Digital Forensic Tools

Memory Analysis Using Volatility Framework To Identify Malware Activities In The Windows Systems

by Adalberto Batista da Silva, Enizaldo Severino da Silva Filho, Paulo Henrique Pereira, Regis Proença Picanço, Rodrigo Ferreira Marques 

This article presents the memory analysis of a case of a company attacked by ransomware, presenting the process enumeration combined with YARA rules for the identification of malware activities. The results found were: the process used by the ransomware, the execution of hidden processes in the system and the identification of the files created by the artifact.

Introducing FTK Central: Helping to transform digital forensics at West Midlands Police

by Jon Cook 

Forensics toolkits have come a long way in a relatively short period. At the turn of the millennium, we were still navigating the early days of Windows, where small computer hard drives of around 150 megabytes were the norm. Back then, law enforcement digital forensics was in its infancy. Forensic toolkits were used to support the recovery of deleted files, but a lot was still done manually and relied heavily on the knowledge of examiners.

How to Start in Digital Forensics

by Kharim.h Mchatta 

In this article, we discuss the forensics processes, mainly focusing on the forensics tools used under each process. This is going to equip the reader with knowledge of not only the available tools that forensics experts use but also an understanding of where in the forensics process the tools are being used. Most of the tools discussed in this article are focused mainly on computer forensics, but you will see different tools also mentioned in this article.

Reverse Engineering : Static Analysis Using Rabin2 & DnSpy

by Tahaa Farooq 

Reverse engineering is the analysis of a device or program to determine its function or structure, often with the intent of re-creating or modifying it. Malware analysis is the art of dissecting malware to understand how it works, how to identify it, and how to defeat or eliminate it. In this article Tahaa Farooq will be explaining and demonstrating how malware reverse engineering is done with one technique in play, namely: Static Analysis.

Memory Acquisition on Windows and Linux

by Ricardo Alves da Silva

Following the incident response lifecycle defined by NIST 800–61r2, the evidence collection and treatment process begins in the “Containment, Eradication, and Recovery” phase. This is a crucial phase, as it is necessary to measure the actual and potential impacts of a particular incident and, above all, to understand its root cause, so that it is possible to carry out the necessary containment effectively and definitively eradicate the environment. This article will discuss how to perform memory collection procedures in Windows and Linux operating systems.

Processing iOS Devices for Digital Forensics

by Amber Schroader 

The imaging process for most iOS devices is logical imaging. Physical imaging of these devices is only available once a device has gone through the Jailbreak process. That process will unlock the limitations of the file system from access, and standard forensic tools can then image the device physically. For this workflow, the logical process and evaluation will be reviewed with common issues that can cause pitfalls to get a proper logical image. In this article, you will read how to start with this matters.

SOCMINT WITH SHERLOCK

by Gabriel Sousa Carvalhaes 

Social Media Intelligence (SOCMINT) is a type of Open-Source Intelligence (OSINT) focused on finding publicly available information on social websites. In other words, SOCMINT techniques can track the data that travels through social media. Therefore, it is important to understand that one of the best ways to gather information on social media is to keep track of accounts, and it is possible to do that through searching of usernames.

Tracking Usernames Across the Internet with Maigret

by Amber SchroaderJeff Minakata 

Do you need to find different sites that use a particular username? I have the perfect tool for you to use. In situations such as this, one of the programs that I turn to is Maigret. A fork of the popular tool Sherlock, Maigret has proven to be a valuable time saver that has helped me on several occasions when performing OSINT searches (also very useful for pentesting). In this article, I will be detailing how to install Maigret onto a Linux (CSI Linux) system (Debian, Mint, Tracelabs Linux, Kali Linux, etc., will all install the same way) and also show an example of scanning a username along with verifying the results.

XProCheck: When Necessity is the Mother of Reinvention

by Israel Torres 

XProCheck is currently in its infancy and, in my opinion, headed in the right direction and really beating Apple to the punch, of where only the future may tell. It is a new tool named XProCheck that gets better with each version and is being actively worked on, and rapidly. The awesome part about this tool is that it encapsulates another tool named Apple XProtect Remediator (formerly XProtect) that is embedded in the macOS system and pretty much undocumented by most standards to the public. You learn what XProCheck is and how it benefits a macOS user forensically to identify malware activity on their local systems.

Catching Phish with Splunk Stream

by Thomas Mitchell

This article provides an overview of what is required to deploy, configure, and manage Splunk Stream in a distributed environment. A deployment can consist of many Splunk Universal Forwarders running on endpoints throughout the environment. When the first Splunk Stream Technology Add-On (TA) is first installed from the central deployment server, the SS configuration is pulled from the central Splunk Stream server. You can run two Splunk roles on the same host - Deployment Server and Splunk Stream Server. Splunk Stream enables the capture, filtering, indexing, and analysis of streams of network event data.