forensics – How to detect crypto mining malware – Information Security Stack Exchange

forensics – Memory dump analysis

I have received a file called memory.dump (1GB) which is a dump file format that I’ve never come across.
I usually use volatility and in most cases it worked just fine for FDA, but in this case it doesn’t do anything; only the ‘No suitable address space mapping found’ message pops up.

Thanks for any advice.
And I’m very grateful for your time.

forensics – Windows Event Viewer: can’t find user-started programs

You have to enable process auditing in your Windows instance; you can use Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc).

You should configure Security Settings –> Audit Policy –> Audit Process Tracking or use Advanced Audit Policy Configuration –> System Audit Policy –> Detailed Tracking.

After enabling process auditing, Windows will register the following events in the Security log:

4688 – A new process has been created.
4689 – A process has exited.

This is an example of an event (process creation):

A new process has been created.
Subject:
            Security ID:                  S-1-5-21-1388294503-2733603710-2753204785-1000
            Account Name:                 Administrator
            Account Domain:               HACKEM
            Logon ID:                     000332DD

Process Information:
            New Process ID:               0000254C
            New Process Name:             C:\Program Files (x86)\Jitsi\Jitsi.exe
            Token Elevation Type:         TokenElevationTypeLimited (3)
            Creator Process ID:           00001010
            Process Command Line:

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

A screenshot of the event log is included: [Screenshot: 4688 Event Log - A new process has been created]
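To make the 4688 message body usable in a detection pipeline, here is an added Python example (not from the answer above or from Microsoft) that parses the fields shown in the sample event, converts the hexadecimal PIDs to the decimal values tools such as Task Manager or an EDR report, and decodes the Token Elevation Type into the three meanings the answer lists; the second sample event, with its Type 2 token and logged command line, is constructed for the example.

```python
import re
# Token Elevation Type values and their meaning, as described in the answer.
TOKEN_ELEVATION = {
    1: "full token (UAC off, built-in Administrator or service account)",
    2: "elevated token (Run as administrator, or app requires admin rights)",
    3: "limited token (UAC filtered: admin privileges and groups removed)",
}
# One "Key:   value" line of the message body; keys never contain a colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$", re.MULTILINE)

# Sample 1 is the (abbreviated) event from the answer; sample 2 is constructed
# with a Type 2 token and a logged command line so that both branches run.
SAMPLE_EVENTS = [r"""A new process has been created.
            Account Name:                 Administrator
            Account Domain:               HACKEM
Process Information:
            New Process ID:               0000254C
            New Process Name:             C:\Program Files (x86)\Jitsi\Jitsi.exe
            Token Elevation Type:         TokenElevationTypeLimited (3)
            Creator Process ID:           00001010
            Process Command Line:
""", r"""A new process has been created.
            Account Name:                 Administrator
            Account Domain:               HACKEM
            New Process ID:               00000A1C
            New Process Name:             C:\Windows\System32\cmd.exe
            Token Elevation Type:         TokenElevationTypeFull (2)
            Creator Process ID:           00000678
            Process Command Line:         "C:\Windows\System32\cmd.exe" /k whoami
"""]

def parse_4688(message):
    """Flatten a 4688 message into a dict; PIDs are hex ("0000254C" or "0x254c")."""
    fields = {k.strip(): v for k, v in FIELD_RE.findall(message)}
    m = re.search(r"\((\d)\)", fields.get("Token Elevation Type", ""))
    level = int(m.group(1)) if m else None
    return {
        "account": f"{fields.get('Account Domain', '')}\\{fields.get('Account Name', '')}",
        "new_pid": int(fields["New Process ID"], 16),        # 0000254C -> 9548
        "creator_pid": int(fields["Creator Process ID"], 16),
        "image": fields.get("New Process Name", ""),
        # Empty unless "Include command line in process creation events" is enabled.
        "command_line": fields.get("Process Command Line", ""),
        "elevation": level,
        "elevation_desc": TOKEN_ELEVATION.get(level, "unknown"),
    }

def elevated_starts(messages):
    # Events whose new process received a Type 2 (elevated) token.
    return [e for e in map(parse_4688, messages) if e["elevation"] == 2]
```

Correlating `creator_pid` with the `new_pid` of earlier 4688 events rebuilds the process tree, which is usually the quickest way to tell a user-started program from one launched by a service.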

Memory Forensics on exited process

I am new to memory forensics. When a process in Windows is ended, are all artifacts for the process in memory gone? I ask because my EDR solution gives me the local process ID of a process I am trying to look at. I obtain a full memory and kernel image minutes after the detection, and I am unable to find the local process ID that my EDR reported.

forensics – File based background data eraser

I am making a series of Python scripts for data overwriting. My current prototype creates a series of large files and simply fills the memory (using a different system for additional overwrites). Is there an advantage, in terms of protecting against advanced cyber-forensics, to overwriting the entire USB drive after removing all files rather than doing this?

This simple project will be exclusively for USB overwriting so keeping the system running is irrelevant.

By “background data” I mean data that is not currently occupied by another file.

forensics – Veracrypt SSD encryption security analysis vs HDD

I have an SSD and wanted to use Veracrypt for plausible deniability and protection against any and all levels of attack, e.g. state sponsored or non-sponsored. My goal was to use a VM and place it in the hidden VC container. After further research it seems using VC on an SSD won’t “ensure” the level of security I desire, for several reasons.

As you know, Veracrypt recommends not using an SSD due to wear leveling (https://www.veracrypt.fr/en/Wear-Leveling.html) and the Trim operation (https://www.veracrypt.fr/en/Trim%20Operation.html). Even though Trim can be disabled, the wear leveling is compromising enough.

I was considering replacing it with an HDD. But after reading the “Comparing SSD Forensics with HDD Forensics” analysis paper from 2020 ( https://repository.stcloudstate.edu/cgi/viewcontent.cgi?article=1140&context=msia_etds ), SSDs are superior in thwarting forensic efforts for several reasons. The Trim function and self-corrosion properties of the SSD play a large role in the prevention of data recovery. (Pg 101/102, Conclusion) “From the results obtained, this study concludes that data deleted on Hard Disk Drives can completely be retrieved, and data deleted on Solid-State Drives cannot be completely retrieved using Autopsy forensic tool, whereas sometimes it can be retrieved using ProDiscover Basic forensic tool”.

I’m conflicted. How does one interpret these facts from an op-sec point of view? On one hand SSDs are vulnerable when encrypted due to wear leveling, yet it is difficult to retrieve data from them with data recovery tools. HDDs offer the better security when encrypted, but are vulnerable to data recovery tools. If encryption is compromised, so is your data. Based on this information, what are your thoughts? Does it still depend on the threat model?

forensics – Preserving crime evidence from a website I do not own

Is there a standard procedure when it comes to preserving evidence of a crime committed on a website of a third party?

Let’s assume that a crime was committed on a website I visit, like defamation. Other than using the Wayback Machine or browser plugins to save the page in case either the website owner or the perpetrator removes the evidence, is there a better way?

My goal is to be able to prove to the authorities that a crime was committed so that they start an investigation. For not-so-serious crimes, unless it’s very easy to prosecute – e.g. the evidence is still accessible without the need for a warrant – the police might not even bother.

forensics – problem in OSquery result

I’m trying to query all group memberships for a specific user in OSquery, but as a result I just get one group, and not all groups are shown.
For example, I create a user named “test” who is a member of “administrators” and “users”, and then I query “select * from users where username like ‘test’;” and see one gid (for example 514).
The question is, why can’t I see two gids?

Can anybody help?
Thanks
