Santoku is a bootable Linux distribution focused on mobile forensics, analysis, and security. It comes with pre-installed platform SDKs, drivers and utilities, and it auto-detects and sets up newly connected mobile devices. Santoku Linux is a free and open community project sponsored by NowSecure, which provides core team members and some of the tools for inclusion in the […]
I have written a lot of tutorials about Volatility; now let's apply that knowledge in a real context by extracting the password hashes from a Windows memory dump, in 4 simple steps. 1. Identify the memory profile. First, we need to identify the correct profile of the system: root@Lucille:~# volatility imageinfo -f test.elf Volatility […]
On Windows systems, event logs contain a lot of useful information about the system and its users.
The Windows registry contains information that is helpful during a forensic analysis. The Windows registry is an excellent source of evidential data, and knowing the type of information that could possibly exist in the registry, and where it is located, is critical during the forensic analysis process. Let's analyze the main keys… Recently opened Programs/Files/URLs: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU MRU is the abbreviation for […]
Amcache and Shimcache can provide a timeline of which program was executed, when it was first run, and when it was last modified. In addition, these artifacts provide program information such as the file path, size, and hash, depending on the OS version.