Installing HDFS for Forensics Research

It sure has been a long time since I last wrote anything here, and then I remembered there was a blog that is either dead or about to die :)

Anyway, I just wanted to say "hi" to everyone out there and let you know the blog is not dead; I will be sharing some of the work I have been doing as soon as I can. For now, I just wanted to share a couple of documents for those interested in working on HDFS.


Anti-Forensics: Leveraging OS and File System Artifacts

Hola,

I know it seems that the zone has been abandoned for a year, and that is why I didn't want the year to end without posting anything. Anyway, this presentation was delivered in Feb-2016, and I thought why not share it with the DFIR community; maybe it will be useful to someone out there.

Presentation title: Anti-Forensics: Leveraging OS and File System Artifacts.

It doesn't cover all the anti-forensics techniques, but it is a good start.

Enjoy…


Digital Forensic Challenge #4

The Case:
A company's web server has been breached through its website. Our team arrived just in time to take a forensic image of the running system and its memory for further analysis. The files can be found below:
1- System Image: here
2- System Memory: here
3- Hashes: here
4- Passwords = DFChallenge@s4a


Forensic Analysis: Creating User GUI vs CLI

Hello,

This is my first forensic analysis post in English; as I'm sure you have noticed by now, all the others are in Arabic, so excuse my bad English :)

The whole idea came out when @azeemnow asked the #DFIR community the following:
how can you tell the difference between a Windows account created from cmdline vs GUI interface?
Found here: URL

I tried to help by giving ideas, but it seems they didn't solve the case! So I said to myself, why not replicate the process and do some checks?

The actions below were not done in the exact order listed (more on that later)!!!
1- Started cmd.exe with administrative privileges and executed:
net user cmduser cmduser /add
2- From the Windows Control Panel, using the User Accounts applet, I added a user named guiuser.

Now, the first idea I had in mind was that checking the system logs alone would be enough to find clues about where each account was created (command line vs. GUI). I was wrong about that! Both log entries showed no difference at all, except the username, for sure :)


Officially: The Last Day!

Today is my last official working day at the university, and starting next month (tomorrow) I will be moving to another university. Through this simple post I wanted to thank all the colleagues I worked with, whether in the same department or the same college. Everyone was cooperative with me in every area, academic as well as administrative.
