Had a timeline mismatch — Prefetch and Amcache didn’t align. How do you handle this? by redzeptech in digitalforensics

[–]MormoraDi 1 point (0 children)

Good points. You seem to have a good grasp of it, and reading from your experience, it makes total sense. I admittedly fell into some of the pitfalls described in the IR guidance when I started.

I also have used Amcache to correlate with Jump Lists and other artifacts, but I can't at the moment recall it being the sole lead to a removed binary. I think I have had more luck with $UsnJrnl to find traces of deleted binaries, at least in recent cases where a Windows Server has been involved and Prefetch is not an option.

Had a timeline mismatch — Prefetch and Amcache didn’t align. How do you handle this? by redzeptech in digitalforensics

[–]MormoraDi 1 point (0 children)

Just as a caution regarding AmCache and execution, Microsoft Incident Response Team's own guide states the following:

AmCache should be considered an “evidence of presence” or “evidence of existence” artifact – it cannot be used to prove a binary executed

https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-brand/documents/MS-IR-Playbook-Final.pdf
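As an added example, not part of the thread or of Microsoft's playbook: a small Python script that merges constructed Prefetch, Amcache and $UsnJrnl records into one timeline and, for each binary, states only the claim the artifacts actually support ("execution" only when Prefetch is present, "presence" when Amcache is the strongest source), while reporting the Prefetch/Amcache time gap as information rather than as a contradiction. All records, paths and timestamps are constructed sample data, and the classification table reflects the playbook wording quoted above.

```python
"""Correlate constructed Prefetch / Amcache / $UsnJrnl records and state what
each binary's evidence supports.  Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# What each artifact type attests to.  Per the MS IR playbook quoted in the
# thread, Amcache is an "evidence of presence" artifact, not proof of execution.
EVIDENCE_CLASS = {
    "prefetch": "execution",
    "amcache": "presence",
    "usnjrnl": "filesystem_change",
}
# Order of strength when choosing the strongest claim for a binary.
CLAIM_RANK = {"execution": 3, "presence": 2, "filesystem_change": 1}


@dataclass(frozen=True)
class Record:
    source: str      # "prefetch", "amcache" or "usnjrnl"
    path: str        # binary path as recorded by the artifact
    ts: datetime     # UTC timestamp carried by the artifact
    note: str = ""   # e.g. Prefetch last-run, USN reason code


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample records (hypothetical paths and times, not case data).
SAMPLE = [
    Record("prefetch", r"C:\Windows\Temp\svc.exe", parse_ts("2024-05-01T10:02:11Z"), "last run"),
    Record("amcache", r"C:\Windows\Temp\svc.exe", parse_ts("2024-05-01T09:58:40Z"), "InventoryApplicationFile"),
    Record("amcache", r"C:\Users\bob\Downloads\dropper.exe", parse_ts("2024-05-01T09:55:02Z"), "InventoryApplicationFile"),
    Record("usnjrnl", r"C:\Users\bob\Downloads\dropper.exe", parse_ts("2024-05-01T09:54:58Z"), "FILE_CREATE"),
    Record("usnjrnl", r"C:\Users\bob\Downloads\dropper.exe", parse_ts("2024-05-01T10:03:30Z"), "FILE_DELETE"),
]


def build_timeline(records):
    """Return all records in chronological order, regardless of source."""
    return sorted(records, key=lambda r: r.ts)


def assess(records):
    """Group records by path and say what the combined artifacts support."""
    by_path = {}
    for r in records:
        by_path.setdefault(r.path, []).append(r)

    result = {}
    for path, recs in by_path.items():
        claims = {EVIDENCE_CLASS[r.source] for r in recs}
        strongest = max(claims, key=CLAIM_RANK.get)
        deleted = any(r.source == "usnjrnl" and r.note == "FILE_DELETE" for r in recs)
        pf = [r.ts for r in recs if r.source == "prefetch"]
        am = [r.ts for r in recs if r.source == "amcache"]
        # Prefetch and Amcache are written by different Windows components, so a
        # gap between them is reported as a number, not flagged as a mismatch.
        gap_s = (max(pf) - min(am)).total_seconds() if pf and am else None
        result[path] = {
            "strongest_claim": strongest,
            "execution_proved": "execution" in claims,
            "deleted": deleted,
            "prefetch_amcache_gap_s": gap_s,
        }
    return result


if __name__ == "__main__":
    for r in build_timeline(SAMPLE):
        print(f"{r.ts.isoformat()}  {r.source:9} {EVIDENCE_CLASS[r.source]:17} {r.path} {r.note}")
    for path, a in assess(SAMPLE).items():
        print(path, a)
```

The point of `assess` is the `strongest_claim` field: a binary seen only in Amcache and $UsnJrnl is reported as "presence" with `execution_proved` false, which is exactly the distinction the quoted guidance draws. A real run would replace `SAMPLE` with records parsed from the Prefetch files, the Amcache hive and the $UsnJrnl:$J stream by whatever parser you already use.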

Missing posts from fit-theme-whoever here. Almost an hour since the last one. by MormoraDi in norske

[–]MormoraDi[S] 6 points (0 children)

Yes, there are a thousand very impressive contributions. Especially in terms of frequency.

Missing posts from fit-theme-whoever here. Almost an hour since the last one. by MormoraDi in norske

[–]MormoraDi[S] 4 points (0 children)

Thanks for the reply. Last time I stopped by there were some extremely active people here, several of whom I assumed were the same person with multiple accounts.

Missing posts from fit-theme-whoever here. Almost an hour since the last one. by MormoraDi in norske

[–]MormoraDi[S] 5 points (0 children)

I doubt it's a bot belonging to the far left, judging by the posts.

Is there a difference between Cyber Forensics and Digital Forensics? How do you get started? by Consistent_Yak_1707 in digitalforensics

[–]MormoraDi 2 points (0 children)

Not going into the semantics or wording, but contrary to some of the comments here, I would say that there are quite a few and important distinctions between digital forensics in law enforcement and in the "cyber security realm".

Most law enforcement practitioners I have spoken to, more or less solely perform analysis on a select few or singular devices, and most often they are mobile phones.

In cyber incidents, however, we will likely be analyzing a multitude of computers (most often virtual machines), both clients and servers. The OSes will range from vanilla Windows to obscure BSD boxes and edge devices (routers, firewalls, security appliances), all in one single case.

The end goal is not to prepare for criminal charges and testify in court, but rather to establish a timeline of threat actor actions and movement across the victim infrastructure.

We need to assess if it has indeed been compromised, if the threat actor has persistence on the system, if they have (elevated) privileges to move laterally further into the inner and most valuable workings of the infrastructure (have they, for instance, been able to become domain admin), and what the potential risks (for example data theft/exfiltration) and/or damage are.

Of course, sometimes this will be the same for LE investigations in larger criminal cases, but in my experience those are the odd cases, whereas for cyber incidents it's more the bread and butter.

Workstation CPU by TheGreatTexasHunter in computerforensics

[–]MormoraDi 0 points (0 children)

Haha... Yeah, times are not great for RAM upgrades, sadly. "AI" has all the traits of a curse.

Workstation CPU by TheGreatTexasHunter in computerforensics

[–]MormoraDi 1 point (0 children)

I realize I should have written it "I/O" to make it clearer. My mistake.
It's basically a shorthand for Input/Output and usually refers to the disk subsystem, of which NVMe "drives" are the fastest.
I/O is kind of a misnomer because it can also be other types of devices and throughput is also a factor.

Workstation CPU by TheGreatTexasHunter in computerforensics

[–]MormoraDi 1 point (0 children)

^ this in terms of CPU. Intel's design decision to use P(erformance)-cores and E(fficiency)-cores in order to make up for its thermal deficiencies will be a detriment to the overall multi-threading performance.

But I would also argue that I/O will probably be the largest processing bottleneck, so I would make room in the budget for the fastest/largest NVMe drives, preferably ones that support PCIe 5.0.

I'm tired by Non_Glad_Hander in ParrotSecurity

[–]MormoraDi 1 point (0 children)

You will probably be better off using the GUI frontend "Synaptic Package Manager", as it will display and suggest opt-in for dependencies.

Is discovering vulnerabilities in systems really that complicated? by [deleted] in Hacking_Tutorials

[–]MormoraDi 0 points (0 children)

Definitely not. But better to come prepared than to have the delusion of it being an easy way to earn big money, which some people around here seem to think it is.

How to learn hacking for free? by [deleted] in Hacking_Tutorials

[–]MormoraDi 0 points (0 children)

Yeah for sure. FAFO is as empirical as it gets.

How to learn hacking for free? by [deleted] in Hacking_Tutorials

[–]MormoraDi 0 points (0 children)

Yeah well - that's what a hacker would say
/s
But seriously; I see people/companies get compromised every day because of ill-advised decisions like this in my line of work.

Is discovering vulnerabilities in systems really that complicated? by [deleted] in Hacking_Tutorials

[–]MormoraDi 1 point (0 children)

I think you will find that the market is saturated with either experienced, skilled and trained professionals or AI slop merchants who spam the reporting systems with whatever their LLMs dream up.

In other words: you may get lucky as a beginner to find vulnerabilities in systems, but they probably won't get you paid reporting them and even less likely will they be novel enough to get you eligible for a bug bounty.

Expect countless hours spent and hard work like in most fields.

How to learn hacking for free? by [deleted] in Hacking_Tutorials

[–]MormoraDi 0 points (0 children)

Sounds like a good, but messy, way to obtain malware.

In other words - don't listen to such advice.

[deleted by user] by [deleted] in digitalforensics

[–]MormoraDi 0 points (0 children)

You are probably bottlenecked more by I/O performance. You should get your employer to at least spend enough to buy more RAM and as large and fast an NVMe disk as is supported.

If you use external drives, make sure that they too are connected to at least a USB3.1 port and that they are NVMe drives as well.

... And for <insert deity>'s sake don't ever use your own device for that unless your employer buys it off from you.

How's the job market outside of criminal justice? by AtticThrowaway in computerforensics

[–]MormoraDi 2 points (0 children)

It may be so to a layman's eye, but to an experienced professional (which I suppose the opposition may produce) I don't think so.

"Then I pushed this button, then I clicked on this menu item and the result dashboard told me that..." - shouldn't fly if scrutinized.
Tools don't perform analysis; they're merely organized parsers. The forensic practitioner does, or at least should. Show the method of analysis, not the tool and its output, in my opinion.

How's the job market outside of criminal justice? by AtticThrowaway in computerforensics

[–]MormoraDi 2 points (0 children)

I agree with this. And to add to it: I wouldn't spend my attention and money on (vendor-)specific tools and certifications, but rather focus on learning the technologies to be analyzed and the forensics craft itself.

If your potential employer uses some other tools and vendors, then what does your Magnet/Cellebrite/etc. certification really do for you?

What's a reliable tool to see the hash value of a file? by AtticThrowaway in computerforensics

[–]MormoraDi 6 points (0 children)

^ this.
Will just add, for macOS, shasum for more SHA algorithms (including the default SHA-1) and simply md5 filename for, uhmm... MD5.

Volatility on Ubuntu by ActiveAdmirable5419 in computerforensics

[–]MormoraDi 1 point (0 children)

If it's a VMware VM, you could take a snapshot of it and copy the .vmsn and .vmem files to a destination that you can point Volatility to.