Windows 10 shell items are metadata files that hold details about various objects in the Windows operating system, including shortcuts, files, and folders. These items are invaluable for forensic investigations because they provide insights into the location and usage of these objects.

To perform shell item forensics on Windows 10, you can use forensic tools such as Autopsy, EnCase, or Belkasoft Evidence Center, which are capable of extracting and analyzing shell item metadata.…


A Security Information and Event Management (SIEM) solution acts as the central nervous system of an organization’s security framework. It collects, analyzes, and correlates data from various sources within the IT infrastructure, including network devices, servers, and security systems.

By integrating a SIEM solution in a SOC, organizations can significantly enhance their ability to monitor, assess, and mitigate cybersecurity risks in real-time.…


Experience Level required: Intermediate

In this report, we will analyze CyberGate, a Delphi malware, to determine its function and capabilities.

According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to the victim’s system. Attackers can remotely connect to the compromised system from anywhere around the world.…


The registry is a hierarchical database. The Windows Registry holds configuration information about all the applications on the system, user-specific settings, the configuration of the various hardware devices used by the system, settings for all the software on the system, etc.

To dive into the registry, one of the first things we need to know is… where is it?…


Windows operating systems maintain event logs that capture extensive information about the system, users, activities, and applications. These logs primarily serve to inform administrators and users and are categorized into five levels: information, warning, error, critical, and success/failure audit. For forensic analysis, event logs are an invaluable resource for reconstructing the sequence of events on a system.…

Email forensics overview

Email forensics involves the examination, extraction, and analysis of email data to gather digital evidence crucial for resolving crimes and specific incidents, while ensuring the integrity of the investigation process. This investigative process encompasses various aspects of emails, focusing on:

Email content, including messages and attachments.…

Hard disks are the containers that hold our evidence files, from the investigator’s perspective. Understanding them is mandatory for every forensic analyst, as they can provide valuable information within the investigation. Since the investigator is required to handle the case with caution to preserve the data, he must understand how this data is stored and how it is handled by the hard disk itself; this lets him understand the consequences of any action he takes while handling the evidence.…


Experience Level required: beginner

In this blog we will learn how to analyze MS Office macro-enabled documents.

1st sample: 8d15fadf25887c2c974e521914bb7cba762a8f03b1c97a2bc8198e9fb94d45a5
2nd sample: a9f8b7b65e972545591683213bb198c1767424423ecc8269833f6e784aa8bc99

Let’s look at the sample on VirusTotal.

37 of 63 security vendors detected this file as malicious.

Let’s open the file.

It uses a social engineering technique to persuade the user to enable the macros, which leads to the infection of the user’s machine.…


In this report, we will conduct a comprehensive analysis of Gafgyt, an ELF malware. Our aim is to examine the malware’s capabilities and determine its functions:

DDoS attack capabilities
Communication with the Command and Control (C&C) server
Detection evasion
Network setup and configuration
Process manipulation

Gafgyt malware, also known as Bashlite, has targeted millions of vulnerable IoT devices in the last few years.…


In this blog post, we discuss what we can do when presented with a memory image of a suspect machine to investigate, and how to leverage our tools to get as much information as we can from it.

We will be dealing with two tools:

Volatility 3
MemProcFS

Experience Level required: Beginner

Memory forensics is a must-have skill for any computer forensics investigator: you can find a lot of evidence in memory that can’t be found on the disk, such as:

Established network connections.…

Experience Level required: Intermediate

In this report, we will analyze the CryptNet Ransomware, starting with deobfuscating the sample and proceeding through the ransomware’s techniques:

Obfuscated strings
Encrypted strings
AES & RSA encryption algorithms

CryptNet is a .NET ransomware that has been advertised as a new ransomware-as-a-service on underground forums since at least April 2023.…


The New Technology File System (NTFS) is a file system developed and introduced by Microsoft in 1995. It was produced to overcome some limitations of earlier file systems and to offer new features:

Hard links
Improved performance, reliability, and disk space utilization
Security access control lists
File system journaling

Here are some files related to the NTFS file system and what they are used for:

$MFT: stores the MFT records
$MFTMirr: contains a partial backup of the MFT
$LogFile: transaction logging file
$Volume: contains volume information such as label, identifier, and version
$AttrDef: attribute definitions
$Bitmap: contains the allocation status of all clusters
$Boot: contains the boot record
$BadClus: marks clusters as bad clusters
$Secure: contains security and access control information

So I will start to discuss what we can get out of analyzing NTFS Artifacts.…
