Posts tagged "DFIR":
In this blog post, you'll learn about a dockerized setup of
and its usage for offline and online analyses. I'll demonstrate its
usage and value by creating a Snort rule to detect the loader dubbed
A hard drive is a relatively fragile data store: once the first
indicators of a drive failure show up, the drive might die at any moment.
This blog post therefore discusses the gradual acquisition of evidence
from a failing drive by combining the open
partclone. To spare the
mechanics of the drive and acquire the most critical data first,
partclone is used to create a so-called domain file that records which
blocks of the file system are actually in use, so that those blocks can
be read before anything else.
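As an added example (not code from the original post), the two-pass acquisition sketched above as bash functions: partclone exports the used-block list as a domain mapfile, ddrescue reads only that domain first and sweeps the remaining blocks afterwards. It assumes GNU ddrescue and the `partclone.<fstype>` binary for the file system are installed and run as root; the device, image path and file-system type are placeholders, and the mapfile written by `write_sample_domain` is a constructed sample used only to exercise the size calculation offline.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Gradual acquisition of a
# failing drive: pass 1 reads only the blocks the file system uses (the
# "domain" exported by partclone), pass 2 picks up the rest if the drive
# survives. Device names and paths are placeholders.
set -u

# Write a small constructed domain mapfile (ddrescue mapfile format, as
# exported by partclone -D) so the helpers below can be tried offline.
write_sample_domain() {
    cat > "$1" <<'EOF'
# Domain logfile. Constructed sample, not from a real drive.
# current_pos  current_status
0x00000000     ?
#      pos        size  status
0x00000000  0x00008000  +
0x00008000  0x00FF8000  -
0x01000000  0x00100000  +
0x01100000  0x00F00000  -
0x02000000  0x00010000  +
EOF
}

# Print "<bytes> <extents>": how much pass 1 will read and in how many
# separate extents (each one is a head seek). Only '+' (finished) entries
# belong to the domain; comments and the current-position line are skipped.
domain_summary() {
    local pos size status total=0 n=0
    while read -r pos size status _; do
        case "$pos" in ''|'#'*) continue ;; esac
        [ "$status" = "+" ] || continue
        total=$((total + size))
        n=$((n + 1))
    done < "$1"
    printf '%d %d\n' "$total" "$n"
}

# Two-pass acquisition. DEV is the failing partition (e.g. /dev/sdb1), IMG
# the output image, FSTYPE selects the partclone binary (ext4, ntfs, ...).
# The domain is relative to the partition start; when imaging a whole disk
# instead, partclone's --offset_domain would be needed.
acquire_gradual() {
    local dev="$1" img="$2" fstype="$3"
    local domain="$img.domain" map="$img.map"

    # partclone only walks file-system metadata here and writes the list of
    # allocated blocks in ddrescue mapfile format.
    "partclone.$fstype" -D -s "$dev" -o "$domain" || return 1
    echo "pass 1 will read $(domain_summary "$domain" | cut -d' ' -f1) bytes" >&2

    # Pass 1: direct I/O (-d), no scraping of bad areas (-n), restricted to
    # the domain (-m). The mapfile records what has been copied.
    ddrescue -d -n -m "$domain" "$dev" "$img" "$map" || return 1

    # Pass 2: same image and mapfile, whole device, a few retries. Only the
    # blocks not yet read are touched, so the critical data is already safe.
    ddrescue -d -r3 "$dev" "$img" "$map"
}
```

Run `acquire_gradual /dev/sdb1 /mnt/evidence/sdb1.img ext4` as root; the image, its mapfile and the domain file end up next to each other, and pass 2 can be interrupted and resumed at any time because ddrescue keeps its progress in the mapfile.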
Using AFF4-L containers is an efficient and forensically sound way of storing selectively imaged evidence. Two open source implementations exist for this task: c-aff4 and pyaff4. To image a directory with
Virtualization is everywhere nowadays, so when you analyze an
incident, you often come across virtual hard disks in the form of
sparsely allocated VMDKs, VDIs, QCOW2s, and the like. There are several
options to inspect the data in such virtual machine images:
guestmount is a helpful tool to perform a logical inspection of the
file system, and
qemu-nbd is a good choice to work on a raw block
device without having to convert a sparsely allocated virtual disk
into a raw image or rely on proprietary software.
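As an added example (not code from the original post), the qemu-nbd route as a set of bash functions: the image is attached read-only, its partitions are mounted without journal replay, and the device is released again. It assumes root, the nbd kernel module, qemu-nbd, partprobe and blkid; /dev/nbd0, the mount point and the image paths are placeholders. The image format is passed to qemu-nbd explicitly instead of being probed, since an evidence image is untrusted input and qemu itself warns that probing the format of a raw image is dangerous.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Expose a sparse virtual
# disk as a read-only block device with qemu-nbd and mount a partition for
# logical inspection without modifying the image. Paths are placeholders.
set -u

# Map an image suffix to the qemu format name so the format can be passed
# with -f instead of letting qemu probe an untrusted image.
image_format() {
    case "${1##*.}" in
        qcow2)      echo qcow2 ;;
        vmdk)       echo vmdk ;;
        vdi)        echo vdi ;;
        vhd)        echo vpc ;;   # qemu's name for the VirtualPC/Hyper-V VHD format
        vhdx)       echo vhdx ;;
        raw|img|dd) echo raw ;;
        *)          return 1 ;;
    esac
}

# Attach IMG read-only to the nbd device NBD (e.g. /dev/nbd0). max_part makes
# the kernel create partition nodes such as /dev/nbd0p1.
attach_vdisk() {
    local img="$1" nbd="$2" fmt
    [ -r "$img" ] || { echo "cannot read image: $img" >&2; return 2; }
    fmt=$(image_format "$img") || { echo "unknown image format: $img" >&2; return 3; }
    modprobe nbd max_part=16
    qemu-nbd --read-only -f "$fmt" --connect="$nbd" "$img" || return 1
    partprobe "$nbd"
    fdisk -l "$nbd"          # show the partition table to pick a partition
}

# Mount partition PART of NBD read-only at MNT. With a read-only device the
# kernel cannot replay a dirty journal, so ext3/ext4 need noload and XFS
# needs norecovery; both also keep the evidence untouched.
mount_partition_ro() {
    local nbd="$1" part="$2" mnt="$3" dev fstype
    dev="${nbd}p${part}"
    fstype=$(blkid -o value -s TYPE "$dev") || return 1
    mkdir -p "$mnt"
    case "$fstype" in
        ext3|ext4) mount -o ro,noload     "$dev" "$mnt" ;;
        xfs)       mount -o ro,norecovery "$dev" "$mnt" ;;
        *)         mount -o ro            "$dev" "$mnt" ;;
    esac
}

# Release the device again (unmount the partitions first).
detach_vdisk() {
    qemu-nbd --disconnect "$1"
}
```

Typical use as root: `attach_vdisk evidence.qcow2 /dev/nbd0`, then `mount_partition_ro /dev/nbd0 1 /mnt/evidence`, and `umount /mnt/evidence; detach_vdisk /dev/nbd0` when done. Because the nbd device is read-only, tools such as The Sleuth Kit can also be pointed directly at /dev/nbd0 without ever converting the sparse image to a raw file.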
If you need to acquire the memory of a process running on a Linux
system, you can use
gcore 1 to create a core file or,
alternatively, retrieve its memory areas from
use GDB 2 itself to dump the content into a file. For a
convenient way to do this, refer to a basic shell script hosted as a
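As an added example (not the script referenced in the post), the GDB-based approach as bash functions: the readable regions are taken from /proc/PID/maps, turned into one `dump memory` command each, and executed in a single GDB batch run; gcore is shown as the one-shot alternative. It assumes gdb (and gcore) are installed and that the caller may ptrace the target; the maps content written by `write_sample_maps` is a constructed sample so the parsing can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Dump the readable memory
# regions of a running Linux process with GDB, one file per mapping, using
# /proc/PID/maps as the region list. Paths are placeholders.
set -u

# Constructed /proc/PID/maps sample (not captured from a real process).
write_sample_maps() {
    cat > "$1" <<'EOF'
55d0c4a00000-55d0c4a01000 r--p 00000000 08:01 1234 /usr/bin/sleep
55d0c4a01000-55d0c4a05000 r-xp 00001000 08:01 1234 /usr/bin/sleep
55d0c6100000-55d0c6121000 rw-p 00000000 00:00 0 [heap]
7f3c2a000000-7f3c2a021000 rw-p 00000000 00:00 0
7ffd1a7e6000-7ffd1a807000 rw-p 00000000 00:00 0 [stack]
7ffd1a8a2000-7ffd1a8a6000 r--p 00000000 00:00 0 [vvar]
7ffd1a8a6000-7ffd1a8a8000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
EOF
}

# Print "start end size path" for each readable mapping. [vvar] and
# [vsyscall] are skipped: they are kernel-provided pages, not process data,
# and reading [vvar] through ptrace fails. Anonymous mappings get "[anon]".
readable_regions() {
    local range perms offset dev inode path start end
    while read -r range perms offset dev inode path; do
        case "$perms" in r*) ;; *) continue ;; esac
        case "$path" in '[vvar]'|'[vsyscall]') continue ;; esac
        start="0x${range%-*}"
        end="0x${range#*-}"
        printf '%s %s %d %s\n' "$start" "$end" $((end - start)) "${path:-[anon]}"
    done < "$1"
}

# Turn the region list into a GDB command script: one "dump memory" per
# region, with the file named after the address range so each dump can be
# matched back to the maps file.
gdb_dump_commands() {
    local maps="$1" outdir="$2" start end size path
    readable_regions "$maps" | while read -r start end size path; do
        printf 'dump memory %s/%s-%s.bin %s %s\n' \
            "$outdir" "${start#0x}" "${end#0x}" "$start" "$end"
    done
}

# Attach once, dump every region, detach. Needs permission to ptrace PID
# (root, CAP_SYS_PTRACE, or the same user with kernel.yama.ptrace_scope=0).
# The maps snapshot is kept next to the dumps so addresses stay interpretable.
dump_process_memory() {
    local pid="$1" outdir="$2"
    mkdir -p "$outdir"
    cp "/proc/$pid/maps" "$outdir/maps"
    gdb_dump_commands "$outdir/maps" "$outdir" > "$outdir/gdb-commands"
    gdb --batch -p "$pid" -x "$outdir/gdb-commands"
}

# Alternative: a single ELF core file via gcore, written as OUTDIR/core.PID.
dump_process_core() {
    local pid="$1" outdir="$2"
    mkdir -p "$outdir"
    gcore -o "$outdir/core" "$pid"
}
```

`dump_process_memory 4242 /mnt/evidence/pid4242` yields one .bin per mapping plus the maps snapshot, which is handy for running strings or YARA over just the heap or the stack; `dump_process_core` gives the single core file that tools expecting ELF cores (GDB itself, or Volatility-style analysis of a core) can consume. The target is stopped while GDB is attached, so keep the dump step short on production systems.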