Testlab
Ventoy
Kali
SIFT with REMnux
CAINE
SquashFS
DFIR tools
Mobile tools
RE tools
Notes
Introduction
What?
Why?
How?
General
Forensic choreographies
First responder
Audit trails
Task management
Chain of custody (CoC)
Data acquisition
Live acquisition
Mobile
Post-mortem acquisition
Write blocking
Data imaging and hashing
Volatile evidence
Collecting RAM
Making a working copy
File recovery and data carving
Recovery
Carving
Parsers
Analysis in general
Mobile forensics
Network forensics
Primary purposes of network forensics
Network forensics use cases
Advantages of network forensics
Challenges of network forensics
Investigated data types in network forensics
Sources of evidence
Preparing for acquisition
Image sizes and disk space requirements
Hardware
Subject drive
Disk capabilities and features
Hidden sectors
DCO
HPA
System area
Security features
Passwords
SED
Encrypted flash thumb drives
Removable media
Optical media drives
Magnetic tape drives
Memory cards
Other storage devices
Apple
NVMe drives
Devices with block or character access
iOS
Android
Resources
Image acquisition
dd tools
Standard dd
dcfldd
dc3dd
Forensic formats
ewfacquire
ftkimager
SquashFS forensic evidence container
Cryptographic hashing
Signing images
Timestamping
Android acquisition
Extraction methods
Android partitions
Android logical data extraction
Connecting device to a workstation
USB debugging
Use ADB
Stay awake
Increase screen timeout
Screen lock bypassing techniques
Delete gesture.key
Modified recovery mode
Flashing a new recovery partition
Using automated tools
Using device manager
Using the Forgot Password/Forgot Pattern option
Bypassing third-party lock screens
Rooting
Resources
iOS acquisition
Extraction methods
Direct acquisition
Logical or backup acquisition
iTunes backups & trust certificates
Physical acquisition
Or?
Resources
Accessing images
Filesystem
Mounting
Drives
Forensically acquired image files
Loop devices
Device mapping
Forensic format images
xmount
VM images
QEMU QCOW2
VirtualBox VDI
VMware VMDK
Microsoft VHD
Encrypted filesystems
Microsoft BitLocker
Apple FileVault
Linux LUKS
TrueCrypt and VeraCrypt
Resources
Windows analysis
OS queries
Domain
OS
Hardware
Time
Updates
Account queries
Enumerating
Logging out
Changing passwords
Disabling
Device accounts
Service queries
Enumerating
Responses
Network queries
TCP connections
Established connections
UDP connections
Kill a connection
Check Hosts file
DNS Cache
IPv6
BITS
Remoting queries
Enumerating
RDP settings
Firewall queries
Enumerating
Firewall rules
Isolate endpoint
SMB queries
Enumerating
Response
Process queries
Enumerating
Hunting
Response
Recurring task queries
Scheduled tasks
Programs running at startup
Programs at login
Programs at PowerShell
Stolen links
Jobs
WMI Persistence
Run Keys
Other malicious run locations
Query Group Policy
Query GPO Scripts
File queries
Enumerating
Alternate data streams
File types
File manipulation
Grep in PowerShell
Registry queries
Enumerating
Useful registry keys
Response
Driver queries
Printer drivers
System drivers
Other Drivers
Drivers by Registry
Drivers by time
DLL queries
Enumerating
AV queries
Defender scan
Check if Defender has been manipulated
Responses
Log queries
Enumerating
Response
PowerShell
WhatIf
Clip
Stop truncation
Transcripts
Resources
Linux analysis
Filesystem hierarchy
Shells
Shell history
Enumerating
Special devices
Files
Enumerating
Files and dates
Compare files
Processes
Networks
Persistence
Cron jobs
Services
Bash
Evidence of execution
Log files
Resources
macOS analysis
Configuration files
Downloads
Install history
Location tracking
Most recently used
Audit logs
Evidence of execution
Persistence
Startup / login items
Scripts
Cron jobs
System extensions
Daemons
Query built-in security mechanisms
Resources
Mobile analysis
Basic static analysis of samples
Related labs
Resources
iOS analysis
iOS File systems
Time
SQLite databases
Property lists
HomeDomain plist files
RootDomain plist files
WirelessDomain plist files
SystemPreferencesDomain plist files
Cookies
Keyboard cache
Photos
Thumbnails
Wallpaper
Recordings
Downloaded applications
Resources
Android analysis
Filesystem hierarchy
Filesystem
File system types
Application data storage
Analysing an image using Autopsy
Resources
Resources
Challenges in digital forensics
Civil society response
Organisations
Best practices
Technology advances
Reliability and accuracy of tools
Artifacts
TryHackMe rooms
Introduction
What?
Why?
How?
A Windows server
Organisation X desktop
Standard Collector Analysis (Redline)
Questions
Resources
IOC Search Collector (Redline)
Resources
IOC Search Collector Analysis (Redline)
Questions
Resources
Endpoint investigation (Redline)
Questions
Resources
Leaking private company data (again) (Autopsy)
Resources
Windows 10 disk image (Autopsy)
Questions
Acceptable Use Policy violation (KAPE)
Questions
BOB! THIS ISN’T A HORSE! (Volatility)
That Kind of Hurt my Feelings (Volatility)
Resources
Hunt for a nightmare (Volatility)
Questions
Android malware analysis (Pithus and jadx)
First steps (Pithus)
Getting into the APK
Hunting
Search (Pithus)
First steps (jadx)
Signing certificate
Requested permissions
Frosting
FinSpy
Resources
iOS forensics (SQLiteDB)
CyberDefenders challenges
Introduction
What?
Why?
How?
RedLine
Scenario
Tools
Questions
Sysinternals
Scenario
Tools used
Questions
Root-me challenges
Introduction
What?
Why?
How?
Command & Control level 2
Docker layers
Log analysis web attack
Command & Control level 5
Find the cat
Ugly duckling
Command & Control level 3
Open my vault
Command & Control level 4
Job interview
Command & Control level 6
Second job interview
More practice
DFRWS Forensic challenges
HN/P challenges
Malware traffic analysis exercises
Geoguessr (Geolocation game)
Digital forensics and incident response (DFIR)
Ty Myrddin Home
Unseen University
Improbability Blog