Infocyte - Digital Forensics and Incident Response (DFIR) Training Session (Infocyte)
Join Infocyte co-founder and Chief Product Officer, Chris Gerritz, for a two-hour digital forensics and incident response (DFIR) training session.
During this presentation, Chris shows participants how to set up Infocyte's managed detection and response (MDR) platform and how to leverage Infocyte to detect, investigate, isolate, and eliminate sophisticated cyber threats. Additionally, Infocyte helps enterprise cyber security teams eliminate hidden IT risks, improve security hygiene, maintain compliance, and streamline security operations—including improving the capabilities of existing endpoint security tools.
Using Infocyte's new extensions, participants are encouraged to create their own custom collection (detection and analysis) and action (incident response) extensions.
Cloud Forensics: this presentation shows you the current state of progress and the challenges that stand today in the world of cloud forensics. Based on many Google searches and white papers by Josiah Dykstra and Alan Sherman. The presentation builds right from the basics and compares the conflicting requirements between traditional and cloud forensics.
Ultimately, in a forensic examination, we are investigating the actions of a person
Almost every event or action on a system is the result of a user either doing something
Many events change the state of the Operating System (OS)
OS forensics helps us understand how system changes correlate to events resulting from the actions of somebody in the real world
A presentation on registry forensics from one of my lectures. Thanks to Harlan Carvey and Jolanta Thomassen for their wonderful research in the field. The work is based on their research.
Windows Registry Forensics with Volatility Framework (Kapil Soni)
Windows Registry forensics is one of the most important parts of memory forensics investigations. With the help of Windows Registry forensics we can reconstruct user activity as well as find evidence easily.
Windows Registry Forensics (WRF) is one of the most important parts of malware analysis: the changes malware makes on Windows are reflected in the Registry.
If an attacker makes changes on a Windows system, records of actions such as opening, deleting or modifying a folder or file, as well as executing a file such as an .exe, are stored in the Windows Registry, which helps the investigator catch the cyber criminal.
Computer forensics is a very important branch of computer science in relation to computer and Internet related crimes. Earlier, computers were only used to produce data, but the field has now expanded to all devices that hold digital data. The goal of computer forensics is to perform crime investigations by using evidence from digital data to find who was responsible for a particular crime.
For better research and investigation, developers have created many computer forensics tools. Police departments and investigation agencies select the tools based on various factors, including budget and the experts available on the team.
Current forensic tools: evaluating computer forensic tool needs, computer forensics software tools, computer forensics hardware tools, validating and testing forensics software.
E-mail investigations: exploring the role of e-mail in investigation, exploring the roles of the client and server in e-mail, investigating e-mail crimes and violations, understanding e-mail servers, using specialized e-mail forensic tools.
Cell phone and mobile device forensics: understanding mobile device forensics, understanding acquisition procedures for cell phones and mobile devices.
Digital forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
Active Directory Domain Services Installation & Configuration - Windows Ser... (Adel Alghamdi)
- Windows Server 2012
Active Directory Domain Services Installation & Configuration
This is my first time making a guide; I hope it helps someone.
Feel free to share and like :)
Memory forensics presentation from one of my lectures. I have tried to explain the functioning of memory in a 32-bit architecture, how paging works, how Windows manages its memory pages and how the memory forensics job is done. The forensics part focuses on collecting data and analyzing it.
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics (securityxploded)
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer to our Security Training page
http://securityxploded.com/security-training.php
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques (securityxploded)
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer to our Security Training page
http://securityxploded.com/security-training.php
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 (securityxploded)
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer to our Security Training page
http://securityxploded.com/security-training.php
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares (securityxploded)
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer to our Security Training page
http://securityxploded.com/security-training.php
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2 (securityxploded)
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer to our Security Training page
http://securityxploded.com/security-training.php
MacOS forensics and anti-forensics (DC Lviv 2019) presentation (OlehLevytskyi1)
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
The article briefly touches upon hiding, finding and destroying data
on Linux file systems. It should become clear that the area of computer
forensics, aimed at recovering the evidence from captured disk drives,
has many challenges, requiring knowledge of hardware, operating
systems and application software.
For a college course at City College San Francisco.
Based on: "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, ASIN: B00JFG7152
More information at: https://samsclass.info/152/152_F19.shtml
Writing Character driver (loadable module) in linux (RajKumar Rampelli)
It covers the step-by-step approach to writing a simple loadable character device driver in Linux, what device files in Linux are in detail, and how a user application interacts with a character driver through a device file.
Live Memory Forensics on Android devices (Nikos Gkogkos)
This presentation deals with some RAM forensics on the Android OS using the LiME tool for getting a RAM dump and the Volatility framework for the analysis part!
3. Introduction
• Using forensic techniques and tools to gather digital evidence from a device or PC running Microsoft Windows.
• Different versions of the Windows OS: Win XP, Vista, 7, 8, 8.1, 10
• With every version, new features of forensic importance have been discovered.
• Some areas include: Windows Registry, live acquisition, system files, cache, Prefetch, ADS, etc.
www.malc0de.org
4. Recycle Bin Forensics
• RECYCLER folder for Windows XP
• $Recycle.Bin folder for Windows 7 or Windows Vista (on the system drive, C:)
• “$RECYCLE.BIN” on other drives
• The subfolder is named with the user’s SID and contains its own INFO file, making it possible to determine which user account was used to delete a file
5. When a file is deleted, it results in three steps:
– 1) the deletion of the file’s folder entry in the folder in which the file resided
– 2) the creation of a new folder entry for the file in the Recycle Bin
– 3) the addition of information about the file to a hidden system file named INFO (or INFO2, depending on the Windows version) in the Recycle Bin
6. Every file sent to the Recycle Bin is renamed in the following format:
D[original drive letter of file][index no][original extension]
E.g. hw1.txt residing in C:\My Documents was sent to an empty Recycle Bin:
» Its new name is DC0.txt
7. SID
• According to the Microsoft Developer Network (2009), the SID is an alphanumeric string that is used by Windows to uniquely identify an object, like a user or a group
• “S” means the string is a Security Identifier
• “1” refers to the Revision Level (this value has always been 1)
• “5” is the identifier for the Authority Level or “IdentifierAuthority”
• “500” at the end of the string is the Domain or Local Computer Identifier
• The “500” at the end is known as the Relative ID, and in this case “500” means the user is a system administrator
8. Forensic Importance of SID
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
9. SID
• If there are three users and four drives,
• there will be four folders named $Recycle.Bin (one on each drive)
• And within each of these $Recycle.Bin folders will be three sub-folders with names that correspond to the SID of each of the three users
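Slides 7 to 9 describe the SID layout and the per-user $Recycle.Bin subfolders named after it. The following Python is an added example, not part of the slides or of malc0de.org's material: it parses a SID both from its text form (the subfolder name) and from the binary form found in hive values and security descriptors, labels the RID, and maps each subfolder to an account. The profile mapping is a constructed dictionary standing in for the ProfileList subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (a real key; the SIDs and paths below are made up), and the RID table covers only the common built-in values.

```python
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

# Common well-known relative identifiers. 500 is the built-in Administrator
# account named on the slide; the others are standard Windows values.
WELL_KNOWN_RIDS = {
    18: "LocalSystem",
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
}


class Sid(NamedTuple):
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "S-%d-%d%s" % (
            self.revision, self.authority,
            "".join("-%d" % s for s in self.sub_authorities))

    @property
    def rid(self) -> Optional[int]:
        # The last sub-authority is the RID; the ones before it identify the
        # issuing domain or local machine.
        return self.sub_authorities[-1] if self.sub_authorities else None


def parse_sid_string(text: str) -> Sid:
    """Parse the textual S-R-A-S1-...-Sn form used for $Recycle.Bin subfolder names."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    return Sid(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))


def parse_sid_binary(data: bytes) -> Sid:
    """Parse the binary SID layout: revision (1 byte), sub-authority count
    (1 byte), 48-bit big-endian identifier authority, then `count`
    little-endian 32-bit sub-authorities."""
    if len(data) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    if len(data) < 8 + 4 * count:
        raise ValueError("SID truncated: header promises %d sub-authorities" % count)
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return Sid(revision, authority, tuple(subs))


def describe_rid(sid: Sid) -> str:
    rid = sid.rid
    if rid is None:
        return "no RID"
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "locally or domain created account"
    return "other well-known RID"


def attribute_recycle_bins(folder_names: List[str],
                           profile_list: Dict[str, str]) -> List[Dict[str, object]]:
    """Map $Recycle.Bin\\<SID> subfolder names to accounts.

    profile_list is assumed to be {SID string: ProfileImagePath}; here it is a
    constructed dictionary rather than values read from a SOFTWARE hive.
    """
    rows = []
    for name in folder_names:
        try:
            sid = parse_sid_string(name)
        except ValueError:
            rows.append({"folder": name, "sid": None, "rid": None,
                         "account": "not a SID", "profile": None})
            continue
        rows.append({"folder": name, "sid": str(sid), "rid": sid.rid,
                     "account": describe_rid(sid),
                     "profile": profile_list.get(str(sid))})
    return rows


# Constructed sample data (not from a real system).
SAMPLE_BIN_FOLDERS = [
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "S-1-5-18",
]
SAMPLE_PROFILE_LIST = {
    "S-1-5-21-1111111111-2222222222-3333333333-1001": r"C:\Users\alice",
    "S-1-5-18": r"C:\Windows\system32\config\systemprofile",
}

if __name__ == "__main__":
    for row in attribute_recycle_bins(SAMPLE_BIN_FOLDERS, SAMPLE_PROFILE_LIST):
        print(row)
```

A $Recycle.Bin subfolder whose SID has no matching ProfileList entry (the Administrator folder in the sample) is worth noting in a report: the account either never logged on interactively on this image or its profile was removed, and either way the deletions in that folder need attributing through other artifacts.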
10. METADATA ANALYSIS
• Inside the Recycle Bin folder there are two kinds of entries
– DC1.txt and INFO2
– DC1.txt contains the original file
– INFO2 contains the metadata
– There is only one INFO2 file for each user’s Recycle Bin, where all of the metadata for all of the files/folders found in that Recycle Bin is stored.
11. EXTRA “TRASH” IN THE BIN
• desktop.ini (file is a hidden Windows system
file that provides information to Windows
Explorer about how to display the contents of
a folder. )
• directory named “.” (dot)
• “..” (dot-dot) directory
12. $R-file and $I-file
• If a deleted file was originally in a folder that no longer exists, how will it be restored?
• When a folder is sent to the Recycle Bin, it too has the “deleted” and “created” time-stamps, but when it is restored it only retains the “created” time-stamp, and never gains the “modified” or “accessed” time-stamps, unlike what happens with a file.
• If the restored file is deleted again, a new $I-file and $R-file are generated.
• There will be an $I-file and $R-file for the folder, and there will also be a $I-file and $R-file for each file that was in the deleted folder
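Slides 10 to 12 cover the Recycle Bin metadata that pairs with the deleted content. The Python below is an added example, not from the slides or from malc0de.org: it parses a Vista-or-later $I file (8-byte version, 8-byte original size, 8-byte deletion FILETIME, then the original path in UTF-16LE as a fixed 520-byte field in version 1 or as a character count plus path in version 2), converts the FILETIME, and derives the name of the matching $R file. The sample $I files are constructed in the block with a small builder; the path, size and timestamp are made up.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_i_file(data: bytes) -> Dict[str, object]:
    """Parse a $I metadata file from a Vista-or-later $Recycle.Bin.

    Layout (little-endian): 8-byte format version, 8-byte original file size,
    8-byte deletion FILETIME, then the original path in UTF-16LE: a fixed
    520-byte field in version 1 (Vista to 8.1), or a 4-byte character count
    followed by the path in version 2 (Windows 10 and later).
    """
    if len(data) < 24:
        raise ValueError("$I file shorter than its 24-byte header")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError("unknown $I format version %d" % version)
    # The path is NUL-terminated; keep only the part before the terminator.
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(filetime), "original_path": path}


def r_file_name(i_file_name: str) -> str:
    """The deleted content lives in the $R file that shares the $I file's suffix."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name: %r" % i_file_name)
    return "$R" + i_file_name[2:]


def build_i_file(version: int, size: int, filetime: int, path: str) -> bytes:
    """Construct a $I file for testing; sample data only, not captured from a system."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack("<QQQ", version, size, filetime)
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(encoded) // 2) + encoded
    raise ValueError("unsupported version")


# Constructed sample: a text file deleted at 2020-01-01 00:00:00 UTC
# (FILETIME 132223104000000000), in both on-disk format versions.
SAMPLE_PATH = r"C:\Users\alice\Documents\hw1.txt"
SAMPLE_I_V1 = build_i_file(1, 1234, 132223104000000000, SAMPLE_PATH)
SAMPLE_I_V2 = build_i_file(2, 1234, 132223104000000000, SAMPLE_PATH)

if __name__ == "__main__":
    record = parse_i_file(SAMPLE_I_V2)
    print(record, "content in", r_file_name("$IABC123.txt"))
```

The deletion timestamp comes only from the $I file, which is why the slide's point about restored folders matters: once the pair is restored the $I file is gone, and a second deletion produces a fresh pair with a new time.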
14. PREFETCH FILES
SuperFetch
• The Prefetching process tries to speed up the boot process and application startup
• The Prefetching process monitors the first 10 seconds of application startup
15. Forensic
• Identify whether the system has the Prefetching process enabled
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
• “0” means “disabled”
• “1” means “application launch Prefetching enabled”
• “2” means “boot Prefetching enabled”
• “3” means “application launch and boot enabled” (default)
18. ANALYZING HIBERFIL.SYS FILES
Hibernate is a feature of many computer operating systems where the contents of RAM are written to non-volatile storage such as a hard disk, as a file or on a separate partition, before powering off the computer.
The computer uses the Hiberfil.sys file to store a copy of the system memory on the hard disk when the hybrid sleep setting is turned on.
The Hiberfil.sys hidden system file is located in the root folder of the drive where the operating system is installed, and the Windows Kernel Power Manager reserves this file when you install Microsoft Windows.
The size of this file is approximately equal to the amount of random access memory (RAM) that is installed on the computer.
19. ANALYZING PAGING FILES
A page file is a hidden file or files on the hard disk that the operating system uses to hold parts of programs and data files that do not fit in memory.
Virtual memory comprises the paging file and physical memory or random access memory (RAM).
Windows moves data from the paging file to memory as needed, and it moves data from memory to the paging file to make room for new data.
By default, Windows stores the paging file on the boot partition (the partition that contains the operating system and its support files). The default paging file size is equal to 1.5 times the total RAM.
20. ANALYZING PAGING FILES
The computer can be configured to clear the paging file at shutdown. For this, the data of the ClearPageFileAtShutdown value in the following registry key must be set to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
21. ANALYZING THUMBS.DB FILES
Thumbs.db is a hidden file used by Windows to store thumbnail images of the files in a folder.
It is then used to display thumbnails when a folder is in Thumbnails view.
Deleting images from a folder does not remove the thumbnail from the thumbs.db database cache.
This makes the thumbs.db file useful from a forensic point of view.
FTex is a useful utility for thumbs.db analysis.
22. Registry Hive
• The five most hierarchical folders are called hives and begin with HKEY (an abbreviation for Handle to a Key).
• Although five hives can be seen, only two of these are actually real: HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM).
• The other three are shortcuts or aliases to branches within one of the two hives.
25. REGISTRY ANALYSIS
HIVE KEY: HKEY_LOCAL_MACHINE (HKLM)
It is the first master key and contains all of the configuration settings of a computer. When a computer starts up, the local machine settings will load before the individual user settings. The HKEY_LOCAL_MACHINE key has the following subkeys:
HARDWARE
SAM
SECURITY
SOFTWARE
SYSTEM
26. Registry keys of forensic value
• MRU: the most-recently-used key maintains a list of recently opened files (e.g. .txt, .pdf, .htm, .jpg) or files saved from within a web browser (including IE and Firefox).
• OpenSaveMRU contains far more entries related to previously opened or saved files (including the 10 most recent ones).
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
28. Device ID
• The device ID identifies a specific device.
• It should be noted that not all USB thumb drives will have a serial number.
30. Autostart locations
• Used by a great many pieces of malware to remain persistent on the victim system.
• Example: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
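Slide 26 (OpenSaveMRU) and slide 30 (the per-user Run key) both come down to reading a handful of values out of a user's hive and interpreting them. The Python below is an added example and not the slides' or malc0de.org's own tooling: it parses the plain-text .reg export format that regedit produces (so it runs offline on an export rather than on a live registry), reconstructs the order of an MRU list from either the XP-style MRUList string or the binary MRUListEx index array, and lists Run-key autostarts with the executable separated from its arguments. The export in the block is constructed: the OpenSaveMRU and Run keys are real key paths with made-up values, while the MRUListEx demonstration key is a hypothetical key name used only to exercise the binary list format.

```python
import re
import struct
from typing import Dict, List

OPENSAVE_TXT_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt"
MRULISTEX_DEMO_KEY = r"HKEY_CURRENT_USER\Software\Example\MRUListExDemo"  # hypothetical key, constructed
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg export (not from a real system). Values are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"a"="C:\\Users\\alice\\Documents\\notes.txt"
"b"="C:\\Users\\alice\\Desktop\\todo.txt"
"c"="D:\\share\\report.txt"
"MRUList"="cab"

[HKEY_CURRENT_USER\Software\Example\MRUListExDemo]
"0"="budget.xlsx"
"1"="memo.docx"
"2"="photo.jpg"
"MRUListEx"=hex:02,00,00,00,00,00,00,00,\
  01,00,00,00,ff,ff,ff,ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"
'''

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(text: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a regedit export into {key path: {value name: str | int | bytes}}."""
    sections: Dict[str, Dict[str, object]] = {}
    current = None
    pending = None  # (value name, hex fragments) while a hex value continues on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            pending[1].append(line.rstrip("\\"))
            if not line.endswith("\\"):
                name, parts = pending
                sections[current][name] = bytes.fromhex("".join(parts).replace(",", ""))
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = "" if m.group(1) is None else _unescape(m.group(1))
        value = m.group(2)
        if value.startswith('"') and value.endswith('"'):
            sections[current][name] = _unescape(value[1:-1])
        elif value.startswith("dword:"):
            sections[current][name] = int(value[6:], 16)
        elif value.startswith("hex"):
            digits = value.split(":", 1)[1]
            if digits.endswith("\\"):
                pending = (name, [digits.rstrip("\\")])
            else:
                sections[current][name] = bytes.fromhex(digits.replace(",", ""))
    return sections


def ordered_mru(values: Dict[str, object]) -> List[object]:
    """Return the key's MRU items most-recent first.

    MRUList (Windows XP style) is a string whose letters name the values in
    order; MRUListEx is an array of little-endian uint32 indices terminated
    by 0xFFFFFFFF that name values "0", "1", ...
    """
    if "MRUListEx" in values:
        blob = values["MRUListEx"]
        order = struct.unpack("<%dI" % (len(blob) // 4), blob[:len(blob) // 4 * 4])
        names = [str(i) for i in order if i != 0xFFFFFFFF]
    elif "MRUList" in values:
        names = list(values["MRUList"])
    else:
        return []
    return [values[n] for n in names if n in values]


def run_entries(sections: Dict[str, Dict[str, object]], key: str = RUN_KEY) -> List[Dict[str, object]]:
    """List autostart values with the image path split from its arguments.
    under_system_path is a simple triage flag: executables outside the
    Windows and Program Files trees deserve a closer look."""
    out = []
    for name, cmd in sections.get(key, {}).items():
        if not isinstance(cmd, str):
            continue
        image = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        out.append({"name": name, "image": image, "command": cmd,
                    "under_system_path": image.lower().startswith(("c:\\windows", "c:\\program files"))})
    return out


if __name__ == "__main__":
    hive = parse_reg_export(SAMPLE_REG)
    print(ordered_mru(hive[OPENSAVE_TXT_KEY]))
    for entry in run_entries(hive):
        print(entry)
```

On a real case the export would come from a hive loaded offline (reg.exe or regedit against a copied NTUSER.DAT), and the MRU order is the part worth checking by hand: the value names alone say nothing about recency, only the list does.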
31. Wireless SSIDs
• SSIDs (service set identifiers)
• This shows you which wireless networks you’ve connected to, and if you travel and make use of the ubiquitous wireless hotspots, you’ll see quite a few entries there.
32. Registry: A Wealth of Information
Information that can be recovered includes:
– System Configuration
– Devices on the System
– User Names
– Personal Settings and Browser Preferences
– Web Browsing Activity
– Files Opened
– Programs Executed
– Passwords
34. Registry Organization
• Root Keys
– HKEY_CLASSES_ROOT (HKCR)
• Contains the information needed so that the correct program opens when a file is executed from Windows Explorer.
– HKEY_CURRENT_USER (HKCU)
• Contains the profile (settings, etc.) of the user that is logged in.
– HKEY_LOCAL_MACHINE (HKLM)
• Contains system-wide hardware settings and configuration information.
– HKEY_USERS (HKU)
• Contains the root of all user profiles that exist on the system.
– HKEY_CURRENT_CONFIG (HKCC)
• Contains information about the hardware profile used by the computer during start up.
• Sub Keys – These are essentially sub directories that exist under the Root Keys.