A set of Digital Forensics lessons for beginners (Eng)



https://t.me/w2hack

Intro

We recently published a similar series of lessons on Metasploit for beginners. Now it is the turn of an analogous session on digital forensics (the art of investigating cybercrime). By the way, there is one more useful item on this topic: a collection of resources for self-study, also published a little earlier in our channel.

And today we present a series of 16 lessons in English on the basics of forensics, using tools mostly from the standard Kali Linux set. Although, to be honest, having read all of it, I would not say the material is aimed exclusively at beginners, but as the saying goes, "you can't throw words out of a song". Among other things, some material on malware analysis and reverse engineering crept in here, and even a setup for working with a Splunk-based SIEM! Well, damn!:) But topics such as the Windows registry, recovering deleted files, EXIF and memory dumping are covered quite well. The basics of packet searching in Wireshark are also explained decently. All in all, everyone will find something of their own here:)

Digital Forensics for the Aspiring Hacker, Part 1 (Tools & Techniques)

The best way to evade detection is to understand what the other side is doing and using. So, this series will focus on the tools and techniques that law enforcement and security engineers use to detect and prosecute hackers around the world.

Digital Forensics for the Aspiring Hacker, Part 2 (Network Forensics)

This is the second installment in that series and will focus on network forensics: in other words, what a network forensic investigator can learn about the attacker during an investigation, and how.

Digital Forensics for the Aspiring Hacker, Part 3 (Recovering Deleted Files)

In this installment of that series, we will look at recovering deleted files. This is important to hackers because you need to know that even when you delete files on your computer or on the victim's computer, a forensic investigator can usually recover them: a normal delete only removes the file-system entry that points at the data, and the data blocks themselves stay on disk until something else overwrites them.
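The technique behind that recovery is file carving: ignore the file system entirely and scan the raw bytes for the header and footer of a known file type. The following is an added example, not code from the tutorial; it carves JPEGs by their SOI/EOI markers, the same idea foremost and scalpel implement, and the "disk image" it runs over is constructed in code.

```python
"""Carve JPEG files out of a raw disk image by scanning for their start
(SOI, FF D8 FF) and end (EOI, FF D9) markers, the way foremost/scalpel do
when no file-system metadata survives. Added example, not from the tutorial;
the "disk image" below is built in code."""

JPEG_SOI = b"\xff\xd8\xff"   # start of image (FF D8) plus the FF of the first marker
JPEG_EOI = b"\xff\xd9"       # end of image


def carve_jpegs(image: bytes, max_size: int = 8 * 1024 * 1024) -> list:
    """Return a list of (offset, data) for every JPEG found by header/footer
    scanning. Simplification: a file ends at the first EOI after its SOI, so a
    JPEG with an embedded EXIF thumbnail (which has its own SOI/EOI) would be
    cut short; real carvers parse the marker segments to avoid that."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:                  # no footer within max_size: skip this header
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def build_sample_image() -> bytes:
    """Constructed 4 KiB "disk image": filler that contains no JPEG marker, with
    two fake JPEGs written at sector boundaries and no directory entry pointing
    at them, i.e. the state after a delete."""
    sector = 512
    filler = bytes(range(256)) * 2           # FF is always followed by 00, never D8/D9
    jpeg1 = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 100 + JPEG_EOI
    jpeg2 = JPEG_SOI + b"\xe1\x00\x20Exif\x00\x00" + b"B" * 300 + JPEG_EOI
    img = bytearray(filler * 8)
    img[2 * sector:2 * sector + len(jpeg1)] = jpeg1
    img[5 * sector:5 * sector + len(jpeg2)] = jpeg2
    return bytes(img)


if __name__ == "__main__":
    for offset, data in carve_jpegs(build_sample_image()):
        print(f"JPEG at offset {offset} (sector {offset // 512}), {len(data)} bytes")
```

On a real image you would read the device or `dd` output in chunks rather than into memory, and carve several types at once (PDF `%PDF`/`%%EOF`, ZIP `PK\x03\x04`, and so on); the scanning logic stays the same.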

Digital Forensics for the Aspiring Hacker, Part 4 (Evading Detection While DoSing)

In this tutorial, I will try to answer the question of whether an attacker can DoS a target without being detected, by running an attack against a vulnerable system with a Network Intrusion Detection System (NIDS) in place, monitoring for malicious traffic, i.e. you.

Digital Forensics for the Aspiring Hacker, Part 5 (Windows Registry Forensics)

In this post, I want to help you to understand how the Windows registry works and what evidence it leaves behind when someone uses the system for good or ill.

Digital Forensics for the Aspiring Hacker, Part 6 (Using IDA Pro)

No tool embodies the complementary relationship between malware forensics and reverse engineering better than IDA Pro. It is an excellent tool for malware forensics and an excellent tool for malware re-engineering.

IDA Pro is designed to disassemble and debug software, which is critical for reverse engineering malware and doing malware forensics. These are some of the most valuable and most sought-after skills in the digital forensic industry. Becoming familiar with IDA Pro and other reverse-engineering tools is a prerequisite to working in this industry.

Digital Forensics for the Aspiring Hacker, Part 7 (Windows Sysinternals)

Windows Sysinternals is particularly useful when we suspect a system has been hacked and we are trying to understand what processes the malware is using and how it is operating.

Digital Forensics for the Aspiring Hacker, Part 8 (More Windows Registry Forensics)

In this tutorial, we will look at several registry entries that will reveal what the attacker was doing on the suspect system. At the time of writing, Windows 7 was still by far the world's most widely used OS, so I will demonstrate these techniques on a Windows 7 machine.
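One registry location of exactly this kind is the UserAssist key, where Explorer keeps a per-program run count and last-run time, with the value names obfuscated by ROT13. The following is an added example, not code from the tutorial; the 72-byte Windows 7 value layout and the known-folder GUID expansions are assumptions stated in the comments, and the values it decodes are constructed in code.

```python
"""Decode UserAssist values: the registry's own record of which programs a
user launched from Explorer, how often and when last. Added example, not from
the tutorial. Assumed layout (Windows 7 format, 72-byte values): value names
are ROT13, run count at offset 4, focus count at 8, focus time in ms at 12,
last-run FILETIME at 60. Input is a {value name: raw bytes} mapping, as a hive
parser or a `reg` export would give you."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

USERASSIST_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
# subkey GUIDs: programs run directly vs. started through shortcuts (.lnk)
GUID_EXE = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
GUID_LNK = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"
# KNOWNFOLDERID prefixes that appear in decoded names; paths assume a default install
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_name(rot13_name: str) -> str:
    """ROT13 the value name and expand a leading known-folder GUID."""
    name = codecs.decode(rot13_name, "rot13")
    for guid, path in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return path + name[len(guid):]
    return name


def decode_value(rot13_name: str, data: bytes) -> dict:
    if len(data) != 72:
        raise ValueError("expected a 72-byte Windows 7 UserAssist value, got %d" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {"program": decode_name(rot13_name), "run_count": run_count,
            "focus_count": focus_count, "focus_seconds": focus_ms / 1000,
            "last_run": filetime_to_dt(last_run) if last_run else None}


def decode_all(values: dict) -> list:
    """Decode every value, most recently run first; never-run entries last."""
    rows = [decode_value(n, d) for n, d in values.items()]
    rows.sort(key=lambda r: r["last_run"] or EPOCH_1601, reverse=True)
    return rows


def build_sample_values() -> dict:
    """Constructed GUID_EXE values: cmd.exe run 12 times, a tool run once from
    Downloads, and an entry that was never run (all-zero record)."""
    def record(run_count, focus_count, focus_ms, last_run):
        buf = bytearray(72)
        struct.pack_into("<III", buf, 4, run_count, focus_count, focus_ms)
        if last_run:
            ft = int((last_run - EPOCH_1601).total_seconds() * 10_000_000)
            struct.pack_into("<Q", buf, 60, ft)
        return bytes(buf)

    plain = {
        r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe":
            record(12, 9, 185_000, datetime(2016, 3, 1, 21, 15, tzinfo=timezone.utc)),
        r"C:\Users\bob\Downloads\evil.exe":
            record(1, 1, 4_000, datetime(2016, 3, 1, 21, 17, tzinfo=timezone.utc)),
        r"{6D809377-6AF0-444B-8957-A3773F02200E}\Internet Explorer\iexplore.exe":
            record(0, 0, 0, None),
    }
    return {codecs.encode(name, "rot13"): data for name, data in plain.items()}


if __name__ == "__main__":
    for row in decode_all(build_sample_values()):
        print(row["last_run"], row["run_count"], row["program"])
```

The ordering matters in practice: sorting by last run puts the attacker's tool next to the `cmd.exe` launches it followed, which is the timeline you then confirm against prefetch and event logs.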

Digital Forensics for the Aspiring Hacker, Part 9 (Finding Storage Device Artifacts in the Registry)

The occupation of digital forensic investigation is a rapidly growing one. Nearly every crime has a digital component these days. This might include things as innocuous as a text message, a Google search, or an email, and law enforcement and civil litigators need trained professionals to find the necessary information and preserve it in a forensically sound manner.

Digital Forensics for the Aspiring Hacker, Part 10 (Identifying Signatures of a Port Scan & DoS Attack)

Although Wireshark is largely used as a network analysis tool, it is also an excellent network forensics tool. If we can capture the packets with Wireshark while being attacked, or if we can work while the attack is in progress (such as in an Incident Response Team), we can learn a lot about the attack and the attacker.

Digital Forensics for the Aspiring Hacker, Part 11 (Using Splunk)

At its most basic level, Splunk is capable of gathering all of the data that systems generate and indexing it for searching. Originally developed for system administration, Splunk can also be a great tool for digital forensics.

We will be installing Splunk on a Windows system and using it to conduct digital forensics on it (Splunk is also available for Linux, but in most cases, you will be conducting forensic analyses on Windows systems).

Digital Forensics for the Aspiring Hacker, Part 12 (Windows Prefetch Files)

In earlier posts in this series, we examined registry files and what they can tell us about what the user was doing when their computer was seized. Windows has another type of file that can also reveal a treasure trove of information about the user before the machine was seized for examination: the prefetch files in C:\Windows\Prefetch, which Windows writes to speed up the loading of programs it has seen run before.
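What a prefetch file gives the investigator is the executable name, how many times it ran, when it last ran and which files it loaded at start-up. The following is an added example, not code from the tutorial: a parser for the uncompressed prefetch versions (XP, Vista/7, 8.1) whose field offsets are taken from the libscca format documentation and marked in the comments; the file it parses is constructed in code.

```python
"""Parse the investigator-relevant fields of a Windows prefetch file
(C:\\Windows\\Prefetch\\NAME-HASH.pf). Added example, not from the tutorial.
Offsets follow the libscca format documentation for the uncompressed versions
17 (XP), 23 (Vista/7) and 26 (8.1). Windows 10 files start with "MAM\\x04" and
are LZXPRESS-Huffman compressed; they are not handled here."""
import struct
from datetime import datetime, timedelta, timezone

FILE_INFO = 0x54   # the file-information block follows the 84-byte header
# offsets relative to FILE_INFO; n_times = number of stored run timestamps
LAYOUT = {
    17: {"last_run": 36, "n_times": 1, "run_count": 60},
    23: {"last_run": 44, "n_times": 1, "run_count": 68},
    26: {"last_run": 44, "n_times": 8, "run_count": 124},
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data: bytes) -> dict:
    if data[:3] == b"MAM":
        raise ValueError("compressed (Windows 10+) prefetch file: decompress first")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError("unsupported prefetch file: sig=%r version=%d" % (sig, version))
    lay = LAYOUT[version]
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16 field
    (pf_hash,) = struct.unpack_from("<I", data, 76)              # the HASH in NAME-HASH.pf
    strings_off, strings_size = struct.unpack_from("<II", data, FILE_INFO + 16)
    times = struct.unpack_from("<%dQ" % lay["n_times"], data, FILE_INFO + lay["last_run"])
    (run_count,) = struct.unpack_from("<I", data, FILE_INFO + lay["run_count"])
    blob = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    return {
        "version": version,
        "exe": exe,
        "hash": "%08X" % pf_hash,
        "run_count": run_count,
        "last_runs": [filetime_to_dt(t) for t in times if t],   # unused slots are zero
        "loaded_files": [s for s in blob.split("\x00") if s],   # NUL-separated UTF-16 paths
    }


def build_sample_prefetch() -> bytes:
    """Constructed Windows 7 (version 23) prefetch for a hypothetical EVIL.EXE,
    run 4 times, last on 2016-03-01 12:00:00 UTC; only the fields parsed
    above are filled in."""
    paths = [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
             r"\DEVICE\HARDDISKVOLUME1\USERS\BOB\DOWNLOADS\EVIL.EXE",
             r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WS2_32.DLL"]
    blob = "".join(p + "\x00" for p in paths).encode("utf-16-le")
    strings_off = FILE_INFO + 156          # directly after the 156-byte v23 file-info block
    buf = bytearray(strings_off + len(blob))
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))
    buf[16:76] = "EVIL.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, 0x1A2B3C4D)
    struct.pack_into("<II", buf, FILE_INFO + 16, strings_off, len(blob))
    last_run = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)
    ft = int((last_run - EPOCH_1601).total_seconds() * 10_000_000)
    struct.pack_into("<Q", buf, FILE_INFO + 44, ft)
    struct.pack_into("<I", buf, FILE_INFO + 68, 4)
    buf[strings_off:] = blob
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(build_sample_prefetch())
    print(info["exe"], info["hash"], info["run_count"], info["last_runs"])
    print("\n".join(info["loaded_files"]))
```

The loaded-file list is often the most useful part: it records the full volume path the program ran from (here the user's Downloads folder) and libraries such as WS2_32.DLL that tell you the program used the network, even after the executable itself has been deleted.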

Digital Forensics for the Aspiring Hacker, Part 13 (Browser Forensics)

In this tutorial, we will explore where the forensic investigator can find information about the suspect's activities in their web browser, and what that information is. It's important to note that this information will vary by operating system and browser. Here we will look briefly at Internet Explorer and go into a bit more depth on Mozilla's Firefox.
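For Firefox the history lives in places.sqlite inside the profile folder, so the examination is a SQL query. The following is an added example, not code from the tutorial; it creates a constructed database with the subset of the real moz_places/moz_historyvisits columns the query touches, and assumes Firefox's PRTime timestamps (microseconds since the Unix epoch, UTC). Internet Explorer's index.dat / WebCacheV01.dat is a different format and is not covered here.

```python
"""Build a browsing timeline with referrers from a Firefox places.sqlite.
Added example, not from the tutorial. The schema created in build_sample_db is
the subset of the real tables this query reads; timestamps are PRTime
(microseconds since the Unix epoch, UTC)."""
import sqlite3
from datetime import datetime, timezone

VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
               6: "redirect_temporary", 7: "download", 8: "framed_link", 9: "reload"}


def prtime_to_dt(us: int) -> datetime:
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def open_evidence(path: str) -> sqlite3.Connection:
    """Open a copied places.sqlite read-only and without touching a WAL or
    journal file, so the evidence copy is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def history(conn: sqlite3.Connection) -> list:
    """Every visit in time order, with the page it was reached from."""
    rows = conn.execute("""
        SELECT p.url, p.title, v.visit_date, v.visit_type, f.url
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits fv ON fv.id = v.from_visit
        LEFT JOIN moz_places f ON f.id = fv.place_id
        ORDER BY v.visit_date""").fetchall()
    return [{"when": prtime_to_dt(ts), "url": url, "title": title,
             "type": VISIT_TYPES.get(vt, str(vt)), "referrer": ref}
            for url, title, ts, vt, ref in rows]


def typed_urls(conn: sqlite3.Connection) -> list:
    """URLs the user typed into the address bar: stronger evidence of intent
    than a followed link."""
    return [u for (u,) in conn.execute(
        "SELECT url FROM moz_places WHERE typed = 1 ORDER BY last_visit_date")]


def build_sample_db() -> sqlite3.Connection:
    """Constructed profile: a typed search, a link followed from it, then a
    download from that page, 45 seconds after the search."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER DEFAULT 0, typed INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER DEFAULT 0,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);""")
    t0 = int(datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc).timestamp()) * 1_000_000
    places = [(1, "https://search.example/?q=password+cracker", "password cracker - search", 1, t0),
              (2, "http://203.0.113.7/tools/", "Tools", 0, t0 + 30_000_000),
              (3, "http://203.0.113.7/tools/cracker.zip", None, 0, t0 + 45_000_000)]
    # (id, from_visit, place_id, visit_date, visit_type)
    visits = [(1, 0, 1, t0, 2), (2, 1, 2, t0 + 30_000_000, 1), (3, 2, 3, t0 + 45_000_000, 7)]
    conn.executemany("INSERT INTO moz_places (id, url, title, typed, last_visit_date) "
                     "VALUES (?,?,?,?,?)", places)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", visits)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for entry in history(db):
        print(entry["when"], entry["type"], entry["url"], "<-", entry["referrer"])
```

The from_visit chain is what turns a list of URLs into a story: the search was typed, the tools page was reached from the search, and the zip was downloaded from the tools page. Always work on a copy of the profile opened as above; Firefox holds the live file open and may have unflushed WAL data.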

Digital Forensics for the Aspiring Hacker, Part 14 (Live Memory Forensics)

In some cases, the forensic investigator will need to grab an image of the live memory. Remember, RAM is volatile and once the system is turned off, any information in RAM will be lost. This information may include passwords, running processes, open sockets, clipboard contents, etc. All of this information must be captured before powering down the system or transporting it.

Digital Forensics for the Aspiring Hacker, Part 15 (Parsing Out Key Info from Memory)

In this tutorial, we will look for other information on the memory image captured in the previous part that we can parse out and that may have forensic significance. As we know, there is a voluminous amount of information in the RAM of a running system that can reveal what the suspect was doing at the time of the system capture. This would include, of course, much of the same information we can get from Sysinternals on a running system, but here we are working with a memory image and not a running system. In most forensic investigations of a suspect's computer, we are working with a forensic image of the RAM and not the running system.

Digital Forensics for the Aspiring Hacker, Part 16 (Extracting EXIF Data from Image Files)

In many cases when a computer, phone, or mobile device is seized for evidence, the system will have graphic images that might be used as evidence. Obviously, in some cases these graphic images may be the evidence such as in child pornography cases. In other situations, the graphic images may tell us something about where and when the suspect was somewhere specific.

Most digital devices "stamp" information on these graphic images that can tell us a lot about who took the picture, with what device, and when and where it was taken. This information is known as EXIF data and can very often be useful to the forensic investigator. Bear in mind that EXIF data is trivially edited or stripped, so it should be corroborated with file-system timestamps and other evidence rather than taken at face value.
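EXIF data sits in a JPEG's APP1 segment as a small TIFF structure: a chain of directories (IFDs) of tagged values, with the camera fields in IFD0 and the Exif sub-IFD and the coordinates in a GPS IFD. The following is an added example, not code from the tutorial; it is a minimal reader for that structure, and the JPEG it reads is constructed in code (an Exif block with no image data). For real evidence use exiftool, which knows the full tag set.

```python
"""Minimal EXIF reader: walk the JPEG marker segments to the APP1 "Exif" segment,
parse the TIFF directories inside it (IFD0, Exif sub-IFD, GPS IFD) and return
camera, timestamps and location. Added example, not from the tutorial; the JPEG
below is constructed in code and carries no image data."""
import struct

EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x9003: "DateTimeOriginal", 0x8769: "ExifIFD", 0x8825: "GPSIFD"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # BYTE ASCII SHORT LONG RATIONAL UNDEFINED


def find_exif(jpeg: bytes) -> bytes:
    """Return the TIFF blob carried in the APP1/Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)  # length counts itself, not the marker
        if marker == 0xFFDA:                                   # start of scan: no more headers
            break
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    raise ValueError("no EXIF segment")


def read_ifd(tiff: bytes, e: str, offset: int, names: dict) -> dict:
    """Parse one image file directory; e is the struct byte-order prefix."""
    out = {}
    (count,) = struct.unpack_from(e + "H", tiff, offset)
    for i in range(count):
        tag, typ, n, field = struct.unpack_from(e + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 1) * n
        if size <= 4:                       # value fits inline, left-justified in the field
            raw = field[:size]
        else:                               # field is an offset from the TIFF header
            (off,) = struct.unpack(e + "I", field)
            raw = tiff[off:off + size]
        if typ == 2:
            val = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            vals = struct.unpack(e + "%d%s" % (n, "H" if typ == 3 else "I"), raw)
            val = vals[0] if n == 1 else vals
        elif typ == 5:
            ints = struct.unpack(e + "%dI" % (2 * n), raw)
            val = tuple(ints[j] / ints[j + 1] if ints[j + 1] else float("nan")
                        for j in range(0, 2 * n, 2))
        else:
            val = raw
        out[names.get(tag, "0x%04X" % tag)] = val
    return out


def parse_exif(jpeg: bytes) -> dict:
    tiff = find_exif(jpeg)
    e = "<" if tiff[:2] == b"II" else ">"                # "II" little-endian, "MM" big-endian
    magic, ifd0 = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header")
    meta = read_ifd(tiff, e, ifd0, EXIF_TAGS)
    if "ExifIFD" in meta:
        meta.update(read_ifd(tiff, e, meta.pop("ExifIFD"), EXIF_TAGS))
    if "GPSIFD" in meta:
        meta.update(read_ifd(tiff, e, meta.pop("GPSIFD"), GPS_TAGS))
    return meta


def gps_to_decimal(dms, ref: str) -> float:
    """(degrees, minutes, seconds) plus N/S/E/W reference to signed decimal."""
    d, m, s = dms
    dec = d + m / 60 + s / 3600
    return -dec if ref in ("S", "W") else dec


def build_sample_jpeg() -> bytes:
    """Constructed little-endian Exif: IFD0 at 8, Exif IFD at 62, GPS IFD at 80,
    out-of-line values from 134, wrapped in SOI / APP1 / EOI markers."""
    e, data, data_base = "<", bytearray(), 134

    def entry(tag, typ, payload, n):
        if len(payload) <= 4:
            return struct.pack(e + "HHI", tag, typ, n) + payload.ljust(4, b"\x00")
        off = data_base + len(data)
        data.extend(payload)
        return struct.pack(e + "HHII", tag, typ, n, off)

    def text(tag, s):
        raw = s.encode("ascii") + b"\x00"
        return entry(tag, 2, raw, len(raw))

    def rational(tag, fracs):
        return entry(tag, 5, b"".join(struct.pack(e + "II", *f) for f in fracs), len(fracs))

    def ifd(entries):
        return struct.pack(e + "H", len(entries)) + b"".join(entries) + struct.pack(e + "I", 0)

    ifd0 = ifd([text(0x010F, "ExampleCam"), text(0x0132, "2016:03:01 12:00:00"),
                entry(0x8769, 4, struct.pack(e + "I", 62), 1),
                entry(0x8825, 4, struct.pack(e + "I", 80), 1)])
    exif = ifd([text(0x9003, "2016:03:01 11:58:30")])
    gps = ifd([text(0x0001, "N"), rational(0x0002, [(55, 1), (45, 1), (1234, 100)]),
               text(0x0003, "E"), rational(0x0004, [(37, 1), (37, 1), (0, 1)])])
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + exif + gps + bytes(data)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Note that EXIF timestamps carry no time zone unless the camera also wrote the OffsetTime tags, so "when" is the camera's local clock; the GPS fields, when present, are what turn "where" into a coordinate you can plot.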

That's all for now! See you!

Follow the news in our channel @w2hack
