Collaborate Disseminate
For forensics purposes, I am looking to find suspicious scripts or patterns that could give me clues to find crypto-mining malware on a Linux server.
I have a copy of suspicious data but it is not possible to run the virtual machine in the… Continue reading How to detect crypto mining malware [closed]
Is there a point-and-click way to generate a forensic image of an EC2 system, rather than having to ssh on and dd?
Continue reading How do I get a forensic copy of an EC2 server?
I have received a file called memory.dump (1GB) which is a dump file format that I’ve never come across.
I usually use volatility and for most cases. It worked just fine for FDA but in this case, it just doesn’t do anything and just this ‘… Continue reading Memory dump analysis [closed]
We’ve all seen episodes of CSI where the distinctive dirt on a suspect’s shoes or car is only found in one specific location. While that scenario is a bit far-fetched, new research shows that forensic soil analysis could be used to eliminate large geog… Continue reading Comparative soil analysis could drastically reduce crime search areas
My problem is as simple as it may look from the beginning. I want to see what programs have been initialized by using the Windows Event Viewer, but the log everybody tells me to use (Security logs, using Event ID 4688) only shows me inform… Continue reading Windows Event Viewer: can’t find user-started programs
I am pretty new in the security world and I am writing a procedure on how to create a memory image of an infected machine for forensics.
The problem is that the machine does not have the tools for memory imaging before getting infecting.
W… Continue reading Create memory image of infected machine without risk
Over at Lawfare, Susan Landau has an excellent essay on the risks posed by software used to collect evidence (a Breathalyzer is probably the most obvious example).
Bugs and vulnerabilities can lead to inaccurate evidence, but the proprietary nature of software makes it hard for defendants to examine it.
The software engineers proposed a three-part test. First, the court should have access to the “Known Error Log,” which should be part of any professionally developed software project. Next the court should consider whether the evidence being presented could be materially affected by a software error. Ladkin and his co-authors noted that a chain of emails back and forth are unlikely to have such an error, but the …
I am new to memory forensics. When a process in Windows is ended are all artifacts for the process in memory gone? I ask because my EDR solution gives me the local process ID of a process I am trying to look at. I obtain a full memory a… Continue reading Memory Forensics on exited process
I am making a series of python scripts for data overwriting. My current prototype creates a series of large files and simply fills the memory (using a different system for additional overwrites). Is there an advantage to overwriting the en… Continue reading File based background data eraser
Are memory forensic tools useful for attack detection? Usually they are applied after an attack has happened. You could always constantly scan a machine but this requires lots of resources and depending on how often you scan leaves a windo… Continue reading How useful are memory forensic tools for detecting active attacks (considering current devices)