When I analyze an incident, usually I am looking for the evidence in memory, something like connections or injected processes. But eventually, I need to copy a normal file as the binary of a process (executable, ...
Thus, we had the forensic labs of the SACIA (South Africa Counter Intelligence Agency), the world's top authority on certification of photographic data, diamond, mineral and currency authenticity, a somewhat controversial ...
"One of the more revolutionary forensic artifacts to emerge in recent years is geo-location data. Geo-location gives us an accurate means to identify the physical location of an item on Earth. It is now possible to determine where in the world a laptop or mobile phone has been, solely using host-based forensics. In a world of increasingly mobile devices, geo-artifacts can provide a crucial extra dimension to our investigations. With it, we now have the potential to answer who, what, when, why, and where."
"If anyone needs just a little proof that you are using A/V products to mainly defend against low-skilled attackers, then there it is. I asked that the attack team use skills learned in most Penetration Testing courses. They didn't use anything really advanced, which is one of the reasons many argue that even the "Advanced Persistence Threat" isn't really that advanced. We even made many mistakes during the attack. Even then... nothing was found and nothing was automatically blocked. If this were a real compromise, we could have been on this network for months or years prior to anyone finding us. Just like in the real world."
Using malicious LNK files and malware in a Thumbs.db in order to mount an attack:
"When we examine one of the .lnk files in the folder, we see it calls the Windows Command Prompt to execute the start command. This command is passed the thumbs.db file along with the corresponding image [...] as its parameters. Therefore, when the user double clicks on the .lnk file, they expect an image to appear, and it does, as they are presented with an actual image from a Tibetan protest. However, the thumbs.db binary (detected as Trojan.Dropper) is also executed, which drops multiple files onto the compromised computer."
"This document describes what I [Michael G. Spohn] learned during my analysis of the Gh0st RAT source code. I describe in great detail how the multiple binaries work together, the extensive capabilities of the malware, and the structure of the source code tree. I also explore how the malware compromises a host, its obfuscation and encryption methods, and how it communicates. Finally, I provide some tips on how to identify a host compromised by the RAT and how to defend against it."
I'm sharing another script that parses the utmp file. • utmp_parser.py (download here) As you know, the utmp file keeps track of the current login state of each user (but not for all programs), even in...
"The most naive analysis you can perform with a kill chain is to map the magnitude of effort the attacker has applied at each stage. If you do this for the mass-malware kill chain, the exploitation step clearly stands out. [...] This might indicate a capability gap and creates an opportunity for defense."
"Digital Forensics XML (DFXML) is an XML language designed to represent a wide range of forensic information and forensic processing results. By matching its abstractions to the needs of forensics tools and analysts, DFXML allows the sharing of structured information between independent tools and organizations. Since the initial work in 2007, DFXML has been used to archive the results of forensic processing steps, reducing the need for re-processing digital evidence, and as an interchange format, allowing labeled forensic information to be shared between research collaborators. DFXML is also the basis of a Python module (dfxml.py) that makes it easy to create sophisticated forensic processing programs (or “scripts”) with little effort."
It's essential that private corporations and government agencies across the globe coordinate on cyber crime, Mueller said, in part because nefarious hackers are already forming alliances. "We must work together to safeguard ...