من مُذكرات مُهاجر

Posted on 11 September 2020 by [email protected]

منذ أكثر من عشرة سنوات وأنا أحاول السفر الى الخارج من خلال الهجرة. والدي ووالدتي يرفضون سفري وغير موافقين على ذلك… كُنت مُلحاً في كل مرة بأن يسمحوا لي بالهجرة، ولكن طلبي كان دائماً يلاقي الرفض… والدي كان أقل تشدداً من والدتي، لانه يعلم رغبتي ولكن والدتي وبحكم خبرتها مع أخوانها، كانت ترفض رفضاً قاطعاً …

المهم أستطعت أقنع والدي وأن أقوم بالتقديم على الهجرة وحين أحصل على الموافقة، أخبر والدتي وأضعها أمام الأمر الواقع… قمت بتعيين محامي وذلك لكي يقوم بإجراءات الهجرة الى استراليا، من خلال برنامج هجرة أصحاب الكفاءات… سارت الأمور بشكل جيد، وتمت المُصادقة على جميع أوراقي، شهاداتي التي تثبت الكفاءة وحصلت كذلك على موافقة جمعية علم الحاسوب لديهم، وهي خطوة جوهرية جداً في الحصول على الموافقة … بعد أن أكملنا جميع الأمور والأوراق، كان مُتبقي إمتحان اللغة الانجليزية (آيليتس) … وكان مطلوب علامة 6 في جميع الأقسام … قمت بالإستهتار في الامتحان ولم أدرس، وذلك لأنني وحسب قناعتي الشخصية، بإن لغتي الانجليزية ممتازة وإجتياز الامتحان سهل للغاية! ولكن أكتشفت إن ذلك غير صحيح ولم أحصل على 6 في المحادثة … وبالتالي المعاملة والهجرة تعطلت قليلاً … المهم رجعت حجزت للإمتحان مرة ثانية … وكذلك ذهبت له بدون أية إستعداد وذلك لأنه الغرور كبر في رأسي وإن الموضوع سهل والمرة السابقة كان مجرد هفوة صغيرة … المهم أمتحنت هذه المرة وحصلت على العلامة 6 في جميع الأقسام !!! يا سلام الهجرة تنتظرني …

Continue reading

Posted in Life | Comments Off on من مُذكرات مُهاجر

Linux Forensics Workshop

Posted on 13 May 2020 by [email protected]

Hello,

I’ve been invited by the Saudi Federation for Cyber Security and Programming (SAFCSP) to do a Linux Forensics workshop during their series of Cybersecurity Nights. My session will be next Thursday, May 14th, 2020 at 10:00 PM (KSA time) and will be 3:00 PM (EST). If you’re interested in Linux Forensics or have the will to learn, please download the files found here and join me then.

In Arabic:

قام الإتحاد السعودي للأمن السيبراني والبرمجة والدرونز بدعوتي لعقد ورشة عمل تخص التحقيقات الرقمية الجنائية في أنظمة التشغيل لينُكس. إن كنت مُهتم في ذلك، أرجوا أن تتابع البث المُباشر أو تقوم بحضور التسجيل من عبر مواقع الإتحاد.
ورشة العمل سوف تكون يوم الخميس القادم 14/5/2020 الساعة 10 مساءاً بتوقيت السعودية، والساعة 3 ظهراً في توقيت الولايات المتحدة. يمكن تحميل ملفات الورشة للمشاركة بشكل مُبشار معي من خلال هذا الرابط.

Thanks to SAFCSP for the invitation and see you on Thursday :)

Posted in Forensics, Investigations, Workshops | Tagged , , , , | Comments Off on Linux Forensics Workshop

Investigating USB Drives using Mount Points Not Drive Letters

Posted on 4 April 2020 by [email protected]

Yes, another excellent question came up by one of my students:
If a user mounts the volume to a mount point, what artifacts could we find for the USB?

Starting I think from Windows 8.1 or 10, a user could mount a volume into an empty directory. Which means, that a USB could be mounted to a directory and then the user accesses the content of the volume using that directory. A feature in the past was only seen on POSIX operating systems, such as Linux. The scenario I will be using for this experiment, is a user mounts a volume (USB) to a directory and also removes the drive letter. I will be using the C:\Mountpoint as the mount point for the USB.

Note(s) before you continue reading:
1. This post does not cover all USB artifacts (registry keys, registry values, events, etc), only the ones needed to answer the question above
2. The experiment in this post was repeated three times and they all led to the same results you will find below

PART#1 – SETUP
First as we can see in figure 1.1, the USB labeled FOR340USB has a drive letter E:, so let’s remove it.

Figure 1.1 – Drives Available
Continue reading

Posted in DFIR, Forensics, Investigations, Windows | Tagged , , , , , , , , | Comments Off on Investigating USB Drives using Mount Points Not Drive Letters

No Drive Letter, No USB Evidence? Think Again!

Posted on 3 April 2020 by [email protected]

This post is about a question asked:
If the user removes the drive letter to hide the presence of a mounted USB drive, could we still locate that drive in the Windows Registry?

Short answer is, YES it will still be seen in Disk Management. But let’s assume you do not have access to the computer anymore, but you do have the registry files. In other words, you imaged the drive but missed imaging the USB for some reason.

Note(s) before you continue reading:
1. This post does not cover all USB artifacts (registry keys, registry values, events, etc), only the ones needed to answer the question above
2. The experiment in this post was repeated three times and they all led to the same results you will find below

I will be listing all the registry locations that we can still check and find entries that the USB was plugged into the system, but it’s not seen currently. Also, I won’t go over all the USB artifacts, there are so many posts out there and good books too (WR 2ED, WFA 4ED, etc). In this post, I will just focus on some might have not been used before and then just need to correlate them together. So, let’s say you start by loading your registry files into Registry Explorer or RegRipper (System, Software, and NTUSER), will use both here.
Continue reading

Posted in DFIR, Forensics, Investigations, Windows | Tagged , , , , , , | Comments Off on No Drive Letter, No USB Evidence? Think Again!

Howto Setup and use the CuckooVM v2

Posted on 18 March 2020 by [email protected]

This post should cover the basics of how to import and run a basic analysis using the Cuckoo VM which could be found here. I’m referring to this VM as CuckooVM version 2, since if you’ve been following, you already know that I have shared a previous version of this CuckooVM which I configured. Even if you do not do malware analysis or digital forensics and incident response, this VM could come handy and useful to you, so please do not skip just because you’re not working in those areas.

Now, in order to use the Cuckoo Sandbox which I think many of the online service providers today have their systems built around Cuckoo (no proof to this claim!), you will need a dedicated machine. The installation process itself is also not simple for some, but it could be a piece of cake to others (not saying it is for me!), so this VM could save you the trouble of:
1. Need to purchase or dedicate a whole machine for Cuckoo (it is worth though!)
2. Need to go through the installation process

Before moving forward, if any of the figures below is not clear, just click on it to enlarge it.

INTRODUCTION
The Cuckoo VM is running Cuckoo in what is called a “Nested Virtualization”. What that means, well first let’s check this general architecture as seen in figure 1.1.

Figure 1.1 – General Architecture
Continue reading

Posted in DFIR, Forensics, Investigations, Malware, Virtualization | Tagged , , , , , , | Comments Off on Howto Setup and use the CuckooVM v2