Volatilty, Linux, Hashing, OSINT, forensic images

I had a need to examine a memory dump a while back and I used Volatility https://www.volatilityfoundation.org/

 Normally I use both versions 2.6 and 3. Depending on the memory sample and what you are looking for, you might prefer one to the other. There are many great sites out there on how to use Volatility, but I wanted to mention a very useful site, https://unminioncurioso.blogspot.com/2019/03/dfir-first-steps-with-volatility.html from Marcos (@_N4rr34n6) because it reinforces a need to understand what you are looking for and he shared his thoughts with a number of good examples on how to get there – using grep and egrep.

You can not be a modern day forensicator with out knowledge of the basic Linux commands. Another useful tool is Bulk Extractor, which also is often overlooked: https://fwhibbit.es/en/who-is-mr-x-lets-find-out-it-with-bulkextractor-egrep-patterns-we-are-what-we-browser

Another essential item in the documentation process is hashing your evidence. Recently, at the SANS OSINT Feb 2020 Steven Harris @nixintel presented “Hash Or It Didn’t Happen” which can be found here https://www.sans.org/cyber-security-summit/archives/security-awareness  (Yes you need to have a SANS account) This is an excellent presentation showing Locards principle in action.

Nixintel.info is an excellent osint resource site as well : https://start.me/p/rx6Qj8/nixintel-s-osint-resource-list

Finally, one great source of forensics images – DigitalCorpora, has been moved over to AWS: https://digitalcorpora.org/news / and the files are here: https://downloads.digitalcorpora.org/corpora/

Comments

Post a Comment

Popular posts from this blog

 Update for 2022 Merry Christmas and a Happy New Year to everyone. Special shout out to those safeguarding civilization in all the many forms this takes. Being on call is not for everyone, is it ?  My last update was a while back and I am clearly overdue for an update we go into 2023. So lets cover some of my observations and personal highlights of 2022: The continued success and growth of EnergiCERT ( https://energicert.dk/ ) is certainly strengthening and benefiting the cyber security of  Danish critical infrastructure. Wonderful team of people, well managed and motivated. Yeah, I am biased ;) Engarde Security continues to grow and be noticed; now has expanded and with an ics range ( https://www.engardesecurity.com/icsrange )  Highly skilled people and the ics range is very well done. Enjoyed an excellent ICS Security conference in Copenhagen in November:  (https://insightevents.dk/isc-cph/ ) But I still miss CS3 (https://cs3sthlm.se/ ) for many non technical...
Read more
In the beginning... The first computer incident I was involved in was the ILOVEYOU virus in May 2000 and that directly lead me into forensics, with my first investigation being in 2004.  I started out with a script from a book called “Windows Forensics and Incident Recovery” written by Harlan Carvey (@keydet89) https://windowsir.blogspot.com/   Thank you Harlan for all the books since and creating RegRipper https://github.com/keydet89/RegRipper3.0 While I started out with a humble script, the modern forensicator/Incident Responder has a huge variety of FOSS tools to choose from. The need for Windows deadbox forensics still exists, but the focus has shifted to incident response (IR), with the need for speedy accurate triage, to stop Ransomware. Given the rise in ransomware, data breaches and malware attacks, the need for IR is only increasing. The good news is the basics for Forensics and IR fields (DFIR) are basically the same – paraphrasing the experts...
Read more

Alls well that ends well...

 After the shock of loosing my job in June, I was fortunate to discover I had a very supportive network of friends, former colleagues and people I met over the years who provided much needed moral support who helped me move on. Eventually to a rather unique and special job at sektorcert helping protect Danish critical infrastructure.  Thanks to all of you who reached out with offers, coffee meetings and advice while I was on garden leave. Your comments significantly helped during this challenging time. I feel truly fortunate and grateful to be working where I am now, with a most excellent group of  colleagues. The combination of our mission and the fact we are a non profit organization that directly supports our members is a welcome change from the usual commercial aspects of every other company I have worked for over the past 30 + years, with the exception of Unicef. So I wish the readers a very Merry Christmas and a reasonably decent 2024; which is optimistic as hell; b...
Read more