Showing results for tags 'forensics'.
Synopsis: Event log (evtx) parser with standardized CSV, XML, and JSON output! Custom maps, locked file support, and more!

Source: https://ericzimmerman.github.io/#!index.md

Blog Post: https://binaryforay.blogspot.com/2019/04/introducing-evtxecmd.html?view=sidebar

Demo Video:
Daphne Caruana Galizia's Murder and the Security of WhatsApp

Daphne Caruana Galizia was a Maltese journalist whose anti-corruption investigations exposed powerful people. She was murdered in October by a car bomb.

Galizia used WhatsApp to communicate securely with her sources. Now that she is dead, the Maltese police want to break into her phone or the app, and find out who those sources were. One journalist reports:

    Part of Daphne's destroyed smart phone was elevated from the scene.

    Investigators say that Caruana Galizia had not taken her laptop with her on that particular trip. If she had done so, the forensic experts would have found evidence on the ground.

    Her mobile phone is also being examined, as can be seen from her WhatsApp profile, which has registered activity since the murder. But it is understood that the data is safe.

    Sources close to the newsroom said that as part of the investigation her sim card has been cloned. This is done with the help of mobile service providers in similar cases. Asked if her WhatsApp messages or any other messages that were stored in her phone will be retrieved, the source said that since the messaging application is encrypted, the messages cannot be seen. Therefore it is unlikely that any data can be retrieved.

I am less optimistic than that reporter. The FBI is providing "specific assistance." The article doesn't explain that, but I would not be surprised if they were helping crack the phone.

It will be interesting to see if WhatsApp's security survives this. My guess is that it depends on how much of the phone was recovered from the bombed car.

EDITED TO ADD (11/7): The court-appointed IT expert on the case has a criminal record in the UK for theft and forgery.

via Bruce Schneier
Mozilla has released an open source memory forensics tool that some college students designed and built during the company's recent Winter of Security event.

The new tool, known as Masche, is designed specifically for investigating server memory and has the advantage of being able to scan running processes without causing any problems with the machine. Masche runs on Linux, OS X and Windows, and Mozilla has posted the code on GitHub.

"Masche provides basic primitives for scanning the memory of processes without disrupting the normal operations of a system. Compared with frameworks like Volatility or Rekall, Masche does not provide the same level of advanced forensics features. Instead, it focuses on searching for regexes and byte strings in the processes of large pools of systems, and does so live and very fast," Julien Vehent wrote in a blog post. "The effort needed to implement a complex scanning solution across three operating systems, and complete this work in just a few months, was no easy feat."

The new forensics library is the work of a group of students at the University of Buenos Aires, and can be seen as a kind of companion tool to Mozilla's InvestiGator. The MIG is more of a platform than a discrete tool, and it's meant for investigating issues remotely.

"MIG is composed of agents installed on all systems of an infrastructure. The agents can be queried in real-time using a messaging protocol implemented in the MIG Scheduler. MIG has an API, a database, RabbitMQ relays, a terminal console and command line clients. It allows investigators to send actions to pools of agents, and check for indicators of compromise, verify the state of a configuration, block an account, create a firewall rule, update a blacklist and so on," the InvestiGator documentation says.

Masche is meant to be a module on the MIG platform, and Mozilla is now integrating the forensics tool into that platform.

Source