Some thoughts about smartphones data extraction
In an interesting article, editors by Privacy International examines some aspects of digital forensics on mobile phones, from the acquisition process to the data analysis phase.
Continue…Forensic analysis of Windows 10 compressed memory using Volatility
Memory analysis on Windows 10 is pretty different from previous Windows versions: a new feature, called Memory Compression, make it necessary a forensic tool able to read compressed memory pages.
Continue…How to retrieve hard disk information and properties with WMIC and lsblk
A couple of very brief tip, useful during a forensic acquisition.
Continue…How to mount a Azure’s VHD disk image on Linux
I just recently to perform a forensic analysis on a compromised Microsoft Azure VM, and I’d like to share a couple of useful tips.
Continue…How to extract forensic artifacts from pagefile.sys?
Microsoft Windows uses a paging file, called pagefile.sys, to store page-size blocks of memory that do not current fit into physical memory.
This file, stored in %SystemDrive%\pagefile.sys is a hidden system file and it can never be read or accessed by a user, including Administrator.
Permanently delete files in Windows using built-in utilities
A good wiping tool is available in all Windows systems since Windows 2000
Continue…Malware hiding and evasion techniques
Malware authors have always looked for new techniques to stay invisible.
This includes being invisible on the compromised machine, but it is even more important to hide malicious indicators and behavior during analysis.
USB Devices in Windows Forensic Analysis
Parsing SetupAPI log for fun and profit!
PE-sieve, a command line tool for investigating inline hooks
PE-sieve is a small tool for investigating inline hooks and other in-memory code patches, developed by hasherezade.
Forensic logical acquisition of Android devices using adb backup
In digital forensics, the term logical extraction is typically used to refer to extractions that do not recover deleted data, or do not include a full bit-by-bit copy of the evidence, analogously to copying and pasting a folder in order to extract data from a system.
So, this process will only copy files that the user can access and see: if any hidden or deleted files are present in the folder being copied, they will not be in the pasted version of the folder.