forensics – Page 11 – WindowsTechs.com

Identifying the method which an attacker used to harvest important account credentials, while the security logs are deleted

Posted on August 21, 2021 by oolnux

Is there a way to spot the method which an attacker used to do all of the necessary credential dumping, or stealing/forging tickets/using pass-the-hash/ticket techniques, if we don’t have access to the DC security log files, but only from … Continue reading Identifying the method which an attacker used to harvest important account credentials, while the security logs are deleted→

Can voice analysis be used to determine if voice samples converted in two different ways are from the same person?

Posted on August 13, 2021 by desertpureolive

Suppose we have two voice samples, A and B, which are converted from the same person’s voice into different voices respectively by a voice changer. In addition, let us assume that the voice conversion causes severe loss of the original voi… Continue reading Can voice analysis be used to determine if voice samples converted in two different ways are from the same person?→

Dump all ntfs metadata and unallocated space

Posted on August 3, 2021 by 89nkeenZ

I have a large drive and I only want to save unallocated space and metadata. blkls can copy unallocated space and ntfsclone can copy metadata but it omits timestamps and some other data. Is there another program that I can use to accomplis… Continue reading Dump all ntfs metadata and unallocated space→

How to detect crypto mining malware [closed]

Posted on July 24, 2021 by R1W

For forensics purposes, I am looking to find suspicious scripts or patterns that could give me clues to find crypto-mining malware on a Linux server.
I have a copy of suspicious data but it is not possible to run the virtual machine in the… Continue reading How to detect crypto mining malware [closed]→

How do I get a forensic copy of an EC2 server?

Posted on July 13, 2021 by cyberf0rensicsx

Is there a point-and-click way to generate a forensic image of an EC2 system, rather than having to ssh on and dd?

Continue reading How do I get a forensic copy of an EC2 server?→

Memory dump analysis [closed]

Posted on July 7, 2021 by Naomh

I have received a file called memory.dump (1GB) which is a dump file format that I’ve never come across.
I usually use volatility and for most cases. It worked just fine for FDA but in this case, it just doesn’t do anything and just this ‘… Continue reading Memory dump analysis [closed]→

Comparative soil analysis could drastically reduce crime search areas

Posted on July 6, 2021 by Ben Coxworth

We’ve all seen episodes of CSI where the distinctive dirt on a suspect’s shoes or car is only found in one specific location. While that scenario is a bit far-fetched, new research shows that forensic soil analysis could be used to eliminate large geog… Continue reading Comparative soil analysis could drastically reduce crime search areas→

Windows Event Viewer: can’t find user-started programs

Posted on July 6, 2021 by Néstor Llop

My problem is as simple as it may look from the beginning. I want to see what programs have been initialized by using the Windows Event Viewer, but the log everybody tells me to use (Security logs, using Event ID 4688) only shows me inform… Continue reading Windows Event Viewer: can’t find user-started programs→

Create memory image of infected machine without risk

Posted on July 2, 2021 by Rémy Legrand

I am pretty new in the security world and I am writing a procedure on how to create a memory image of an infected machine for forensics.
The problem is that the machine does not have the tools for memory imaging before getting infecting.
W… Continue reading Create memory image of infected machine without risk→

Risks of Evidentiary Software

Posted on June 29, 2021 by Bruce Schneier

Over at Lawfare, Susan Landau has an excellent essay on the risks posed by software used to collect evidence (a Breathalyzer is probably the most obvious example).

Bugs and vulnerabilities can lead to inaccurate evidence, but the proprietary nature of software makes it hard for defendants to examine it.

The software engineers proposed a three-part test. First, the court should have access to the “Known Error Log,” which should be part of any professionally developed software project. Next the court should consider whether the evidence being presented could be materially affected by a software error. Ladkin and his co-authors noted that a chain of emails back and forth are unlikely to have such an error, but the …

Continue reading Risks of Evidentiary Software→