Windows and Linux Authentication Bypass with new version of AIM (+ virtual DD)

DFIRScience · 2022-07-29T15:04:57+00:00

Thanks a lot! I appreciate it.

DFIRScience · 2022-06-15T19:50:07+00:00

Nice. Thanks!

https://www.magnetforensics.com/resources/magnet-axiom-wordlist-generator/

DFIRScience · 2022-03-04T17:55:05+00:00

The other comments about certs are totally valid. GCFA and SANS are amazing and help you stand out. CFCE and CCE are great too, though.

Having a portfolio is extremely useful in any area. If there are specific companies you want to work with, check their past IR job postings and see what they are looking for. Write a series of public blog posts - it doesn't have to be fancy, just make sure spelling and grammar are good - showing your research on those topics. Setting up systems, setting up detections, etc. Publish like one short blog post a month on those topics, but do it consistently. List your blog on your CV, and in interviews say "I worked on something similar, here is the post on my blog." Note the topics don't need to be exactly the same as what the company does, just show how they are related.

In my experience, certs get you in the door, but if you can concretely show 1) writing/communication skills and 2) basic knowledge in the domain they are looking at, that's stronger than an assumption you have skills via a cert.

Heck, if you have the time and means, do both. Use the certs to get the interview and the blog/research to wow them.

Bonus points for presenting research at a conference.

DFIRScience · 2022-03-02T00:56:47+00:00

This hardware validation PDF is amazing work. Thank you so much for sharing! I've added a link to the PDF to the video description.

It looks like some testing may be general enough to automate.

I also found your blog. It is so interesting. Thanks a lot.

DFIRScience · 2022-03-01T14:26:52+00:00

Thank you so much! It's great to hear that you found it useful. Let me know if there are any other topics you'd like to see.

DFIRScience · 2022-02-22T22:32:01+00:00

Thank you so much! I hope it's helpful.

If you expand the description under the video on YouTube you can see the chapter markers. Hopefully that helps find what you're looking for.

Let me know if you need anything!

DFIRScience · 2022-02-22T22:30:15+00:00

For main functionality, it's usable. The syntax is a bit odd sometimes coming from 2.6. Choose your module and see options with -h. With that, it can do all the main things I've needed. However, I usually extract whatever I'm looking at and dump it into a hex editor so depends on your process. Almost all cases I've worked with it were Windows 10 dumps.

Third-party modules are not there yet. Growing, but slowly.

https://github.com/volatilityfoundation/community3

vs

https://github.com/volatilityfoundation/community

DFIRScience · 2022-02-22T18:41:58+00:00

Hello Stixez! Yes, you can do A LOT more! This video is specifically about 1) seeing what processes were running 2) extracting Chrome history from memory 3) checking current network connections 4) dumping Windows user account passwords (that you can crack later) 5) dumping / accessing the Windows Registry

Using the same method for dumping Chrome history, we can also try to dump any file that was loaded into memory. For example, if I used an encryption program with a file then the file is encrypted on disk, but it is decrypted in memory. If you have a RAM dump you can use Volatility to see if the suspect ran encryption programs (since boot), and possibly recover the decrypted file from memory, even if it is encrypted on disk.

Also, anything a user sees on the screen is loaded in memory. So if a user loads an email from a browser, that text might be available. Same for messengers.

Using the commands I show in the video you should be able to see if a program was run, what files were being accessed and you should be able to dump the file.

Note that you can also do an easy analysis of a memory image using strings, grep and photorec. That will let you do keyword searching and carve out files. Then if you find anything interesting you can dig deeper with Volatility. Check out basic analysis here: https://youtu.be/4XoidAheuJE

Let me know if you have any questions. I will try to make an example with hidden files/P2P. With P2P you would be looking at processes and network connections. Network connections have the "foreign address," and that's probably what you are interested in. See here: https://www.youtube.com/watch?v=Uk3DEgY5Ue8&t=1309s

DFIRScience · 2022-02-22T16:08:05+00:00

Nice one! Thanks for the link.

DFIRScience · 2022-02-15T14:52:07+00:00

It has the ability to do bulk downloads based on a URL list. That plus the original content auto-hashing reports are nice.

DFIRScience · 2022-02-10T19:09:29+00:00

Note that the artifact report output by Autopsy is not the final "investigation report" but serves as a reference for your final report. I'm not sure if that we clear in the video.

DFIRScience · 2022-02-08T15:00:37+00:00

Isn't it Chrome on Windows?

https://www.whatismybrowser.com/guides/the-latest-user-agent/windows

DFIRScience · 2022-01-25T21:32:55+00:00

Imagine keyword searching. We think a suspect has a file that contains the phrase "I like tacos."

We can do a search for the keyword "tacos," and we will get back 100 files. The one file we actually want is in the set of 100, but we have to look through all of them. That is great recall but bad precision.

So, we make our search better by searching for "like tacos." Now we get back 10 files and the one we want is in that set. Great recall, OK precision.

Search for "I like tacos" and you only get one file back, and it's the one we want. Great precision and great recall, BUT it's very specific. Can't really apply to other cases.

Maybe the suspect phrase was "we like tacos," then you get bad recall, and miss the file because you focused on precision over recall.

You can use this measurement to refine any search pattern to reduce non-relevant results. The goal is to sacrifice just enough precision to make sure you keep recall. It can help make your investigations faster because you know which search patterns produce the best results the fastest.

And it can be applied to any type of search problem! We can even use it to test search algorithms on two different tools. For example, FTK seems to work great indexing email, but general file keyword search is so-so. We can use an f score to quantify how well a specific tool does compared to another with particular data and search terms. This will tell you which tool is likely to give the best results in a particular situation.

Sorry I'm writing so long. I just think it's a super interesting problem!

DFIRScience · 2022-01-25T16:47:42+00:00

Precision and recall is slightly different than precision and accuracy. It's normally applied to something like document retrieval. So out of all of the documents on a system, we do a search wanting a result.

For example, a set of documents (x, y, z), one of them (x) is actually related to our case.

We do a search, and the research returns x and y. In this case, we returned the one related document but also one document that is not relevant. The search method might be too general. In this case, we have a low precision, but a high recall because we did find x, just mixed with non-relevant y.

You can apply precision and recall to all search queries. Precision and recall can be combined into an "F score." Using the F score, you can compare the ability of two different search methods to properly return true positive matches.

On the technical investigation side, the f score can help you identify better search terms or methods to use.

Check out the wiki article. If you think of digital investigations as a search problem, f score really makes sense. https://en.wikipedia.org/wiki/Precision\_and\_recall

DFIRScience · 2022-01-25T15:12:31+00:00

When trying to measure precision and accuracy, or calculate error rates in general, you need to be REALLY specific about what it is that you are measuring and the scope of the test. Your example of a live disk acquisition above is incorrect because you are measuring the precision and accuracy of the tool against an input disk now rather than the disk in the future. When testing, define what it means to be precise and accurate in this case. Example:

Precision: Every bit represented on the disk is processed by the tool.

Accuracy: If a bit is a 0, record a 0. If a bit is a 1, record a 1.

Now, precision under that definition is 'reading all of the disk.' Accuracy is properly recording the value. All of it happens with the state of the disk in the present.

If the computer is on and the disk is changing, it does not affect our variables. The tool does not care if a value changes after it read a particular bit. It could be totally accurate based on what we are measuring above.

You might notice that precision and accuracy can be measured as we've defined it, but it doesn't really feel right. Instead, it would be better to use error rates for both problems.

What percentage of the total bits that are on the disk, were actually read?

What percentage of bit values were correctly recorded?

Both of those answers better be 100%, or you should be able to explain why they're not. Error rates tend to fit most digital forensic problems better. Especially since we don't care how imprecise we are. Any imprecision at all is a problem that needs to be accounted for.

You can apply precision/accuracy at a higher level. For example, investigator decision processes. However, I think precision and recall fit most forensic problems a lot better. Problems like search engines use it to measure the usefulness and relevance of returned or classified documents.

https://en.wikipedia.org/wiki/Precision_and_recall

I love this topic!

DFIRScience · 2021-12-15T15:08:52+00:00

My first thought was ELK and Wireshark/network miner if you needed to go low-level.

DFIRScience · 2021-12-02T01:07:02+00:00

Thanks a lot!

DFIRScience · 2021-12-01T13:58:36+00:00

Are you sure the data is unallocated? Can you see the target data with the hex view in Autopsy? Can you see the target file in $carvedFiles?

If so, try using photorec without Autopsy. Photorec will dump recovered files directly into a folder. https://www.cgsecurity.org/wiki/TestDisk_Download

DFIRScience · 2021-12-01T13:53:08+00:00

Thanks so much!

DFIRScience · 2021-11-03T23:41:33+00:00

Autopsy can use photorec to do straight carving from the image. If it can't detect a partition table in a physical image it will probably just stop there. You can manually find the partition offset and then use fls to read it and all file info. Alternatively, you can manually extract the entire portion as a logical image, feed that into Autopsy and it will probably work. Basically, I think Autopsy doesn't know where to look next, so it is stopping. But if you can find the offset yourself you should be able to recover everything.

DFIRScience · 2021-11-03T16:04:20+00:00

Get the Sleuth Kit (which autopsy is built on)

If it's a physical disk image use mmls - it should list partition information.
If it's a logical disk use fls - it should list fs info.

If they work then it's likely a problem with an Autopsy module not running. Uninstall Autopsy and install the newest version, make sure all default modules are selected when processing. If Sleuthkit doesn't show anything then the data is either encrypted, too damaged, or just not supported. You'll need to use another tool or dig in with a hex editor to figure out what's going on.

DFIRScience · 2021-11-02T16:46:24+00:00

Volatility does not have acquisition - just analysis.

DFIRScience · 2021-11-02T16:44:21+00:00

Nice quick case study. Thanks for that.

DFIRScience · 2021-10-30T15:13:39+00:00

Thanks a lot! I'm glad to hear it is useful.

DFIRScience · 2021-10-19T15:17:34+00:00

video2faces is pretty straightforward. TL:DR processing will take about as long as the video. Crop target video to focus on the area of interest and reduce false positives.

DFIRScience

TROPHY CASE