

Investigating Desktop Wallpaper - Forensafe

How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History - inversecos
Investigating Cisco Webex Meetings - Forensafe
Recovering Cleared Browser History - Chrome Forensics - InverseCos
CyberDefNerd
Capability Access Manager (Camera/Mic Usage)
Can you track processes accessing the camera and microphone? and an Update in: I can see and hear you seeing and hearing me!
Why do the battery use and the battery level matter during the investigation? - CyberDefNerd
Analysing Web Browsers Forensic Artifacts - Digital Investigator
Easy way to prove that a file was downloaded by a web browser, having only $UsnJrnl logs.
Investigating Windows Background Activity Moderator (BAM) - Forensafe
Battery charge level and its importance in forensics investigations - CyberDefNerd
List of articles or Windows Alternate Data Streams (ADS) - winitor
Amcache contains SHA-1 Hash – It Depends! - NVISO Labs
Digital Forensic Artifact of Anydesk Application
AnyDesk Forensic Analysis and Artefacts - Hats Off Security
AnyDesk Forensics | AnyDesk Log Analysis - Tyler Brozek
Apple Pattern of Life Lazy Output'er (APOLLO) on Windows
App Timeline Provider - SRUM Database - Cassie Doemel
Stripped off ADS (Zone.Identifier) for files downloaded in the incognito/private mode.
Investigating 360 Secure Browser - Forensafe
See below for a list of Windows Artifacts.

Velociraptor for Dead Disk & Dead Disk Forensics - Velociraptor & Paths and Filesystem Accessors - Velociraptor
Python scripts for parsing out WMI artifacts
Create diagrams by importing external data - layout algorithms arrange even large datasets - (Shown in this example article on firewall analysis.)
Thumbs.db, ehthumbs.db, ehthumbs_vista.db, Image.db, Video.db, TVThumb.db, and musicThumbs.db database files
Thumbcache_*.db and iconcache_*.db database files
NTUser.dat, System.dat, Security.dat, Software.dat, SAM.dat
Memory Baselining tool with Volatility 3 and standalone
Find Windows registry files in a blob of data
The LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain a user's Autologon password, RAS and/or VPN passwords, and other system passwords/keys.
Jump lists in depth: Understand the format to better understand what your tools are (or aren't) doing
Hashtopolis is a multi-platform client-server tool for distributing Hashcat tasks to multiple computers.
HashFinder, Hash Verifier, Password Checker, Hash Manager Tool
Free Windows tool - Tool explanation (Part 1) (Part 2) (Part 3)
Cmdlets for capturing Windows Events - Tool explanation (here)
Comprised of 2 back-end Extensible Storage Engine (ESE) databases and other configuration files.
Forensically sound logical file/folder acquisition
