wiki/Personal_data