Category: Host Forensics

2016/10/25

The Importance of Dual Tool Verification

Those of us working in the Digital Forensics and Incident Response realm rely on tools to harvest data for analysis, not to mention to perform the actual analysis. Let’s be honest: without tools, we would have a dickens of a time doing our jobs. Unfortunately, this has led to examiners having an inherently high level[…]

2016/10/10

Most Recent Used (MRU) Peek-A-Book

In this post, we will cover some cool ways to review the Most Recent Used (MRU) keys from the Windows registry. The goal of the article is to show how these keys can be useful, explain how to review them using RegRipper, and provide a means to review these keys directly from a memory image[…]

2016/07/12

Time for an Autopsy!

Autopsy Introduction Greetings! Destruct_Icon here with a look into a forensics tool named Autopsy. Autopsy is a GUI into a suite of tools known as The Sleuth Kit and can be found here. In this article, we want to introduce you to the interface itself as well as describe some of the capabilities. First off, we have a[…]

2015/04/07

IOC: Indicators and Artifacts

by Destruct_Icon
Categories: Analysis, Host Forensics

When building an IOC, or indicator of compromise, there are a few questions you should ask yourself. What exactly am I looking for? How specific do I have to be? How will this help me in the future? Now if you have been a frequent visitor of MalWerewolf, you may have[…]

2015/02/03

A Peek Into The Windows 10 Registry and File System

by DFIRninja
Categories: Analysis, Host Forensics, News

Here is a little peek into the Windows 10 Registry and Filesystem utilizing the Windows 10 Pro Technical Preview. The Technical Preview can be downloaded from the following link: http://windows.microsoft.com/en-gb/windows/preview-iso Windows 10 so far seems to be a split between Windows 7 and Windows 8. Microsoft went back[…]

2015/01/21

Bit-Level Forensics: Partitions and VBRs

by DFIRninja
Categories: Analysis, Host Forensics

Partitioning is an important part of hard drives. Partitioning is the dividing of the hard disk into multiple sections. The primary partition is used by the OS, and then you can also have extended partitions. There are 16 bytes that make up a partition entry, and they are made up of a combination[…]

2014/12/09

IOCs; How to Create, Manage, and Understand -The Manifesto-

by InterDimensional_Shambler
Categories: Analysis, Host Forensics, Network Forensics

[OpenIOC Background] What is it, and how does it pertain to IOCs? OpenIOC is a framework developed by Mandiant to take CUSTOM Indicators of Compromise and put them into an extensible XML schema for the purpose of scanning host(s). This type of approach is a[…]

2014/11/24

MACtime Forensics

Timestamps are a critical part of forensics. It takes a skilled forensicator to examine all pertinent data available to them in order to find key evidence and provide an accurate timeline of events. The timestamps we will be discussing are the MACB timestamps. M – Modified Time A – Accessed Time C –[…]

2014/11/10

PLASO – Google and Timelines

by Destruct_Icon
Categories: Analysis, Host Forensics

PLASO – When Google Met Timelines. Many moons ago (ok, not that many moons ago) log2timeline was the go-to source for easily building a timeline from a forensics image. Log2timeline is an amazing application that builds out a timeline perspective of an image using any timestamps it can identify. This is done through a[…]

2014/09/24

Memory Forensics: Mandiant Redline

by DFIRninja
Categories: Analysis, Host Forensics

Why perform memory forensics? There are a plethora of reasons. What do you do when something happens on a computer and nothing is written to the disk? That is the biggest reason why you want to analyze a computer’s memory. Memory is like a snapshot in time for a computer and can provide[…]
