Is there a way to spot the method which an attacker used to do all of the necessary credential dumping, or stealing/forging tickets/using pass-the-hash/ticket techniques, if we don’t have access to the DC security log files, but only from the end users log files?
For forensics purposes, I am looking to find suspicious scripts or patterns that could give me clues to find crypto-mining malware on a Linux server.
I have a copy of suspicious data but it is not possible to run the virtual machine in the lab.
P.S. I scanned all files with ClamAV; there was no helpful result.
I have received a file called memory.dump (1GB) which is a dump file format that I’ve never come across.
I usually use Volatility and in most cases it worked just fine for FDA, but in this case it just doesn’t do anything and only this ‘No suitable address space mapping found’ message pops up.
Thanks for any advice.
And I’m very grateful for your time.
You have to enable process auditing in your Windows instance; you can use Group Policy Editor (gpedit.msc) or Local Security Policy (
You should configure Security Settings –> Audit Policy –> Audit Process Tracking, or use Advanced Audit Policy Configuration –> System Audit Policy –> Detailed Tracking.
After enabling process auditing, Windows will register the following events in the Security log:
4688 – A new process has been created.
4689 – A process has exited.
This is an example of an event (process creation):
A new process has been created.
Subject:
Security ID: S-1-5-21-1388294503-2733603710-2753204785-1000
Account Name: Administrator
Account Domain: HACKEM
Logon ID: 000332DD
Process Information:
New Process ID: 0000254C
New Process Name: C:\Program Files (x86)\Jitsi\Jitsi.exe
Token Elevation Type: TokenElevationTypeLimited (3)
Creator Process ID: 00001010
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
A screenshot of the event log is included:
I am new to memory forensics. When a process in Windows is ended, are all artifacts for the process in memory gone? I ask because my EDR solution gives me the local process ID of a process I am trying to look at. I obtain a full memory and kernel image minutes after the detection and I am unable to find the local process ID that my EDR reported.
I am making a series of python scripts for data overwriting. My current prototype creates a series of large files and simply fills the memory (using a different system for additional overwrites). Is there an advantage to overwriting the entire USB after removing all files rather than doing this in terms of protecting against advanced cyber-forensics?
This simple project will be exclusively for USB overwriting so keeping the system running is irrelevant.
By “background data” I mean data that is not currently occupied by another file.
I have an SSD and wanted to use VeraCrypt for plausible deniability and protection against any and all levels of attack, e.g. state sponsored and non-sponsored. My goal was to use a VM and place it in the hidden VC container. After further research it seems using VC on an SSD won’t “ensure” the level of security I desire for several reasons.
As you know, VeraCrypt recommends not using an SSD due to wear leveling (https://www.veracrypt.fr/en/Wear-Leveling.html) and the Trim operation (https://www.veracrypt.fr/en/Trim%20Operation.html). Even though Trim can be disabled, the wear leveling is compromising enough.
I was considering replacing it with an HDD. But after reading the “Comparing SSD Forensics with HDD Forensics” analysis paper from 2020 ( https://repository.stcloudstate.edu/cgi/viewcontent.cgi?article=1140&context=msia_etds ), SSDs are superior in thwarting forensic efforts for several reasons. The Trim function and self-corrosion properties of the SSD play a large role in the prevention of data recovery. (Pg 101/102, Conclusion) “From the results obtained, this study concludes that data deleted on Hard Disk Drives can completely be retrieved, and data deleted on Solid-State Drives cannot be completely retrieved using Autopsy forensic tool, whereas sometimes it can be retrieved using ProDiscover Basic forensic tool”.
I’m conflicted. How does one interpret these facts from an op-sec point of view? On one hand, SSDs are vulnerable when encrypted due to wear leveling, yet it is difficult to retrieve data from them with data recovery tools. HDDs offer the better security when encrypted, but are vulnerable to data recovery tools. If encryption is compromised, so is your data. Based on this information, what are your thoughts? Does it still depend on the threat model?
I’m running a forensic artifact analysis on a MacBook Pro, running Big Sur, but the .fseventsd folder is not present on one of the 3 user accounts/folders available on the machine, even among hidden folders/files. How would the user disable the generation of this file and is there any way to re-enable it?
Is there a standard procedure when it comes to preserving evidence of a crime committed on a website of a third party?
Let’s assume that a crime was committed on a website I visit, like defamation. Other than using the Wayback Machine or browser plugins to save the page in case either the website owner or the perpetrator removes the evidence, is there a better way?
My goal is to be able to prove to the authorities that a crime was committed so that they start an investigation. For not-so-serious crimes unless it’s very easy to prosecute – e.g. the evidence is still accessible without the need for a warrant – the police might not even bother.
I’m trying to query all group memberships for a specific user in osquery, but as a result I just get one group and all the groups do not show.
For example, I create a user named “test” who is a member of “administrators” and “users”, and then I query “select * from users where username like ‘test’;” and see one gid (for example 514).
The question is, why can I not see two gids?