As a follow-up to my SANS webcast, I wanted to post detailed instructions on how to use KAPE to collect triage data and generate a mini-timeline from the data collected. As much as I hate to say "push button forensics", once you get KAPE up and running, it really is only a matter of a couple of clicks and you are off to the races.
In iOS 12, Apple went with a different way of storing a user's notifications than I was previously used to. In the past, it wasn't that difficult to track a user's notifications that were still hanging around on the device. It's not impossible right now, but boy is it painful. At least until a friend helped to make it easier for us.
Introducing a Python 3 script that looks for the UserNotifications folder in iOS 12 full file system extractions and parses the iOS notifications to easily triage their content. The script detailed below is a technical application of the research done at d204n6.com by my friend Christopher Vance that he kindly shared with me before making it public. Check out his blog on the topic at:
Read more https://abrignoni.blogspot.com/2019/08/ios-12-notifications-triage-parser.html
When you start analyzing a Linux memory dump using volatility, the first problem you may need to face is choosing the correct memory profile.
In previous posts, we’ve looked at how malware persists on macOS, taken a practical tour of macOS malware hunting techniques and also discussed techniques for reversing macOS malware. One area that we haven’t discussed so far, and which we’ll offer an introduction to in this and subsequent posts, is macOS post-breach or post-infection incident response. We’ll get started today, in Part 1, by explaining how to quickly gather up vital data about file events, system configuration and the machine’s current environment. In later posts in this mini-series on macOS incident response, we’ll look at discovering user activity, retrieving things like browser history, email messages, notifications, and application usage, among other things.
Binwalk is a simple Linux tool used for analysis of binary image files. Analyzing binary image files may include reverse engineering, extracting firmware images, file systems, embedded files or executable code from the binary images. These binary images could be from firmware of routers, IoT devices or any digital device.
Read more https://lifs.hallym.ac.kr/blog/2019/08/19/File-System-Analysis-of-LG-Forensic-Image-with-Binwalk.html
Testing software, researching forensic analysis, teaching forensics, and learning how to use forensic tools all require one common thing: test images.
There are so many forensic test images scattered across the Internet that finding something that you need takes time. So…I have curated into categories all that I have found, and I add new sources as I find them or am informed of them.
You don’t need to experience military life to learn the valuable lessons that are drilled into military recruits. In fact, you can probably enjoy the benefit of the lessons more quickly than spending months of being bombarded with ‘training’ every day. Recruits have no clue of the value of most lessons that they experience on a daily basis until years after graduating boot camp. You can probably get it the first day at this stage of working in DFIR, because you know the problems that need to be solved already. You just need a gentle push to the solutions.
How do you know if you improved your skill and knowledge base over the past years, or even over the past week? Did you even improve anything from yesterday? And if you did, how do you know? Are you better at working DFIR today than yesterday? There is something you can do to check.
We are our own worst enemy in many facets of life. We are the most critical of ourselves compared to anyone, even compared against the most overprotective parents or the strictest music teacher you’ve ever had or seen. We are tough on ourselves. Let’s take that toughness and use it for a benefit!
To see how much you have grown and developed in DFIR skills, block out a day to c
I am able to shed a little more light on this attribute of the files resident in the MFT. Along the way, in the search for the information I needed, I went to the Harlan Carvey Blog (http://windowsir.blogspot.com), which has mentioned this feature several times, in several of his articles. Specifically, one of those articles by Harlan, published on November 13, 2013, led me to another article, written by Hal Pomeranz, under the title of "Resident $DATA Residue in NTFS MFT Entries". And this has been my starting point.
In diary entry "Malicious .DAA Attachments", we extracted a malicious executable from a Direct Access Archive file.
Following my first post on this topic, an interesting comment was shared that I thought would really benefit the discussion, as well as benefit from a further look.
To paraphrase, the comment was along the lines of, "...how do you justify the additional cost of a second (or third) look when the results are coming out the same?"
In my experience, that hasn't been an issue.
Over the years, different means have been used to discuss the DFIR analysis process, and one of those has been artifact categories. This is where categories are created and artifacts placed in the various columns, as they relate to those categories. One such example is the SANS IR poster, which provides a great visual reminder for folks looking to employ this approach. Honestly, it is a good way to approach analysis...looking at even a single system image, artifacts have grown over the years as the versions of Windows have progressed from XP to Win7, through to Win10, and as such, it benefits a large portion of the community to have a repeatable approach to analysis.
Presentation is here. Will post a link to the video when it’s available.
Always a good time and love seeing friends every year. Still one of my favorite conferences! It was a nice surprise winning a couple of Forensic 4cast awards too! Thanks for your votes! ☺️