Category Archives: DFIR

Investigating USB Drives using Mount Points Not Drive Letters

Yes, another excellent question came up by one of my students: If a user mounts the volume to a mount point, what artifacts could we find for the USB? Starting I think from Windows 8.1 or 10, a user could … Continue reading

Posted in DFIR, Forensics, Investigations, Windows | Tagged , , , , , , , , | Leave a comment

No Drive Letter, No USB Evidence? Think Again!

This post is about a question asked: If the user removes the drive letter to hide the presence of a mounted USB drive, could we still locate that drive in the Windows Registry? Short answer is, YES it will still … Continue reading

Posted in DFIR, Forensics, Investigations, Windows | Tagged , , , , , , | Leave a comment

Howto Setup and use the CuckooVM v2

This post should cover the basics of how to import and run a basic analysis using the Cuckoo VM which could be found here. I’m referring to this VM as CuckooVM version 2, since if you’ve been following, you already … Continue reading

Posted in DFIR, Forensics, Investigations, Malware, Virtualization | Tagged , , , , , , | Leave a comment

Acquiring Linux Memory using AVML and Using it with Volatility

This is another quick post going over the process to acquire memory from a Linux system, but instead of using LiME, I’m going to use AVML which stands for Acquire Volatile Memory for Linux, and could be found here. The … Continue reading

Posted in DFIR, Forensics, Memory, Software/Tools | Tagged , , , , , , , | Comments Off on Acquiring Linux Memory using AVML and Using it with Volatility

Forensic Acquisitions over Netcat

In the past I used to write here what I did so I do not forget, so I’ll try to get back to that habit again :) These days whenever I find time, I’m playing with TSURUGI, which is a … Continue reading

Posted in DFIR, GNU/Linux | Tagged , , , , , , , , , | Comments Off on Forensic Acquisitions over Netcat