Category: Host Forensics

2014/09/08

Foremost Automator Script

by Destruct_Icon
Categories: Analysis, Coding, Host Forensics, Python

Foremost Automator Script A small project that we were working on involved using Foremost as an automated triage tool to run in the background while we were performing other analysis during incidents. The Foremost Automator Script was born from this project. If you are not familiar with Foremost, please check out our previous post at[…]

2014/06/01

InPrivate Browsing: Not so private anymore!

How private is Internet Explorer’s “InPrivate” browsing mode? InPrivate Browsing is a feature of Internet Explorer that was introduced a handful of years ago. InPrivate Browsing mode, nicknamed ‘porn mode’, is designed to allow the user to browse the Internet without the browser storing Internet history and webpage cache information, as[…]

2014/05/24

NTUSER, SOFTWARE or SYSTEM Hive Registry Parser

Registry Parser There have been times where I would like to parse through an NTUSER, SYSTEM or SOFTWARE hive and pull back just the keys and sub keys that have been modified after a certain date (which is one of the arguments for the below Python script). Thanks to William Ballenthin for showing how this is[…]

2014/05/19

Physical Memory Analysis – Volatility

by Destruct_Icon
Categories: Analysis, Host Forensics

Volatility So far we have gone through two other means of memory analysis: Bulk Extractor and Foremost. We plan to go very deep into Volatility at a later date, but as this run of posts is about the basics of physical memory analysis, I want to keep this relatively short and sweet. Volatility is a collection of[…]

2014/04/10

New SIFT Available!

by Destruct_Icon
Categories: Analysis, Host Forensics, News

Excited to mention that a new SIFT Kit is out! http://digital-forensics.sans.org/community/downloads Thanks SANS for being awesome! Go get your Log2Timeline and Volatility on! Here’s a list of new features per the SANS website. “Key new features of SIFT 3.0 include: Ubuntu LTS 12.04 Base 64 bit base system Better memory utilization Auto-DFIR package update and[…]

2014/03/30

Physical Memory Analysis – Bulk Extractor

by Destruct_Icon
Categories: Analysis, Host Forensics

Bulk Extractor The second tool in our list for Physical Memory Analysis is Bulk Extractor. Bulk Extractor is used to extract everything it recognizes in memory into text files, which then allow you to quickly identify keywords. Let’s get started with the GUI. In order to run BE against a memory dump you will want[…]

2014/03/09

Physical Memory Analysis – Introduction and Foremost

by Destruct_Icon
Categories: Analysis, Host Forensics

Physical Memory Analysis You could say that in the last few years there has been a boom in physmem (physical memory) analysis. There are many tools out there to aid in the analysis process, but if you are fresh into forensics like us the question is, “Where do I start?” There are plenty of good write-ups about the tools themselves[…]

2014/02/19

Google Drive Forensics

by Destruct_Icon
Categories: Analysis, Host Forensics

Google Drive Forensics Google Drive has some very useful artifacts that help identify not only what a user may have pushed to the cloud, but also what they have pulled down and stored on the current system. The three main files we will be looking at are: System Drive/Users/(Username)/AppData/Local/Google/Drive/snapshot.db System Drive/Users/(Username)/AppData/Local/Google/Drive/sync_config.db System Drive/Users/(Username)/AppData/Local/Google/Drive/sync_log.txt These three files[…]
