This page describes techniques and tools for conducting forensic analysis.
Acquisition/Preservation
- Acquire using the tool of choice (DumpIt, EnCase, Magnet Acquire)
- VMware guests: take the memory from the VMEM file
- Don't forget to copy the snapshot files as well (VMSN and VMSS)
- Convert using vmss2core (with the -W8 switch for Windows 8 and later)
- Convert the resulting memory.dmp to RAW using the Volatility imagecopy plugin
Keyword Search
- Run bulk_extractor with -F ioc.txt -E find (find scanner only, keyword list from ioc.txt)
- RAW search with EnCase for the wordlist (IOCs)
- Run strings on the memory dump (GNU strings on Linux is the fastest option)
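The keyword search above, as an added example that is not part of the original notes: a small IOC scanner over a raw memory image that looks for each keyword as ASCII and as UTF-16LE (how Windows keeps most strings in memory, which a plain `strings` run without -el misses), reading in chunks with an overlap so a hit split across two reads is still found. The sample image and IOC list at the bottom are constructed; the script name ioc_search.py is assumed.

```python
import io
import sys
from typing import BinaryIO, Dict, List, Tuple

DEFAULT_CHUNK = 4 * 1024 * 1024  # read the image 4 MiB at a time


def build_patterns(iocs: List[str]) -> Dict[bytes, Tuple[str, str]]:
    """Each IOC as raw ASCII and as UTF-16LE (how Windows holds most strings)."""
    pats: Dict[bytes, Tuple[str, str]] = {}
    for ioc in iocs:
        pats[ioc.encode("ascii")] = (ioc, "ascii")
        pats[ioc.encode("utf-16-le")] = (ioc, "utf-16le")
    return pats


def search_image(fh: BinaryIO, iocs: List[str], chunk: int = DEFAULT_CHUNK) -> List[Tuple[int, str, str]]:
    """Return sorted (offset, ioc, encoding) for every occurrence in the image."""
    pats = build_patterns(iocs)
    if not pats:
        return []
    overlap = max(len(p) for p in pats) - 1  # enough carried-over bytes to catch a hit split across reads
    found, base, tail = set(), 0, b""       # base = image offset of buf[0]
    while True:
        data = fh.read(chunk)
        if not data:
            break
        buf = tail + data
        for pat, (ioc, enc) in pats.items():
            pos = buf.find(pat)
            while pos != -1:
                found.add((base + pos, ioc, enc))  # the set dedupes hits seen again via the overlap
                pos = buf.find(pat, pos + 1)
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
    return sorted(found)


def search_bytes(data: bytes, iocs: List[str], chunk: int = DEFAULT_CHUNK) -> List[Tuple[int, str, str]]:
    return search_image(io.BytesIO(data), iocs, chunk)


# Constructed sample "memory": an ASCII C2 hostname and a UTF-16LE file path (not real IOCs).
SAMPLE_IMAGE = (b"\x00" * 100 + b"connect to bad-domain.example now" + b"\x00" * 50
                + "C:\\Users\\victim\\Downloads\\payload.exe".encode("utf-16-le") + b"\x00" * 20)
SAMPLE_IOCS = ["bad-domain.example", "payload.exe"]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python ioc_search.py memory.raw ioc.txt
        with open(sys.argv[2]) as f:
            iocs = [l.strip() for l in f if l.strip() and not l.startswith("#")]
        with open(sys.argv[1], "rb") as img:
            hits = search_image(img, iocs)
    else:
        hits = search_bytes(SAMPLE_IMAGE, SAMPLE_IOCS)
    for off, ioc, enc in hits:
        print(f"0x{off:08x}  {enc:8s}  {ioc}")
```

Offsets are into the RAW image, so they can be fed straight back into a hex viewer or a Volatility plugin for context.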
Scan and AntiVirus
- Run the Volatility yarascan plugin with your YARA rules (-y switch)
- Dump all the DLLs and scan them with an antivirus solution
- Dump all the processes and scan them with an antivirus solution
Other Techniques
- Mount the memory image with MemProcFS for faster analysis
- Check for unusual environment variables (envars)
- Run the Volatility netscan plugin and check for suspicious connections
  - TCP/445 (outbound): lateral movement
  - TCP/22 (outbound): lateral movement
Disk Analysis
- RAW search with EnCase for the wordlist (IOCs)
- Mount the disk image as a file system and scan it with an antivirus solution