In my point of view, SIFT is the definitive forensic toolkit!
In a comment on my article Volatility, my own cheatsheet (Part 3): Process Memory, Fabrizio asked me: "[…] from a memory dump on a Win7 system, I found out that Notepad was running; is it possible to view its contents?" …
On some occasions you need to acquire an image of a computer using a boot disk and network connectivity.
Every analyst refines their own workflow for timeline creation through day-to-day experience. Today I propose mine.
Malware authors have always looked for new techniques to stay invisible. This includes being invisible on the compromised machine, but it is even more important to hide malicious indicators and behavior during analysis.
During a penetration test, you could be lucky enough to find an RCE vulnerability: in this case, the next step should be to obtain an interactive shell.