Channel: System Forensics » Forensic Artifacts | System Forensics
Browsing latest articles
Browse All 14 View Live


The Sleuth Kit Part 3 – fls, mactime and icat

So here we are with Part 3 - fls. After receiving some feedback I have decided to use images that you all can download and follow along with. So, for this example we will use an image from Digital...


Zeus v2 Malware Analysis – Part I

So I’m new to this whole malware thing, but it’s pretty damn fun. I’ve been reading more and more about it over the past couple of months. In either case I want to learn more about malware analysis (in...


The Sleuth Kit Part 4 – TSK and netcat

So here we are with Part 4 of The Sleuth Kit (TSK) series of posts I am doing. I hope you have learned something so far, as I know I have. This one will be a bit shorter, but it might come in handy for...


The Sleuth Kit Part 5 – Recover files with tsk_recover and icat

Welcome to Part 5. Here I will quickly go over recovering some files with tsk_recover and icat. So let’s get started. I first needed a “clean” image to work with. I figured that reusing an old USB...


Zeus v2 Malware Analysis – Part II

Welcome back for Part II. I am going to be taking a look at memory forensics by way of Volatility. Memory Forensics: Let’s kick this section off by running the Volatility command “imageinfo”. The...


Jump List AppId lookup via Python

So I published a blog post about how I wanted to learn Python a while back. It was more of a rant/I need/want to do something. Don’t bother going back and reading it. In a nutshell, “I figured the best...


Do not fumble the lateral movement

I posted a blog post about Windows Processes and how knowing what’s “normal” can be used to spot malicious processes. You can find the post here:...


Parsing Landesk Registry Entries FTW

I was on a case the other day and I could see the malware dropped and At jobs created (typical); then I went to work on parsing the job files and noticed two of them were pointing to what appeared to be...


Automating Data Reduction via Whitelists

In a previous post (Build your own NSRL Server) I showed people how to get an NSRL server set up so they could filter out whitelisted hashes from md5deep output. I found that I didn’t like that method...


Forensics in the Amazon Cloud – EC2

Businesses of all sizes seem to be moving at least some operations to the cloud. It’s only a matter of time before you get a phone call asking you to conduct some kind of cloud forensics and/or...
