
Daily Blog #9: Milestones 5 and 6 detailed

Hello Reader,
It's day 9 of the Zeltser blog challenge and day 2 of vacation. As I write this I'm looking at the waves roll into the sand, so you'll excuse me if I'm brief; the surf is calling (as are my kids).

In today's post we resume explaining the milestones of progression of the digital forensic examiner. We've covered up to milestone 4 in prior posts and we are now approaching a level of maturity in your progression as we explain milestones 5 and 6.

Milestone 5 - You become less about the tool and more about the artifact.

The more experienced an examiner you become, the less dependent on your tools you become. As you get thrown into more time-sensitive situations, you begin to carry a thumb drive of one-off tools that quickly triage artifacts to help you identify facts, actors and threats without the need for the dongle. In some cases you can find and interpret the artifact without a tool at all! That isn't to say that you won't keep your dongle-protected tool suite; you will just use it when you need the convenience and additional functionality it provides.

You have come to understand that the underlying magic that you first experienced in milestone 1 was always contained within the artifact and not the tool itself, and the tool was just interpreting the data for you. The most important part of this milestone is how efficient you can become now. Once an investigation is requested you can ascertain which artifacts will contain data that responds to your inquiry, allowing you to get back results faster and with less random keyword searching.

Milestone 6 - You understand what's normal and what's missing for multiple versions of the same operating system.

This milestone may be one of the harder ones to achieve, given how many variants are in production and how much what normal means depends on your environment. However, understanding what's normal in your environment will help you quickly zero in on what was left behind for you to find. Knowing what's normal includes:
  • Which services should be running.
  • Where those services should be running from.
  • What user the service should be running as.
  • What log errors are normal.
  • What logging is turned on by default.
  • Which artifacts get created by default.
  • What gets created when a user logs in via different methods.
  • Where data created through user activity will exist by default.
  • Where application artifacts and system logs/registries are located by default.
  • What applications are installed by default in your environment.

The benefits are many, but include:
  • The ability to create your own custom white-list of hashes so you can focus only on the data created by your user.
  • The ability to spot what artifacts the user deleted when trying to cover their tracks.
  • Being able to quickly spot malicious processes trying to hide in plain sight.
  • Being able to quickly spot out-of-place directories or logs, showing the user has a high degree of sophistication and you should no longer trust the system defaults.
  • The ability to quickly bring out the relevant data from the prior list that you have committed to memory.
  • The ability to find anomalous logins and accesses to a system.
  • The ability to correctly estimate what data you should expect to exist before you begin your investigation so you can manage the expectations of those requesting work from you.
  • The ability to quickly identify user-installed applications that need to be researched before being examined.
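
As an added example (not code from the original post), here is one way to put the first three "what's normal" items to work: record each service's name, image path and account as a baseline, then diff a system under examination against it to surface what is new, changed or missing. The service names, paths and accounts below are constructed sample data.

```python
from typing import NamedTuple

class Service(NamedTuple):
    name: str
    image_path: str
    account: str

def _index(services):
    # Windows service names and paths are case-insensitive, so normalise keys.
    return {s.name.lower(): s for s in services}

def compare_to_baseline(baseline, observed):
    """Return a sorted list of (service, finding) deviations from the baseline."""
    base, seen = _index(baseline), _index(observed)
    findings = []
    for key, want in base.items():
        got = seen.get(key)
        if got is None:
            # "What's missing": expected by default but absent on this system.
            findings.append((want.name, "missing: in baseline, not on system"))
            continue
        if got.image_path.lower() != want.image_path.lower():
            findings.append((got.name, f"path changed: {got.image_path}"))
        if got.account.lower() != want.account.lower():
            findings.append((got.name, f"account changed: {got.account}"))
    for key, got in seen.items():
        if key not in base:
            findings.append((got.name, f"not in baseline: {got.image_path}"))
    return sorted(findings)

# Constructed sample data, not taken from a real system.
BASELINE = [
    Service("Dnscache", r"C:\Windows\System32\svchost.exe", "NetworkService"),
    Service("EventLog", r"C:\Windows\System32\svchost.exe", "LocalService"),
    Service("Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
]
OBSERVED = [
    Service("Dnscache", r"C:\Windows\System32\svchost.exe", "NetworkService"),
    Service("Spooler", r"C:\Users\Public\spoolsv.exe", "LocalSystem"),
    Service("WinUpdateHelper", r"C:\ProgramData\wuh.exe", "LocalSystem"),
]

if __name__ == "__main__":
    for name, finding in compare_to_baseline(BASELINE, OBSERVED):
        print(f"{name}: {finding}")
```
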
This is an important milestone and the mark of a senior examiner, but you still have so much more to learn! Tomorrow we will continue the milestone series while I think up what this week's Sunday Funday will be!
