Practical Memory Forensics: Jumpstart effective forensic analysis of volatile memory
ISBN-13: 9781801070331

-- LINKS -- (When available, we use affiliate links and may earn a commission!)
Best Digital Forensics Books Links:
► Practical Memory Forensics: Jumpstart effective forensic analysis of volatile memory (2022): amzn.to/4eAy8fy... (Amazon)
► Practical Guide to Digital Forensics Investigations (the old one, 2020): amzn.to/3zv4tpj... (Amazon)
► The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory (2014): amzn.to/47DppXT... (Amazon)
I went on Amazon and bought it. The Art of Memory Forensics is always the one referenced as the book to buy. It was published in 2014, but I keep seeing it recommended in current instructions. What is your opinion?
@@CyDig Good to know. I've been doing the memory forensics labs from MemLabs and I'm finding that Volatility 3 isn't giving the same information as Volatility 2.6. Cmdline in vol 3 didn't show that the cmd.exe process ran python.exe; cmdscan in vol 2.6 did. I can see python.exe executed in vol 3, but only when I ran the userassist plugin. Are you finding any major gaps in forensic data between the two versions?
@@CyDig That would be great. Then you can see if you get the same results between the two. I would be highly interested in the results and your analysis.
Hi All, I hope you enjoy my videos. Could I ask you to support my channel by sharing my videos to help it grow? Don't forget to like and subscribe. Also, if you'd like me to create a new video on any topic related to cyber security and digital forensics, just let me know.
Definitely, I will share it on my socials. Also, I am a threat researcher and have started sharing some malware analysis and reversing content; if you're into that, give it a look!
Hey! Thank you for the video. I want to see more stuff on file carving, GPT analysis and extended partition analysis. I am actually just getting started in forensics and found your video really helpful for understanding the structure of DOS/MBR partitioned drives. Furthermore, I have downloaded the raw disk images you mentioned and have examined the second partition entry's metadata:
1. First byte set to 0x00, indicating a non-bootable partition
2. Partition type value 0x07, indicating an NTFS partition (FS type is NTFS)
3. Starting LBA address 0x32800 = 206,848 -> starting in-file offset 0x6500000
4. Size of the partition in sectors 0x27CD000 -> size of the partition in bytes 21,367,881,728 ≈ 21 GB
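The four field reads in the comment above are exactly what an MBR parser does for every slot of the partition table. The following Python is an added example, not code from the video or the commenter: it unpacks the four 16-byte entries at offset 0x1BE, checks the 0x55AA boot signature, converts LBA and sector counts to byte offsets, and flags overlapping entries (a cheap integrity check before you trust the table). The sample sector is constructed in code; its second entry reuses the values from the comment, and the first entry (a bootable 100 MB NTFS partition at LBA 2048) is an assumption added so the overlap check has something to compare.

```python
"""Parse the four primary partition entries of a DOS/MBR boot sector.

Constructed example: the sample sector below is built in code, not taken
from any real disk image; its second entry reproduces the field values
discussed above (type 0x07, start LBA 0x32800, size 0x27CD000 sectors).
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE          # partition table starts 446 bytes into the sector
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR
# Entry layout (little-endian): status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
ENTRY_FORMAT = "<B3xB3xII"

# Small, assumed subset of the MBR partition type codes (the real table is much longer).
PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended (CHS)", 0x07: "NTFS/exFAT/HPFS",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
    0x82: "Linux swap", 0x83: "Linux filesystem", 0xEE: "GPT protective",
}


@dataclass
class PartitionEntry:
    index: int
    status: int
    type_code: int
    start_lba: int
    size_sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_code, f"unknown (0x{self.type_code:02X})")

    @property
    def start_offset(self) -> int:        # byte offset of the partition inside the image
        return self.start_lba * SECTOR_SIZE

    @property
    def size_bytes(self) -> int:
        return self.size_sectors * SECTOR_SIZE

    @property
    def end_lba(self) -> int:             # last sector used by the partition (inclusive)
        return self.start_lba + self.size_sectors - 1

    @property
    def is_extended(self) -> bool:        # extended containers need a separate walk of the EBR chain
        return self.type_code in (0x05, 0x0F)


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Return the non-empty primary entries; raises if the sector is not an MBR."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing: not an MBR (or a damaged one)")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, type_code, start_lba, size = struct.unpack(ENTRY_FORMAT, sector[off:off + ENTRY_SIZE])
        if type_code == 0x00 and size == 0:
            continue                      # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02X}")
        entries.append(PartitionEntry(i, status, type_code, start_lba, size))
    return entries


def find_overlaps(entries: List[PartitionEntry]) -> List[Tuple[int, int]]:
    """Pairs of entry indexes whose sector ranges overlap (a sign of tampering or corruption)."""
    overlaps = []
    for a in entries:
        for b in entries:
            if a.index < b.index and a.start_lba <= b.end_lba and b.start_lba <= a.end_lba:
                overlaps.append((a.index, b.index))
    return overlaps


def describe(entries: List[PartitionEntry]) -> List[str]:
    return [
        f"#{e.index}: {'bootable' if e.bootable else 'non-bootable'}, {e.type_name}, "
        f"LBA {e.start_lba} (offset 0x{e.start_offset:X}), {e.size_sectors} sectors "
        f"({e.size_bytes / 1e9:.1f} GB / {e.size_bytes / 2**30:.1f} GiB)"
        for e in entries
    ]


def build_sample_mbr() -> bytes:
    """Constructed sector: a 100 MB bootable NTFS entry followed by the ~21 GB NTFS entry."""
    sector = bytearray(SECTOR_SIZE)
    table = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 204800)         # slot 0 (assumed)
    table += struct.pack(ENTRY_FORMAT, 0x00, 0x07, 0x32800, 0x27CD000)  # slot 1 (values from the comment)
    table += bytes(ENTRY_SIZE * 2)                                       # slots 2-3 empty
    sector[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE] = table
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for line in describe(parts):
        print(line)
    print("overlaps:", find_overlaps(parts))
```

To run it against a real image, pass the first 512 bytes of the raw file to parse_mbr. Note that the 21 GB figure in the comment is decimal; the same partition is about 19.9 GiB, which is what most tools display.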
Are you all delusional? Guidelines are legally pointless. If your company uses Cellebrite, you have no idea what it's doing to achieve the extraction; you would only know what they tell you it's doing, that's all. If you knew, you wouldn't be using Cellebrite.
Yet you don't have the source code for the program that gets used, so how do you meticulously document actions in programs when you don't know what they're actually doing?
You can do this via the Evidence Processor within EnCase. See my video: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-RG4ysj2dwg8.htmlsi=5AwyFS2cCBq7OUOt Make sure to tick Find Internet Artifacts. Hope this helps.
@@CyDig I did it. After the process completed, I ran the Case Analyzer. The Internet Activity tab showed me "Bookmarks, Cache-Image and Video, Cookies, Downloads, History-Domains, History URLs", but I do not see the searches done via web browsers. Did I miss something?
You may find more evidence about web activity within the Windows Registry. And remember that EnCase will not recover all activities and may not support all browsers.
I have created a memory dump of Kali Linux version 6.8.11-amd64 using the avml command, but Volatility 3 is not showing results; it shows "Unsatisfied requirement plugins.Bash.kernel: A translation layer requirement was not fulfilled, A symbol table requirement was not fulfilled". Please help.
Hi, try watching my other video on how to install and configure Volatility 3 for Windows OS: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE--bMde2glwnE.html
@@shubhamxthakur_01 I have tried this on my Linux PC. You only need to download the symbol table from downloads.volatilityfoundation.org/volatility3/symbols/windows.zip into volatility3/symbols/ as a zip file and it should work. I will try to create a new video about this soon.
@@CyDig Sir, you didn't get me. I'm talking about a RAM dump of Kali Linux, not Windows. Yes, I know it's a bit confusing, since we can analyze a Windows dump on a Linux system and a Linux dump on a Windows system, but my point here is about the RAM dump of Kali Linux, which requires the Linux plugins and symbols to work. Unfortunately, I can't figure it out because the website tells you to create the symbols on your own according to the kernel version.
Sir, I followed your instructions. Getting a RAM dump file that contained the complete content of the target JPEG file was impossible for me. I was able to locate the JPEG file by searching for the standard JPEG header (signature) and the target JPEG file's metadata (camera company). However, the RAM dump file only had the JPEG header, not the entire content. I noticed that my JPEG file's content was segmented everywhere in RAM and was impossible to retrieve. Can I ask how you captured the RAM to begin with? What I did was basically open the JPEG file right before capturing RAM. I used Magnet RAM Capture.
What you have done is correct. You open the file (picture) and then take the RAM image, as when you open any file it will be loaded into RAM. To help you recover any picture, try first with a picture that is very small in size and follow my steps in the video. I am 100% sure you will be able to recover it. Thanks.
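The exchange above is the classic header-to-trailer carving problem: a small picture fits in one run of physical pages and carves out whole, while a larger one is spread over non-adjacent pages, so a forward scan from FF D8 finds the header and its metadata but never a matching FF D9 in the right place. The Python below is an added example, not code from the video, modelling exactly that on a constructed "memory image" (no real dump, no real photo; the two JPEGs are minimal marker skeletons built in code, with "Canon" and "Nikon" as assumed COM-segment strings standing in for the camera maker the commenter searched for).

```python
"""Signature-carve JPEG files out of a raw memory image.

Constructed example: the 'memory image' and both JPEGs below are built in
code (no real dump, no real photo). It models what the thread describes: a
small picture that sits in one run of pages carves out whole, a larger one
whose pages are scattered yields only its header and metadata.
"""
import re
import struct
from dataclasses import dataclass
from typing import List

PAGE = 4096
MAX_JPEG = 64 * 1024                      # stop looking for an EOI after this many bytes
SOI = b"\xFF\xD8"                         # start of image
EOI = b"\xFF\xD9"                         # end of image
# SOI immediately followed by APP0 (JFIF) or APP1 (Exif); plain FF D8 FF gives too many false hits
HEADER_RE = re.compile(rb"\xFF\xD8\xFF[\xE0\xE1]")


@dataclass
class Carved:
    offset: int          # where the header was found in the image
    data: bytes          # carved bytes (up to and including EOI if one was found)
    complete: bool       # False when no EOI turned up within MAX_JPEG


def carve_jpegs(mem: bytes, max_size: int = MAX_JPEG) -> List[Carved]:
    """Header-to-trailer carving: assumes the file is stored contiguously after its header."""
    found = []
    for m in HEADER_RE.finditer(mem):
        window = mem[m.start():m.start() + max_size]
        end = window.find(EOI)
        if end == -1:
            found.append(Carved(m.start(), window, complete=False))
        else:
            found.append(Carved(m.start(), window[:end + 2], complete=True))
    return found


def jpeg_metadata(blob: bytes) -> dict:
    """Walk the length-prefixed marker segments up to SOS; return markers seen and any COM text."""
    if blob[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    info = {"markers": [], "comment": None}
    pos = 2
    while pos + 4 <= len(blob) and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        if marker == 0xD9:
            break
        length = struct.unpack(">H", blob[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        payload = blob[pos + 4:pos + 2 + length]
        info["markers"].append(marker)
        if marker == 0xFE:                                        # COM: where a maker string may live
            info["comment"] = payload.decode("latin-1")
        pos += 2 + length
        if marker == 0xDA:                                        # SOS: entropy-coded data follows
            break
    return info


def build_jpeg(comment: bytes, body_len: int) -> bytes:
    """Minimal structurally valid JPEG skeleton (constructed; not a decodable picture)."""
    app0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xFF\xFE" + struct.pack(">H", 2 + len(comment)) + comment
    sos = b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
    body = b"\x10" * body_len              # scan-data stand-in; contains no 0xFF so no fake markers
    return SOI + app0 + com + sos + body + EOI


SMALL_JPEG = build_jpeg(b"Canon", 760)     # ~800 bytes, fits inside one page
LARGE_JPEG = build_jpeg(b"Nikon", 12000)   # ~12 KB, spans three pages


def build_sample_memory() -> bytes:
    """16 pages of zeros; the small file is contiguous, the large one's pages are scattered."""
    mem = bytearray(16 * PAGE)
    mem[3 * PAGE:3 * PAGE + len(SMALL_JPEG)] = SMALL_JPEG
    chunks = [LARGE_JPEG[i:i + PAGE] for i in range(0, len(LARGE_JPEG), PAGE)]
    # pages 10, 5, 7: the continuation pages sit *before* the header page in physical memory
    for page_no, chunk in zip((10, 5, 7), chunks):
        mem[page_no * PAGE:page_no * PAGE + len(chunk)] = chunk
    return bytes(mem)


if __name__ == "__main__":
    for c in carve_jpegs(build_sample_memory()):
        meta = jpeg_metadata(c.data)
        print(f"offset 0x{c.offset:X}: {len(c.data)} bytes, complete={c.complete}, comment={meta['comment']!r}")
```

Both hits report the maker string, because the marker segments live in the header page; only the contiguous one is marked complete and byte-identical to the original. Reassembling the scattered case needs page-table information (which Volatility's process-memory plugins have and a raw signature scan does not), which is why the small-file test in the reply works and the large one did not.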
@@CyDig Sir, I tried with a very small (800 B) JPG and it worked! I am so happy. I was struggling with this issue for a couple of hours 😅 Thank you and have a great day.
Thank you very much, sir, from Chile. Could you recommend a cheap USB write blocker? I am starting out in the forensic world and I don't have much money to start my tests.
There are plenty of write blockers available in the market. Before choosing one, it's important to consider the source of evidence - whether it's from USB drives, hard drives, mobile phones, etc. Not all write blockers support all devices, so knowing your specific requirements is essential before purchasing.
You can only recover all of that data while the computer is on. Once you shut down the computer, the data will be lost. That's why it's called volatile data, and live forensics.
Hello, how can I get the UUID of a device from its memory dump? I have looked everywhere but could not find it. It would be great to receive some help. Thank you.
Hi, I don't have a direct answer to that, but you can use yarascan to find simple patterns like a UUID, or you may use the strings command. Here is my video about Volatility 3 and the Select-String command: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Nh9H3qQ8wBY.htmlsi=YXXzU6gtpM3hVeOf I hope that helps.
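A pattern scan for UUIDs has one caveat worth building in: on Windows, registry values, COM and .NET metadata store GUIDs as UTF-16LE, so a plain strings pass (without -el) or an ASCII-only YARA string misses them. The Python below is an added example, not code from the video, that scans a raw dump for the 8-4-4-4-12 hex shape in both encodings, groups hits by value, and pulls the nearest printable label before each hit so you can tell a MachineGuid from a random COM class ID. SAMPLE_DUMP is a hand-built byte string (not a real dump) and "MachineGuid" is used only as an illustrative value name; the same regex dropped into a YARA rule works with Volatility's yarascan.

```python
"""Scan a raw memory image for UUID/GUID strings in the two encodings Windows
keeps them in: ASCII/UTF-8 and UTF-16LE (the registry, COM and .NET mostly use
the latter, which a plain `strings` run without -el does not see).

Constructed example: SAMPLE_DUMP is a hand-built byte string, not a real dump;
'MachineGuid' is used as an illustrative value name.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

HEX = rb"[0-9a-fA-F]"
UUID_ASCII = re.compile(HEX + rb"{8}-(?:" + HEX + rb"{4}-){3}" + HEX + rb"{12}")
# same shape, but every character is followed by a NUL byte (UTF-16LE)
H16 = rb"(?:[0-9a-fA-F]\x00)"
UUID_UTF16 = re.compile(H16 + rb"{8}-\x00(?:" + H16 + rb"{4}-\x00){3}" + H16 + rb"{12}")

Hit = Tuple[int, str]   # (offset in the image, encoding the match was found in)


def scan_uuids(mem: bytes) -> Dict[str, List[Hit]]:
    """Map each distinct UUID (lower-cased) to every offset/encoding it was seen at."""
    hits = defaultdict(list)
    for m in UUID_ASCII.finditer(mem):
        hits[m.group().decode("ascii").lower()].append((m.start(), "ascii"))
    for m in UUID_UTF16.finditer(mem):
        hits[m.group().decode("utf-16-le").lower()].append((m.start(), "utf-16le"))
    return dict(hits)


def label_before(mem: bytes, offset: int, window: int = 32) -> str:
    """Nearest printable run preceding a hit, e.g. the registry value name it was stored under."""
    chunk = mem[max(0, offset - window):offset].replace(b"\x00", b"")   # collapses UTF-16LE too
    runs = re.findall(r"[\x20-\x7e]+", chunk.decode("latin-1"))
    return runs[-1].rstrip("{") if runs else ""                          # drop a leading GUID brace


# Constructed dump: one GUID stored twice (ASCII, then UTF-16LE in braces as the
# registry would hold it), one decoy that is not a UUID, and a second ASCII GUID.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"MachineGuid\x00" + b"3f2504e0-4f89-11d3-9a0c-0305e82c3301" + b"\x00" * 16
    + "MachineGuid".encode("utf-16-le") + b"\x00\x00"
    + "{3F2504E0-4F89-11D3-9A0C-0305E82C3301}".encode("utf-16-le") + b"\x00" * 16
    + b"not-a-uuid-1234" + b"\x00" * 8
    + b"6ba7b810-9dad-11d1-80b4-00c04fd430c8"
)


def report(mem: bytes) -> List[str]:
    """One line per distinct UUID with every offset, encoding and nearby label."""
    lines = []
    for uuid, hits in sorted(scan_uuids(mem).items()):
        where = ", ".join(f"0x{off:X} ({enc}, near '{label_before(mem, off)}')" for off, enc in hits)
        lines.append(f"{uuid}: {where}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP):
        print(line)
```

For a real image, read the dump file in binary and pass it to report; the grouping by value is what makes the output usable, because a machine GUID typically shows up dozens of times across registry hives, event-log buffers and process heaps, and the label next to the first few hits is usually enough to identify which one is the device identifier you are after.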