A PowerShell script to collect memory and (triage) disk forensics for incident response investigations. There are a number of tools that support a one-to-many remote operation capability. However, not all organizations have that level of capability. I’ve also seen in some large organizations how things are designed to work with remote assets, and how they […]
We’re often using PowerShell within the Incident Response team. I’m a big practitioner of spending 5 hours coding something to automate a 5-minute job. At first the math may not compute, but when that 5-minute job may be requested hundreds of times – and with it scripted it takes 30 seconds… that’s where […]
Pre-Requisites:
- 4-port USB hub
- Flash drive (Paladin bootable) – https://sumuri.com/make-your-own-paladin-usb-2/ created with unetbootin – https://unetbootin.github.io/
- USB hard drive for evidence collection, minimum 1.5x the capacity of the device being imaged
- Keyboard
- Mouse
*Keyboard/mouse can be either wired USB or one that uses an RF dongle (no Bluetooth).
UEFI Configuration: Make sure the device is fully powered down (not in standby […]
The final challenge (#12) – Part 1: What is the PID of the application where you might learn “how hackers hack, and how to stop them”? Format: #### Warning: Only 1 attempt allowed! The first thing I did was open the memdump file in HxD Hex Editor. A quick search found several hits. I considered […]
Challenge 11, Part 1: What is the IPv4 address that myaccount.google.com resolves to? I was able to find this pretty quickly going back to last week’s artifacts. In week 10, I used bulk_extractor to carve a PCAP out of the memory image. Opening the same PCAP file, I applied a String filter for ‘myaccount’. In […]
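The string filter above works because the DNS question section carries the hostname in wire format, and the A answer that follows it holds the IPv4 address. The same lookup can be done directly against raw bytes (a carved PCAP, or the memory image itself) without a full packet parser. This is an added example, not code from the blog or from bulk_extractor; the DNS query/response blob it scans is constructed inline, and the 203.0.113.10 answer is a documentation address, not the real resolution of myaccount.google.com.

```python
"""Carve DNS A answers for a hostname out of raw bytes.

Added example. Scans for the wire-format question name, confirms the
surrounding DNS header is a response with answers, then walks the answer
section for type A / class IN records. The sample blob is constructed.
"""
import struct
from typing import List


def encode_qname(hostname: str) -> bytes:
    """Wire-format name: length-prefixed labels followed by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in hostname.split(".")) + b"\x00"


def _skip_name(buf: bytes, pos: int) -> int:
    """Advance past a name at pos (label sequence or 2-byte compression pointer)."""
    while True:
        if pos >= len(buf):
            raise ValueError("name runs past end of buffer")
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer, e.g. 0xC00C
            return pos + 2
        pos += 1 + length


def carve_a_records(blob: bytes, hostname: str) -> List[str]:
    """Return IPv4 strings from every DNS response whose question is hostname/A/IN."""
    qname = encode_qname(hostname)
    results: List[str] = []
    start = 0
    while True:
        i = blob.find(qname, start)
        if i < 0:
            break
        start = i + 1
        if i < 12:  # a question name is preceded by the 12-byte DNS header
            continue
        flags, qdcount, ancount = struct.unpack("!HHH", blob[i - 10:i - 4])
        pos = i + len(qname)
        if pos + 4 > len(blob):
            continue
        qtype, qclass = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        # Keep only responses (QR bit set) with one question and at least one answer.
        if not flags & 0x8000 or qdcount != 1 or ancount == 0 or qtype != 1 or qclass != 1:
            continue
        try:
            for _ in range(ancount):
                pos = _skip_name(blob, pos)
                rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", blob[pos:pos + 10])
                pos += 10
                rdata = blob[pos:pos + rdlen]
                pos += rdlen
                if rtype == 1 and rclass == 1 and rdlen == 4:
                    results.append(".".join(str(b) for b in rdata))
        except (struct.error, ValueError):
            continue  # truncated record; move on to the next hit
    return results


# --- constructed sample data (not captured traffic) -------------------------
def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(hostname) + struct.pack("!HH", 1, 1)


def build_dns_response(hostname: str, ip: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_qname(hostname) + struct.pack("!HH", 1, 1)
    # Answer name is a pointer back to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


CONSTRUCTED_BLOB = (
    b"\x00junk\xff" + build_dns_query("myaccount.google.com")
    + b"\x00" * 7 + build_dns_response("myaccount.google.com", "203.0.113.10")
    + b"trailing"
)

if __name__ == "__main__":
    print(carve_a_records(CONSTRUCTED_BLOB, "myaccount.google.com"))
```

On a real image the same name will usually also appear in the outbound query, which the QR-bit check discards; CNAME chains in the answer section are skipped by type, so only direct A records are reported.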
This week’s challenge was another round of memory forensics. As with the previous week’s challenge, most* of my solves were done using a REMnux VM. REMnux includes both Volatility 2.6.1 (SSL support deprecated) and the beta of Volatility 3. Challenge 10, Part 1: At the time of the RAM collection (20-Apr-20 23:23:26, per imageinfo) there was […]
This week’s challenge was the first of the challenges to deal with memory forensics. The ‘question’ provided by Aaron Sparling (@OSINTlabworks) was a seven-parter! For most of the challenges so far I’ve been using Magnet Axiom and supplementing with other tools as needed. For this week’s solution you’ll see that all is being done […]
I only managed to get half the solution to last week’s challenge. Finding the first half of the solution was pretty straightforward. In the File system view (or via your image mounting directory traversal of choice) navigate to /var/log/apt. Here we find the history.log file, which keeps track of applications installed via apt. If you […]
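Reading history.log by hand scales poorly once an image has months of package activity, and the line layout (blank-line-separated records with Start-Date, Commandline, Install/Remove/Upgrade and End-Date fields) is regular enough to parse. The following is an added example, not the blog’s own tooling; the sample log is constructed in the real history.log layout and is not taken from the challenge image.

```python
"""Parse apt's history.log (/var/log/apt/history.log on Debian/Ubuntu).

Added example with a constructed sample log. Each record becomes a dict with
start/end timestamps, the command line, the requesting user, and per-action
package lists; explicit_installs() separates what the user asked for from
dependencies apt pulled in automatically.
"""
import re
from typing import Dict, List

# Constructed sample, not from a real system.
SAMPLE_HISTORY_LOG = """\
Start-Date: 2019-10-05  14:32:11
Commandline: apt install nmap
Requested-By: user (1000)
Install: libpcap0.8:amd64 (1.8.1-6, automatic), nmap:amd64 (7.70+dfsg1-3)
End-Date: 2019-10-05  14:32:20

Start-Date: 2019-10-06  09:01:44
Commandline: apt-get remove --purge nmap
Remove: nmap:amd64 (7.70+dfsg1-3)
End-Date: 2019-10-06  09:01:47
"""

# One package entry looks like "name:arch (version)" or "name:arch (version, automatic)".
_PKG_RE = re.compile(r"(\S+?):(\S+) \(([^)]*)\)")
_ACTIONS = ("Install", "Remove", "Purge", "Upgrade", "Downgrade", "Reinstall")


def _parse_packages(field: str) -> List[Dict]:
    pkgs = []
    for m in _PKG_RE.finditer(field):
        parts = [p.strip() for p in m.group(3).split(",")]
        pkgs.append({
            "name": m.group(1),
            "arch": m.group(2),
            "version": parts[0],
            "automatic": "automatic" in parts[1:],
        })
    return pkgs


def parse_history_log(text: str) -> List[Dict]:
    """Return one dict per record, in file order."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict = {"start": None, "end": None, "commandline": None,
                     "requested_by": None, "actions": {}}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            value = value.strip()
            if key == "Start-Date":
                rec["start"] = value
            elif key == "End-Date":
                rec["end"] = value
            elif key == "Commandline":
                rec["commandline"] = value
            elif key == "Requested-By":
                rec["requested_by"] = value
            elif key in _ACTIONS:
                rec["actions"][key] = _parse_packages(value)
        records.append(rec)
    return records


def explicit_installs(records: List[Dict]) -> List[str]:
    """Package names installed on request (excludes ', automatic' dependencies)."""
    return [p["name"] for r in records
            for p in r["actions"].get("Install", []) if not p["automatic"]]


if __name__ == "__main__":
    for r in parse_history_log(SAMPLE_HISTORY_LOG):
        print(r["start"], r["commandline"], {k: [p["name"] for p in v] for k, v in r["actions"].items()})
```

The Requested-By field is only present when apt was run by an unprivileged user via sudo, so a missing value usually means a root shell, which is itself worth noting in a timeline.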
Unlike the Fighting Irish, I don’t have a perfect record this year – but I’m still loving the game. I never did get to finish the week 6 challenge, but with week 7, I’m back in it. Challenge 7 (Nov 16-23) Part 1, Domains and Such. What is the IP address of the HDFS primary […]
So for week 5 we started on Ali Hadi’s Linux image (farewell for now, Android). I’ve worked WITH Linux for years as my underlying operating system for forensics, but as the forensics target, not so much. As the Magnet Training team is fond of saying, “You don’t know what you don’t know.” That was certainly the […]