Monday, April 29, 2024

Digital Forensics: Guidance for Incident Responders

The guide covers the following topics:
  • AmCache’s contribution to forensic investigations: The AmCache registry hive’s role in storing information about executed and installed applications is crucial, yet it’s often mistakenly believed to capture every execution event. This misunderstanding can lead to significant gaps in forensic narratives, particularly where malware employs evasion techniques. Moreover, the lack of execution timestamp specificity in AmCache data further complicates accurate timeline reconstruction.
  • Browser forensics: Uncovering digital behaviors: The comprehensive analysis of browser artifacts is fraught with challenges, particularly regarding the interpretation of local file access records. The misconception that browsers do not track local file access can lead to significant oversight in understanding user behavior, underscoring the need for thorough and nuanced analysis of browser data.
  • The role of Link files and Jump Lists in forensics: Link, or LNK, files and Jump Lists are pivotal for documenting user behaviors. However, investigators sometimes neglect the fact that they’re prone to manipulation or deletion by users or malware. This oversight can lead to flawed conclusions. Furthermore, Windows’ automatic maintenance tasks, which can alter or delete these artifacts, add another layer of complexity to their analysis.
  • Prefetch files and program execution: Prefetch files’ role in improving application launch times and their forensic value in tracking application usage is well-documented. However, the common error of conflating the prefetch file’s creation date with the last execution date of an application leads to mistaken conclusions about usage patterns. Also, overlooking the aggregation of data from multiple prefetch files can result in a fragmented understanding of application interactions over time.
  • ShellBags forensic analysis: ShellBags, with their ability to record user interactions with the File Explorer environment, offer a rich source of information. Yet not all investigators recognize that ShellBags track deleted and moved folders, in addition to current ones. This oversight can lead to incomplete reconstructions of user activities.
  • Shimcache’s forensic evolution: The Shimcache has long served as a source of forensic information, particularly as evidence of program execution. However, the changes in Windows 10 and later have significantly altered the forensic meaning of Shimcache artifacts: an entry now indicates that a file was present, not that it was executed. Treating it as proof of execution can mislead investigators, especially since Shimcache records the file’s last modification timestamp, not an execution time, and the data is only committed to disk on shutdown or reboot.
  • Forensic insights with SRUM: SRUM’s tracking of application execution, network activity, and resource consumption is a boon for forensic analysts. However, the wealth of data can also be overwhelming, leading to crucial details being missed or misinterpreted. For instance, the temporal discrepancies between the SRUM database and system logs can confuse investigators, making it challenging to align activities accurately. Additionally, the finite storage of SRUM data means older information can be overwritten without notice, a fact that’s often overlooked, resulting in gaps in data analysis.

  • The importance of User Access Logging (UAL): UAL’s tracking of user activities based on roles and access origins is essential for security analysis, especially since this feature is designed for Windows Server operating systems (specifically 2012 and later). Its vast data volume can be daunting, leading to potential oversight of unusual access patterns or lateral movements. Additionally, the annual archiving system of UAL data can cause confusion regarding the longevity and accessibility of logs, impacting long-term forensic investigations.
  • Decoding UserAssist for forensic evidence: The UserAssist feature’s tracking of GUI-based program interactions is often misunderstood, with analysts mistakenly prioritizing run counts over focus time. This misstep can lead to inaccurate assumptions about application usage, as focus time, a more reliable indicator of actual use, gets overlooked.
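The UserAssist point above (focus time, not run count, is the better usage indicator) is easiest to see on decoded values. The following Python is an added example, not code from the post or from Microsoft’s guide: it decodes UserAssist values in the Windows 7 and later layout (ROT13-encoded value names; run count at offset 4, focus count at offset 8, focus time in milliseconds at offset 12, last-run FILETIME at offset 60) and ranks programs by focus time. The sample values, program names and timestamps are constructed inline so the script runs offline; nothing here is read from a real registry hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist(value_name, raw):
    """Decode one UserAssist value (Windows 7 and later, 72-byte layout).

    Offsets used: 4 run count, 8 focus count, 12 focus time (ms), 60 last-run FILETIME.
    """
    if len(raw) < 68:
        raise ValueError("value too short for the Windows 7+ UserAssist layout")
    _version, run_count, focus_count, focus_time_ms = struct.unpack_from("<IIII", raw, 0)
    (last_run_ft,) = struct.unpack_from("<Q", raw, 60)
    # A zero FILETIME means no execution time was recorded for this entry.
    last_run = filetime_to_datetime(last_run_ft) if last_run_ft else None
    return {
        "program": codecs.decode(value_name, "rot13"),  # value names are ROT13-encoded
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        "last_run": last_run,
    }


def rank_by_focus_time(entries):
    """Order decoded entries by focus time, the usage indicator the post prefers."""
    return sorted(entries, key=lambda e: e["focus_time_ms"], reverse=True)


def _make_value(run_count, focus_count, focus_time_ms, last_run):
    """Build a constructed 72-byte UserAssist value for demonstration only."""
    ft = datetime_to_filetime(last_run) if last_run else 0
    return (
        struct.pack("<IIII", 5, run_count, focus_count, focus_time_ms)
        + b"\x00" * 44           # offsets 16-59: usage floats and an unknown field
        + struct.pack("<Q", ft)  # offset 60: last-run FILETIME
        + b"\x00" * 4            # offset 68: trailing unknown field
    )


# Constructed sample values: names are stored ROT13-encoded, as in the real hive.
# calc.exe has the highest run count, notepad.exe by far the most focus time,
# and old.exe has a run count but no recorded last-run time.
SAMPLE_VALUES = {
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe", "rot13"):
        _make_value(3, 12, 185_000, datetime(2024, 4, 29, 10, 15, tzinfo=timezone.utc)),
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\calc.exe", "rot13"):
        _make_value(20, 20, 4_000, datetime(2024, 4, 28, 9, 0, tzinfo=timezone.utc)),
    codecs.encode(r"{6D809377-6AF0-444B-8957-A3773F02200E}\Tool\old.exe", "rot13"):
        _make_value(1, 0, 0, None),
}


def decode_all(values=SAMPLE_VALUES):
    """Decode every value and return them ranked by focus time."""
    return rank_by_focus_time([decode_userassist(n, v) for n, v in values.items()])


if __name__ == "__main__":
    for e in decode_all():
        last = e["last_run"].isoformat() if e["last_run"] else "not recorded"
        print(f'{e["program"]:58} runs={e["run_count"]:<3} '
              f'focus={e["focus_time_ms"] / 1000:.1f}s last={last}')
```

Ranked by run count, calc.exe would look like the most used program; ranked by focus time, notepad.exe clearly was. The decoder also keeps a missing last-run timestamp as None rather than reporting 1601-01-01, which is the kind of artifact that otherwise ends up in a timeline.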

Reference Microsoft Incident Response guide

Note: The content on this website is provided for informational and educational purposes only, as a memory aid.

* If any of the information is in error, we apologize; please notify the Admin so it can be corrected.
Thank you.

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD 

Friday, April 5, 2024

Digital Forensics - Unlocking the Secrets

As cyber threats grow and cyber awareness alone may no longer be enough, Digital Forensics is another body of knowledge everyone should be familiar with: to understand the techniques and practices used in investigations to find digital forensic evidence, and to be able to understand, handle and preserve important digital evidence (Digital Evidence) with its integrity intact so that it can be used in subsequent legal proceedings.

Objectives:

  • To give participants awareness and understanding of cyber threats
  • To give participants knowledge and understanding of what Digital Forensics is, and of the techniques, methods and practices used in investigations to find digital forensic evidence
  • To help participants understand what digital evidence (Digital Evidence) is, the types of digital evidence, and how to collect digital evidence correctly and completely so that it can be used in subsequent legal proceedings

Training duration: 1 day

Training venue



Source: https://swpark.or.th

Read more: computer forensic training.




Identifying uninstalled software using Event Logs with Osforensics

Windows Event Logs are a detailed record of system, security, and application notifications and messages stored by the Windows operating system. These logs are invaluable for troubleshooting, monitoring system health, and analyzing security incidents.

Here's an overview of the main types of Windows Event Logs:

  1. Application Logs: These contain events logged by applications or programs. For example, a database application might record errors and significant operations here.

  2. Security Logs: These log security-related events, such as login attempts, resource access, and system changes. They are crucial for auditing and monitoring security-related activities.

  3. System Logs: These contain events logged by Windows system components. For example, drivers and services will log events here when they encounter issues or perform significant actions.

  4. Setup Logs: These are used for logging events related to the installation of applications or system components.

  5. Forwarded Events: These are events collected from remote computers and stored locally.

Windows Event Logs are stored at the following path: C:\Windows\System32\winevt\Logs

Osforensics V7 can be used to help identify uninstalled software. Open the Event Log Viewer from the Start screen in OSF…

As with many other actions and events recorded in the Windows Event Logs, you can analyze these logs for records of uninstalled software.

You will first need to run a scan to search for any Event Logs located on a forensic image file or connected drive. Once the scan completes, navigate to the Application event log.

There will likely be tens of thousands of Application event log entries on a system. To quickly identify entries that contain information about uninstalled software, use the Preset filtering options available in the drop-down menu.

Choose the ‘Software Package Removal Success’ preset, which filters the view down to all entries with Event ID 11724, the event that records a software uninstallation.

In the example above, we can see that the software application ‘OpenVPN 2.6’ was successfully uninstalled on 2/13/2024 at 10:29:29. Unfortunately, in our testing, this data is not comprehensive: it does not seem to contain a complete historical list of uninstalled software.
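The same filter the preset applies (Application log, provider MsiInstaller, Event ID 11724) can be reproduced outside the tool on events exported as XML. The following Python is an added example and is not part of the post or of OSForensics: it walks Windows event XML (the schema that wevtutil and Get-WinEvent emit), keeps only MsiInstaller 11724 events, pulls the product name out of the "Product: … -- Removal completed successfully." message text and returns a sorted removal timeline. The three sample events, the host name WS01 and the timestamps are constructed inline so the script runs offline; the OpenVPN 2.6 removal mirrors the example from the post.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace used by Windows event XML (as exported by wevtutil or Get-WinEvent).
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# MsiInstaller 11724 message format; the product name sits between the markers.
REMOVAL_RE = re.compile(r"^Product:\s*(?P<product>.+?)\s*--\s*Removal completed successfully\.?$")

# Constructed sample: three exported Application-log events. Only the second one
# (MsiInstaller, Event ID 11724) is a successful removal; 11707 is the matching
# install event and 1000 is an unrelated application crash.
SAMPLE_EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID Qualifiers="0">11707</EventID>
  <TimeCreated SystemTime="2024-02-01T08:00:00.000000000Z"/><Channel>Application</Channel>
  <Computer>WS01</Computer></System>
  <EventData><Data>Product: OpenVPN 2.6 -- Installation completed successfully.</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="MsiInstaller"/><EventID Qualifiers="0">11724</EventID>
  <TimeCreated SystemTime="2024-02-13T10:29:29.000000000Z"/><Channel>Application</Channel>
  <Computer>WS01</Computer></System>
  <EventData><Data>Product: OpenVPN 2.6 -- Removal completed successfully.</Data><Data>(NULL)</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Application Error"/><EventID Qualifiers="0">1000</EventID>
  <TimeCreated SystemTime="2024-02-13T11:00:00.000000000Z"/><Channel>Application</Channel>
  <Computer>WS01</Computer></System>
  <EventData><Data>Faulting application name: example.exe</Data></EventData>
</Event>
</Events>"""


def iter_events(xml_text):
    """Yield Event elements from a single exported event or a wrapped list."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Event" % EVT_NS["e"]:
        return [root]
    return root.findall("e:Event", EVT_NS)


def parse_time(system_time):
    """Parse a SystemTime attribute; event XML carries nanoseconds, datetime takes microseconds."""
    m = re.match(r"^(.*?)(?:\.(\d+))?Z$", system_time)
    if not m:
        raise ValueError("unexpected SystemTime format: %r" % system_time)
    base, frac = m.group(1), (m.group(2) or "0")
    micro = (frac + "000000")[:6]
    return datetime.fromisoformat("%s.%s+00:00" % (base, micro))


def find_removals(xml_text):
    """Return (time, computer, product) for every MsiInstaller Event ID 11724, oldest first."""
    removals = []
    for ev in iter_events(xml_text):
        system = ev.find("e:System", EVT_NS)
        provider = system.find("e:Provider", EVT_NS).get("Name")
        event_id = int(system.find("e:EventID", EVT_NS).text)
        if provider != "MsiInstaller" or event_id != 11724:
            continue
        when = parse_time(system.find("e:TimeCreated", EVT_NS).get("SystemTime"))
        computer = system.find("e:Computer", EVT_NS).text
        first_data = ev.find("e:EventData/e:Data", EVT_NS)
        text = (first_data.text or "").strip() if first_data is not None else ""
        m = REMOVAL_RE.match(text)
        # Keep the event even if the message text does not match, so nothing is silently dropped.
        product = m.group("product") if m else "<unparsed message: %s>" % text
        removals.append((when, computer, product))
    return sorted(removals)


if __name__ == "__main__":
    for when, computer, product in find_removals(SAMPLE_EVENTS_XML):
        print("%s  %s  removed: %s" % (when.isoformat(), computer, product))
```

As the post notes, this only reflects removals that the Application log still holds; the log rolls over, and uninstallers that do not go through Windows Installer never write an 11724 event, so the resulting timeline is a lower bound, not a complete history.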



Read more:

