Blog Posts Tagged with "Forensics"


How Can you Expose Targeted Attacks and Combat APTs?

October 10, 2013 Added by: Michelle Drolet

Cybercriminals are employing more sophisticated techniques all the time and far too many companies and organizations still don’t have the protection they really need to safeguard their systems. The prevalence of targeted attacks and advanced persistent threats (APTs) is disturbing.

Comments (0)


Malware Forensics Field Guide for Windows Systems: Digital Forensics

January 22, 2013 Added by: Ben Rothke

The book is not meant as an introductory text, rather as a reference for experienced professionals. For such a reader, they will likely find the Malware Forensics Field Guide for Windows Systems to be an invaluable reference...

Comments (0)


Mobile Devices get means for Tamper-Evident Forensic Auditing

December 13, 2012 Added by: Michelle Drolet

In order to detect security breaches and guarantee compliance, tamper “proofing” has not been sufficient. When it comes time for a forensic audit, the ability to detect unauthorized changes to digital files becomes invaluable in an investigation...

Comments (0)


Windows 8 Forensics: USB Activity

December 03, 2012 Added by: Dan Dieterle

When I started working on Windows 8 USB drive forensics, I assumed it would be similar to Windows 7. I created a fresh Windows 8 VM and plugged a thumb drive into my local system. The VM recognized it as it should. I shut the VM down and opened it in EnCase to examine what happened...

Comments (0)


Windows 8 Forensics: Recycle Bin

November 27, 2012 Added by: Dan Dieterle

The purpose of this project is to determine key differences between the Windows 7 and Windows 8 operating system from a forensic standpoint in order to determine if there are any significant changes that will be either beneficial or detrimental to the forensic investigation process...

Comments (0)


Digital Forensics for Handheld Devices

November 05, 2012 Added by: Ben Rothke

An iPhone 5 with 64 GB of storage and the Apple A6 system-on-a-chip processor has more raw computing power than entire data centers had some years ago. With billions of handheld devices in use, it is imperative that forensics investigators know how to ensure that the data in them can be preserved...

Comments (0)


Investigating In-Memory Network Data with Volatility

September 25, 2012 Added by: Andrew Case

This post will discuss Volatility’s new Linux features for recovering network information including enumerating sockets, network connections, and packet contents, and will discuss each plugin along with implementation, how to use it, output, and which forensics scenarios apply...

Comments (0)


Analyzing Desktops, Heaps, and Ransomware with Volatility

September 24, 2012 Added by: Michael Ligh

This post discusses the undocumented Windows kernel data structures for desktop objects and desktop heaps. You'll see how to use memory forensics to detect recent malware including the ACCDFISA ransomware and Tigger variants...

Comments (0)


Windows 8 Forensics: Reset and Refresh Artifacts

September 24, 2012 Added by: Dan Dieterle

Everything about the machine pre-refresh can be recovered, and is placed into a folder named windows.old. Information in regards to the migration process, old vs. new mappings, and the date and time of the refresh can be found in the $SysReset folder and the specific log...

Comments (0)


Analyzing Jynx and LD_PRELOAD Based Rootkits

September 23, 2012 Added by: Andrew Case

In order to have samples to test against, I used the sample provided by SecondLook on their Linux memory images page, and I also loaded the Jynx2 rootkit against a running netcat process in my Debian virtual machine that was running the 2.6.32-5-686 32-bit kernel...

Comments (0)


Detecting Window Stations and Clipboard Monitoring Malware with Volatility

September 19, 2012 Added by: Michael Ligh

Explore undocumented Windows kernel data structures related to window station objects and the clipboard. Detect clipboard-snooping malware using Volatility - an advanced memory forensics framework...

Comments (0)


Analyzing the KBeast Rootkit and Detecting Hidden Modules with Volatility

September 18, 2012 Added by: Andrew Case

KBeast is a rootkit that loads as a kernel module. It also has a userland component that provides remote access. This backdoor is hidden from other userland applications by the kernel module. KBeast also hides files, directories, and processes that start with a user-defined prefix...

Comments (0)


Recovering Login Sessions, Loaded Drivers, and Command History with Volatility

September 18, 2012 Added by: Michael Ligh

Learn about the undocumented Windows kernel data structures related to RDP logon sessions, alternate process listings, and loaded drivers. See how Volatility can help you forensically reconstruct attacker command histories and full input/output console buffers...

Comments (0)


Analyzing the Average Coder Rootkit, Bash History, and Elevated Processes with Volatility

September 16, 2012 Added by: Andrew Case

This post showcases some of Volatility’s new Linux features by analyzing a popular Linux kernel rootkit named “Average Coder” and includes recovering .bash_history, finding userland processes elevated to root, and discovering overwritten file operation structure pointers...

Comments (0)


Network Forensics - Tracking Hackers Through Cyberspace

September 04, 2012 Added by: Jayson Wylie

I highly recommend this book for seasoned network security professionals and those responsible for forensics to help set a foundation of proper approach, reporting and evidence collection for identifying an incident and being able to show proof and record...

Comments (0)


Recovering tmpfs from Linux and Android Memory Captures with Volatility

August 14, 2012 Added by: Andrew Case

Tmpfs is interesting from a forensics perspective for a few reasons. The first is that, in a traditional forensics scenario, the investigator expects that he can shut a computer off, image its disk(s), and get back the filesystem as it was at the time the computer was running. With tmpfs, this is obviously not true...

Comments (3)
