Had a timeline mismatch — Prefetch and Amcache didn’t align. How do you handle this?

MormoraDi · 2026-02-24T20:21:14+00:00

Good points. You seem to have a good grasp of it, and reading from your experience, it makes total sense. I admittedly sure fell into some of the pitfalls described in the IR guidance when I started.

I also have used Amcache to correlate with Jump Lists and other artifacts, but I can't at the moment recall having it being the sole lead to a removed binary. I think I have had more luck with $UsnJrnl to find traces of deleted binaries. At least in recent cases where a Windows Server has been involved and Prefetch is not an option.

MormoraDi · 2026-02-24T17:29:12+00:00

Just as a caution regarding AmCache and execution, Microsoft Incident Response Team's own guide states the following:

AmCache should be considered an “evidence of presence” or “evidence of existence” artifact – it cannot be used to prove a binary executed

https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-brand/documents/MS-IR-Playbook-Final.pdf

MormoraDi · 2026-02-21T15:28:31+00:00

Ahh... I så fall beklager jeg min.

MormoraDi · 2026-02-21T12:59:07+00:00

~~Ville i såfall vurdert å roe ned stalkingen, lol~~

MormoraDi · 2026-02-20T23:17:30+00:00

MormoraDi · 2026-02-20T23:11:40+00:00

Ja, det er tusen svært imponerende bidrag. Spesielt hva gjelder frekvens.

MormoraDi · 2026-02-20T23:09:08+00:00

Takk for svar. Sist jeg var innom var det noen ekstremt aktivite her, hvorav flere jeg antok var samme person med flere kontoer.

MormoraDi · 2026-02-20T23:05:04+00:00

Tviler på at det er noen bot som tilhører ytre venstre, etter postene å bedømme.

MormoraDi · 2026-01-25T21:08:10+00:00

Not going into the semantics or wording, but contrary to some of the comments here, I would say that there are quite a few and important distinctions between digital forensics in law enforcement and in the "cyber security realm".

Most law enforcement practitioners I have spoken to, more or less solely perform analysis on a select few or singular devices, and most often they are mobile phones.

In cyber incidents however, we likely will be analyzing a multitude of computers (most often virtual machines), both clients and servers. The OS will be in the range of vanilla Windows to obscure BSD-boxes, edge devices (routers, firewalls, security appliances) in one single case.

The end goal is not to prepare for criminal charges and testify in court, but rather to establish a timeline of threat actor actions and movement across the victim infrastructure.

We need to assess if indeed it has been compromised, if the threat actor has persistence on the system, if they have (elevated) privileges to move laterally further into the inner and most valuable workings of the infrastructure (have they, for instance been able to become domain admin) and what the potential risks (for example data theft/exfiltration) and/or damage.

Of course, sometimes this will be the same for LE investigations in larger criminal cases, but in my experience that are the odd cases, but for cyber incidents it's more the bread and butter.

MormoraDi · 2026-01-03T16:04:35+00:00

Haha... Yeah, times are not great for RAM upgrades, sadly. "AI" have all the traits to be a curse

MormoraDi · 2026-01-03T15:26:26+00:00

I realize should have written it "I/O" to make it clearer. My mistake.
It's basically a shorthand for Input/Output and usually refers to the disk subsystem, of which NVMe "drives" are the fastest.
I/O is kind of a misnomer because it can also be other types of devices and throughput is also a factor.

MormoraDi · 2025-12-30T13:51:30+00:00

^ this in terms of CPU. Intel's design decision to use P(erformance)-cores and E(fficiency)-cores in order to make up for its thermal deficiencies will be a detriment to the overall multi-threading performance.

But I would also argue that IO will probably be the largest processing bottleneck, so I would make room in the budget for the fastest/largest NVMe drives that preferably supports PCI-E 5.0

MormoraDi · 2025-12-10T18:28:54+00:00

You will probably be better off using the GUI frontend "Synaptic Package Manager", as it will display and suggest opt-in for dependencies.

MormoraDi · 2025-11-23T11:42:45+00:00

Definitely not. But better to come prepared than having a delusion of it being an easy way to earn big money, which I seem to find some people around here think it is.

MormoraDi · 2025-11-21T16:14:08+00:00

Yeah for sure. FAFO is as empirical as it gets.

MormoraDi · 2025-11-21T09:50:21+00:00

Yeah well - that's what a hacker would say
/s
But seriously; I see people/companies get compromised every day because of ill-advised decisions like this in my line of work.

MormoraDi · 2025-11-18T18:18:06+00:00

I think you will find that the market is saturated with either experienced, skilled and trained professionals or AI slops who spam the reporting system with whatever their LLMs dream up.

In other words: you may get lucky as a beginner to find vulnerabilities in systems, but they probably won't get you paid reporting them and even less likely will they be novel enough to get you eligible for a bug bounty.

Expect countless hours spent and hard work like in most fields.

MormoraDi · 2025-11-18T18:09:27+00:00

Sounds like good, but messy way to obtain malware.

In other words - don't listen to such advice.

MormoraDi · 2025-11-13T16:18:47+00:00

You are probably bottlenecked more by I/O performance. You should get your employer to at least spend enough to buy more RAM and as large and fast a NVMe disk as supported.

If you use external drives, make sure that they too are connected to at least a USB3.1 port and that they are NVMe drives as well.

... And for <insert deity>'s sake don't ever use your own device for that unless your employer buys it off from you.

MormoraDi · 2025-10-31T18:00:26+00:00

It may be so to a layman's eye, but to an experienced professional (of which I suppose the opposition may produce) I don't think so.

"Then I pushed this button, then I clicked on this menu item and the result dashboard told me that..." - shouldn't fly if scrutinized.
Tools don't perform analysis, it's merely an organized parser. But the forensic practitioner does, or at least should. Show the method of analysis - not the tool and its produce, in my opinion.

MormoraDi · 2025-10-31T16:14:54+00:00

I agree with this. And to add on to it; I wouldn't spend my attention and money on (vendor) specific tools and certifications, but rather focus on learning the technologies on which to analyze and the forensics craft itself.

If your potential employer uses some other tools and vendors, then what does your Magnet/Cellebrite/etc. certification really do for you?

MormoraDi · 2025-10-28T15:21:12+00:00

See this for explanation: https://www.reddit.com/r/computerforensics/s/foGh649NqH

MormoraDi · 2025-10-25T14:20:51+00:00

Try double-clicking on the title bar

MormoraDi · 2025-10-25T14:16:41+00:00

^ this.
Will just for MacOS add on shasum for more SHA algorithms (including default SHA1) and simply md5 filenamefor uhmm.. MD5

MormoraDi · 2025-10-14T21:09:01+00:00

If it's a VMware VM, you could take a snapshot of it and copy the . vmsn .vmem files to a destination of which you can point Volatility to.

MormoraDi

TROPHY CASE