Dfir | So Long, and Thanks for All the Fish

How to read Windows Hibernation file (hiberfil.sys) to extract forensic data?

Posted on May 15, 2019May 8, 2019 by Andrea Fortuna

The #hibernation file (hiberfil.sys) is the file used by default by #Microsoft #Windows to save the machine’s state as part of the hibernation process. #dfir #cybersecurity #volatility

How to mount a Azure’s VHD disk image on Linux

Posted on April 24, 2019March 8, 2019 by Andrea Fortuna

I just recently to perform a forensic analysis on a compromised Microsoft Azure VM, and I’d like to share a couple of useful tips. Hits: 119

How to extract forensic artifacts from pagefile.sys?

Posted on April 17, 2019May 7, 2019 by Andrea Fortuna

Microsoft Windows uses a paging file, called pagefile.sys, to store page-size blocks of memory that do not current fit into physical memory. This file, stored in %SystemDrive%\pagefile.sys is a hidden system file and it can never be read or accessed by a user, including Administrator. Hits: 3084

Permanently delete files in Windows using built-in utilities

Posted on April 10, 2019February 18, 2019 by Andrea Fortuna

A good wiping tool is available in all Windows systems since Windows 2000 Hits: 192

How to analyze a VMware memory image with Volatility

Posted on April 3, 2019February 13, 2019 by Andrea Fortuna

A very brief post, just a reminder about a very useful volatility feature. Hits: 521

Older posts →