Posts

Showing posts from June, 2021
Volatility, Linux, Hashing, OSINT, forensic images
I had a need to examine a memory dump a while back and I used Volatility https://www.volatilityfoundation.org/ Normally I use both versions 2.6 and 3. Depending on the memory sample and what you are looking for, you might prefer one to the other. There are many great sites out there on how to use Volatility, but I wanted to mention a very useful site, https://unminioncurioso.blogspot.com/2019/03/dfir-first-steps-with-volatility.html from Marcos (@_N4rr34n6), because it reinforces the need to understand what you are looking for, and he shared his thoughts with a number of good examples of how to get there, using grep and egrep. You cannot be a modern-day forensicator without knowledge of the basic Linux commands. Another useful tool is Bulk Extractor, which is also often overlooked: https://fwhibbit.es/en/who-is-mr-x-lets-find-out-it-with-bulkextractor-egrep-patterns-we-are-what-we-browser Another essential item i
In the beginning...
The first computer incident I was involved in was the ILOVEYOU virus in May 2000, and that directly led me into forensics, with my first investigation being in 2004. I started out with a script from a book called “Windows Forensics and Incident Recovery” written by Harlan Carvey (@keydet89) https://windowsir.blogspot.com/ Thank you Harlan for all the books since and for creating RegRipper https://github.com/keydet89/RegRipper3.0 While I started out with a humble script, the modern forensicator/incident responder has a huge variety of FOSS tools to choose from. The need for Windows deadbox forensics still exists, but the focus has shifted to incident response (IR), with the need for speedy, accurate triage to stop ransomware. Given the rise in ransomware, data breaches and malware attacks, the need for IR is only increasing. The good news is the basics for the forensics and IR fields (DFIR) are basically the same – paraphrasing the experts: 1) criti