Search Results

303 results found for "forensic"

  • SentinelOne (P8- SentinelOne Automation) :Guide / Training to Forensic Collection, KAPE Integration, Running Script and Incident Response

    Crucial forensic artifacts like $MFT, $J, Prefetch and more. Let’s explore the Forensic Profile option first. Click on Actions, then Search for Forensic Collection. Choose the forensic profile you created earlier and hit Run Collection. It’s a game-changer for incident response and forensic investigations.

  • Investigating macOS Persistence :macOS stores extensive configuration data in: Key Artifacts, Launch Daemons, and Forensic Strategies

    Executables: Confirm if the executables are legitimate by checking their file hashes or running basic forensic

  • Moving Forward with Memory Analysis: From Volatility to MemProcFS : Part 3

    File_Objects through: their process handle table their Virtual Address Descriptor (VAD) tree Memory forensics Forensic File Reconstruction (M:\forensic\files) When MemProcFS is run with forensic options enabled, NTFS Forensics from Memory The M:\forensic\ntfs folder allows analysts to investigate the entire file : M:\forensic\csv\ The timeline_ntfs.csv  file contains file system events, while other timelines focus -1/mastering-memory-forensics%3A-in-depth-analysis-with-volatility-and-advanced-tools

  • The Registry's Dirty Little Secret: Transaction Logs

    You've loaded them into your forensic tool. You're feeling good. The part of Windows forensics that quietly humbles analysts who think grabbing the hive files is enough. This process is called a hive flush, and it's the source of a genuinely important forensic blind spot. But from a forensics standpoint? The gold standard tool for registry forensics — Registry Explorer by Eric Zimmerman — does this right

  • Ransomware, Malware, and Intrusions: A Step-by-Step Analysis Methodology

    Artifacts: https://www.cyberengage.org/courses-1/windows-forensic-artifacts Series: https://www.cyberengage.org/courses-1/mastering-windows-registry-forensics%3A https://www.cyberengage.org/courses-1/network-forensic Internet History Critical for phishing & exfil evidence. 📌 Guide: Browser forensics series (open-source (indexing section): https://www.cyberengage.org/courses-1/windows-forensic-artifacts

  • The Registry Analyst's Toolkit: Choosing Your Weapon

    The forensic community has spent years building some genuinely excellent registry analysis tools. Forensic tools change. Vendors stop updating. Better options emerge. It's closer to a full forensic workstation for registry analysis. The best way to use this find I have shown in the USB Forensics link below: https://www.cyberengage.org/post /courses-1/usb-forensics

  • The Windows Registry: The Black Box Flight Recorder of Your PC

    That's basically what a forensic analyst does with the Windows Registry — except instead of a crime scene This is where forensics analysts basically strike gold. It means a forensic analyst can tell you that at exactly 01:39:35 UTC on January 30th, 2016 something You need specialized forensic tools to surface them. When you're doing live forensics on a running machine, you see these four root keys through regedit.

  • Cloud Incident Response: How to Acquire and Analyze a VM Disk Image in Azure

    the imaged disk, create a separate VM called the “Forensic VM” with adequate resources for your forensic Create OS Disk:  During setup, the Forensic VM will have its own OS disk where you can install forensic Step 4: Mount the Disk in the Forensic VM Once the Forensic VM is running, access the imaged disk by Step 5: Run Forensic Tools on the Forensic VM With the disk mounted, you can now use forensic tools to on the Forensic VM’s OS disk.

  • Using RADAR and MUICache for Evidence of Execution in Windows

    If you're into digital forensics, especially Windows forensic analysis, you've probably heard of MUICache. Velociraptor – A powerful tool for hunting and forensic analysis. That’s a red flag for forensic analysts! Why is This Useful for Forensics? Stay tuned for more forensic insights!

  • Uncovering Hidden Email Attachments in Outlook’s Secure Temp Folder

    This “Secure Temp Folder” is an important artifact in forensic investigations, as it can reveal previously Why Does This Matter for Forensics Before Outlook 2007, Forensic investigators could often recover multiple versions of the same file if artifacts like: $Logfile USNJournal Volume Shadow Copies Using forensic tools, investigators can often For forensic analysts, this folder remains a hidden goldmine of information that can provide crucial

  • Moving Forward with Memory Analysis: From Volatility to MemProcFS : Part 2

    -2-0 Important: Enabling YARA scanning will delay the availability of forensic results. output: Primary results: M:\forensic\csv\findevil.csv Detailed YARA output: M:\forensic\csv\yara.csv When deeper analysis is required, memory forensics truly shines—allowing you to investigate far beyond Handling False Positives Like a Pro Memory forensics is never simple. Files M:\forensic\files <Cached Files> M:\forensic\ntfs <MFT> Registry,

  • Moving Forward with Memory Analysis: From Volatility to MemProcFS Part 1

    detail in the article: “Step-by-Step Guide to Uncovering Threats with Volatility: A Beginner’s Memory Forensics Volatility is one of my favorite memory forensics tools. It’s an excellent memory forensics framework that approaches investigations in a more interactive and An additional useful option is -forensic. file: M:\forensic\forensic_enable.txt It’s important to note that findevil only works on Windows 10