Investigating Windows Systems (Book Review)

Hello,

We have a saying in Arabic “ان تأتي متآخراً، خيراً من أن لا تأتي أبدا” and in English “Better late, than never!”. This is my review to Harlan Carvey‘s last book titled “Investigating Windows Systems” which I should have wrote a long time ago (Sorry Harlan)!

If you have been reading for Harlan over the years (like I have), then this book is totally different than those. It is not about a specific Windows version and it is also definitely not about Windows Registry. You might be asking “Then why should I be interested and why is the title about Windows?” This is what I will explain in this post. A couple days ago, Harlan wrote a post about “Improving Your DFIR Skills” adding to another great post by Brett Shaver’s post titled “Want to improve in #DFIR? Study someone else’s case work.” discussing the same concept. I’m not going to repeat what they discuss in their posts, because I’m sure they are well written and share great ideas, I’m just going to explain how this is true from my experience as an instructor and how Harlan’s book is a good choice for you.
Continue reading

Forensic Acquisitions over Netcat

In the past I used to write here what I did so I do not forget, so I’ll try to get back to that habit again :)

These days whenever I find time, I’m playing with TSURUGI, which is a new (at least to me) Linux DFIR distro. More about the distro could be found on the system’s website here. I highly recommend if you are reading these words of mine, that you go download TSURUGI and give it a try. It can be seen as the KALI Linux of DFIR!

Now, there is a project that I’m working on related to Linux, so I needed to acquire an image of a Linux system running on my testing system. So, I turned off the the system to be acquired and used the TSURUGI Linux to boot the system to be acquired. The problem in my setup, is I do not want to use a removable drive to acquire the image using TSURUGI and copy it to that target drive. Therefore, I had to go with other options, one was SSH. Doing acquisitions over SSH will be a great option, but unfortunately, in my situation, it did not work. I have not troubleshooted the reason why, since I’m not into that now, but I assume SSH did not work and every time I tried to connect to the running SSH, it just gave me a reset, because it was running in Read-Only mode from the RAM and therefore SSH sessions could not be created! (not 100% sure, just an assumption).
Continue reading