Questions tagged [forensics]
Computer forensics works to analyze information on computer systems in an attempt to find evidence regarding certain actions of a process, application, user or computer to determine the source of change within a host, network or device.
527 questions
1 vote, 0 answers, 135 views
Process injection behaviour: DWM executing CreateRemoteThread in Csrss.exe
To expand on the title, I noticed my system was regularly running CreateRemoteThread commands at random intervals after system bootup (between 0 and 5 minutes). My OS version is Windows 11 Pro 24H2. ...
8 votes, 1 answer, 2k views
iPhone X forensics
As part of a wargame, I have been given an unlocked iPhone X. I am required to find a hidden video/audio file somewhere within the device.
What would be recommended to make a forensic image of this ...
2 votes, 0 answers, 370 views
How to capture fully decrypted HTTPS traffic in a transparent proxy setup without TLS key logs?
I am currently working on a home "forensic" lab and I have set up an OPNsense-based transparent proxy (squid) to intercept and analyze HTTPS traffic coming from a Windows 11 client. I can ...
2 votes, 0 answers, 179 views
How long does SSD garbage collection take? [closed]
Let's say I have an SSD on a Windows machine that supports TRIM. After I delete a file / some files on it, assume the TRIM command is sent, and those pages are marked as invalid. At some point, the ...
1 vote, 0 answers, 167 views
Are there any known BIOS that clear a TPM on disabling secure boot?
I noticed that when the Secure Boot option is disabled on a BitLocker-enabled Windows laptop with TPM, in order to boot into a forensic live OS like Kali in Forensic Mode or Parrot OS, the TPM is ...
1 vote, 0 answers, 70 views
Is booting into the Windows (advanced) startup menu without a write-blocker forensically safe?
I wonder if entering the Windows (advanced) startup menu changes or logs anything on the disk itself. Where exactly does this happen in the boot sequence? If, for example, a laptop were to be ...
0 votes, 0 answers, 117 views
Analysing Advanced Malware
Some malware today uses anti-analysis features such as:
Detecting virtualisation (adapter names, UTC time difference between real time and in VM, ...)
Check if Internet is available
...
Also a lot of ...
0 votes, 1 answer, 106 views
Linux / Fedora Memory Capture and Analysis Guide Needed
I'm using the following commands to capture 2 memory dumps, one for BIOS only and the other for the first MB of memory, on an old laptop that uses a Phoenix legacy, non-UEFI BIOS and runs Fedora.
sudo ...
2 votes, 1 answer, 341 views
Is Error Level Analysis (ELA) in image forensics a reliable indicator for detecting digital modifications?
I'm reading about Error Level Analysis (ELA) in image forensics as a means to detect whether modifications were made to a photo. ELA is nicely described here: https://fotoforensics.com/tutorial.php?tt=ela. ...
1 vote, 0 answers, 73 views
Can Benford's law be used for the purpose of detecting deviations in file metadata dates?
Consider metadata such as creation and modification datetimes of files in terms of computer forensics. If tampering with such metadata date information is expected, can Benford's law be used to ...
1 vote, 0 answers, 59 views
Real IP address of the sender [duplicate]
I have a question about the sender IP address that is written in email headers.
If we know that this IP is not correct and valid (meaning the email was sent using a VPN),
is there any method to find out ...
18 votes, 2 answers, 5k views
How can you trust a forensic scientist to have maintained the chain of custody?
I have been reading about the chain of custody in cybersecurity-related forensics, and I wonder how you can be so sure the forensic scientist did their job right and is not a malicious actor.
I ...
0 votes, 1 answer, 118 views
Are there better methods of sustaining forensic integrity apart from disk hashing?
As far as I've heard, hashing a disk image before computer forensics is started, and then comparing that hash to a new hash after the forensics is finished is the most common way to make sure that ...
1 vote, 0 answers, 83 views
forensics on memfd_create
I'm doing an IR on a Linux machine. The attacker has a trojan executed in memory; the file content is backed by a memfd_create-based fd.
My questions:
How can I extract the contents from memfd?
When a ...
0 votes, 0 answers, 144 views
How do I start inspecting, in a basic way, what a socket is or was doing?
Exploring a plist related to a flash pop-up when booting, I found these folders:
launchctl print gui/$(id -u)/com.apple.sharingd
...
path = /System/Library/LaunchAgents/com.apple.sharingd.plist
...