<p>DFIR Science feed (<a href="https://dfir.science/feed.xml">https://dfir.science/feed.xml</a>), generated by Jekyll, last updated 2022-11-16T06:27:32+09:00. Tutorials and research about the science and practice of digital forensics and incident response. Author: Joshua I. James.</p>
<h1 id="ileapp-and-rleapp-updates-and-dev-thoughts">iLEAPP and RLEAPP updates and dev thoughts</h1>
<p>Published 2022-08-18T06:11:22+09:00 at <a href="https://dfir.science/2022/08/iLEAPP-and-RLEAPP-updates">https://dfir.science/2022/08/iLEAPP-and-RLEAPP-updates</a></p>
<p>Alex (<a href="https://twitter.com/kviddy">@kviddy</a>) has been pushing some extremely useful updates to the open-source Android forensic tool <a href="https://github.com/abrignoni/ALEAPP">ALEAPP</a>. Specifically, they introduced modular artifact definitions and loadable profiles.</p>
<p>Modular artifact definitions mean that an artifact and its parsing code are now contained in one file. Drop a parser into the <a href="https://github.com/abrignoni/ALEAPP/tree/master/scripts/artifacts">scripts/artifacts</a> folder, and it will be detected automatically. This detection is made possible by an artifact definition at the end of the script that looks like this:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code>__artifacts__ = {
    "bashHistory": (            # key name that identifies the module
        "Bash History",         # pretty name shown in the report
        ('**/.bash_history'),   # path pattern(s) of the files to find
        get_BashHistory)        # entry point: the parser function in this script
}
</code></pre></div></div>
<p>First we specify that this is an artifact structure. Then we have the <code class="language-plaintext highlighter-rouge">keyname</code> bashHistory, the <code class="language-plaintext highlighter-rouge">pretty name</code> ‘Bash History’, the location(s) of the files to find, which are regular expressions for the path and can be a comma-separated list, and finally the entry point into the parser script (get_SOMETHING).</p>
<p>Drop-in modules make development, maintenance, and portability much, much easier. It also enables loadable profiles…</p>
<p>Loadable profiles are found in the GUI version of ALEAPP (aleappGUI.py). Select which modules you want in your profile, then click “Save Profile.” As more modules are added, this can help you focus your investigation on only the modules you use the most. Note that if you select all modules, it will skip modules where no data is found. The speed-up is not very significant, but there is some benefit to selecting only the modules you need.</p>
<h2 id="ileapp-and-rleapp">iLEAPP and RLEAPP</h2>
<p>These features are so useful to the community that we decided to port them over to <a href="https://github.com/abrignoni/iLEAPP/pull/325">iLEAPP</a> and <a href="https://github.com/abrignoni/RLEAPP/pull/111">RLEAPP</a>. Alex’s code is so clean that the porting was very easy.</p>
<p>There were also some awesome <a href="https://github.com/abrignoni/ALEAPP/pull/280">optimizations</a> added to ALEAPP by bconstanzo that improve processing speed. They have also been ported to iLEAPP and RLEAPP.</p>
<h2 id="whats-next">What’s next?</h2>
<p>Now that artifact definitions are modular and profiles can be created to run at specific times, I would like to see a <em>core</em> LEAPP created. Porting changes duplicates work, and you can see how each project starts to drift slightly. Although each LEAPP project uses the same base code, eventually, small changes creep in that make maintaining the project harder.</p>
<h3 id="leapp-core">LEAPP Core?</h3>
<p>There are at least two ways that a core LEAPP could be managed. The first is to create a ‘LEAPP core’ that becomes a <a href="https://git-scm.com/book/en/v2/Git-Tools-Submodules">git submodule</a> for each of the current project repositories. You would clone the repository, pull in required sub-modules (the core), and then run/build per usual. This is fairly standard for larger projects, and it would keep the separate project concept while centralizing the core maintenance.</p>
<p>The second way is to combine all the LEAPPs into one project and use the new profile features to select modules based on the data type. This would be easier to maintain and probably easier for users, but it would require much more profile support work upfront.</p>
<h3 id="testing">Testing</h3>
<p>I would also like to see more automated optimization and unit tests created. The testing bconstanzo did led to some significant performance enhancements with very few changes. I think optimization and unit testing would be way easier with the new modular system.</p>
<p>It would also be cool if we could find a way to integrate testing with the <a href="https://github.com/AndrewRathbun/DFIRArtifactMuseum">DFIR Artifact Museum</a>.</p>
<h2 id="more-to-come">More to come</h2>
<p>Ultimately, the decision is up to <a href="https://twitter.com/AlexisBrignoni">Alexis</a>. He has done an amazing job with the project, and I’m sure whatever he decides will be AWESOME. Thanks to everyone that works on all of these great projects.</p>
<h1 id="what-data-can-you-find-in-ram">What data can you find in RAM?</h1>
<p>Published 2022-08-17T00:46:18+09:00 at <a href="https://dfir.science/2022/08/What-data-can-you-find-in-RAM">https://dfir.science/2022/08/What-data-can-you-find-in-RAM</a></p>
<p>To determine if you need to collect Random Access Memory on-scene, it is useful to know what kind of investigation-relevant data is often available in RAM.</p>
<p>Random Access Memory forensics starts with acquiring RAM from a live (turned on) system. There are several ways to collect the contents of RAM from a computer. Almost all of them require Live Data Forensics, a type of forensic practice that deals with computers or devices powered on, and the data is changing.</p>
<p>To do Live Data Forensics of any kind, you need to know how Random Access Memory works, how it changes, and how your actions on the target system will affect possible evidence in RAM (and on a hard drive).</p>
<!-- Courtesy of embedresponsively.com -->
<div class="responsive-video-container">
<iframe src="https://www.youtube-nocookie.com/embed/kkHNhtpa0SU" frameborder="0" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""></iframe>
</div>
<h3 id="ram-acquisiton-and-analysis-tutorial">RAM Acquisition and Analysis Tutorial</h3>
<p>We have a full course on Random Access Memory acquisition and forensic analysis. Use this link to get 5% off the FULL COURSE on <a href="https://learn.dfir.science/courses/RAM-Forensics-Tutorial?coupon=YOUTUBERAM5">RAM Acquisition and Analysis</a>.</p>
<h1 id="modular-artifact-scripts-coming-to-ileapp">Modular artifact scripts coming to iLEAPP</h1>
<p>Published 2022-08-13T06:58:28+09:00 at <a href="https://dfir.science/2022/08/Modular-artifact-scripts-coming-to-iLEAPP">https://dfir.science/2022/08/Modular-artifact-scripts-coming-to-iLEAPP</a></p>
<p><a href="https://twitter.com/kviddy">kviddy</a> has been pushing some great core updates to <a href="https://github.com/abrignoni/ALEAPP">ALEAPP</a>. Specifically, artifact scripts are now self-contained. This means that script authors no longer need to update an artifacts list. Instead, they can write their parser script, drop it into the scripts folder, and DONE! Awesome.</p>
<p>This change also makes it easier to create “run filters” based on the datasets you are processing. For example, say you are only interested in calendar and SMS artifacts for most of your cases. Now you can create a parsing filter to run just the selected modules. One click and done! This is extremely useful since the list of supported artifacts in all LEAPPs is getting very large.</p>
<p>These updates are already rolled out to ALEAPP v3.0+. Go check it out!</p>
<p>These great features, however, were not pushed to iLEAPP and others yet, so I’ve started working on that. iLEAPP modular artifact scripts based on kviddy’s work were <a href="https://github.com/abrignoni/iLEAPP/pull/325">submitted</a> this week. I am currently working on the selectable script filters and updating everything in RLEAPP.</p>
<p>After that, I want to start working on LEAPP core optimization. I suspect the new way of calling scripts may see better performance with concurrency or multiprocessing. Needs more testing.</p>
<h1 id="forensic-4cast-awards-the-real-award-is-dfriends-we-made-along-the-way">Forensic 4:Cast Awards - The real award is DFriends we made along the way</h1>
<p>Published 2022-08-12T06:53:40+09:00 at <a href="https://dfir.science/2022/08/Forensic-4:Cast-Awards-The-real-award-is-DFriends-we-made-along-the-way">https://dfir.science/2022/08/Forensic-4:Cast-Awards-The-real-award-is-DFriends-we-made-along-the-way</a></p>
<p>Come hang out with the nominees for the Forensic 4:Cast “Best DFIR Show of the Year”: <a href="https://www.13cubed.com/">13Cubed</a>, <a href="https://cellebrite.com/en/series/beg-dfir/">I Beg to DFIR</a>, and <a href="https://youtube.com/dfirscience">DFIR Science</a>!</p>
<p>We will have a chat immediately after day 2 of the SANS DFIR Summit 2022. We will be talking about the state of digital forensics and what each show is planning for next year!</p>
<!-- Courtesy of embedresponsively.com -->
<div class="responsive-video-container">
<iframe src="https://www.youtube-nocookie.com/embed/zvrIH6lGOZs" frameborder="0" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""></iframe>
</div>
<h1 id="digital-forensics-and-the-military-interview-with-andrew-lister">Digital Forensics and the Military - Interview with Andrew Lister</h1>
<p>Published 2022-08-11T06:51:17+09:00 at <a href="https://dfir.science/2022/08/Digital-Forensics-and-the-Military-Interview-with-Andrew-Lister">https://dfir.science/2022/08/Digital-Forensics-and-the-Military-Interview-with-Andrew-Lister</a></p>
<p>We often talk about digital forensics in criminal and civil investigations, but a lot of innovation happens in military acquisition and investigations. Join us on August 15th, 2022 as we speak with Andrew Lister from Detego Global about starting a digital forensics career via the military.</p>
<p>We will also be giving away some amazing prizes from Detego! <a href="https://www.mcmsolutions.co.uk">https://www.mcmsolutions.co.uk</a></p>
<!-- Courtesy of embedresponsively.com -->
<div class="responsive-video-container">
<iframe src="https://www.youtube-nocookie.com/embed/cRxUZTRMpD8" frameborder="0" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""></iframe>
</div>
<h1 id="acquire-and-analyze-random-access-memory">Acquire and Analyze Random Access Memory</h1>
<p>Published 2022-07-28T05:04:57+09:00 at <a href="https://dfir.science/2022/07/Acquire-and-Analyze-Random-Access-Memory">https://dfir.science/2022/07/Acquire-and-Analyze-Random-Access-Memory</a></p>
<p>DFIR Science has launched a new course on <a href="https://learn.dfir.science">learn.dfir.science</a> on how to <a href="https://learn.dfir.science/courses/RAM-Forensics-Tutorial">Collect and Analyze Random Access Memory</a>.</p>
<p><a href="https://learn.dfir.science/courses/RAM-Forensics-Tutorial"><img src="assets/images/posts/ramcourse.webp" alt="The course has six sections and over 42 lessons on acquisition and investigation of Random Access Memory" /></a></p>
<p>There are over 42 lessons - over 3 hours of content - covering RAM acquisition and analysis in Windows and Linux systems. The course includes a certificate of completion and a RAM analysis reference guide.</p>
<p>Learn how to include RAM in your investigations!</p>
<h1 id="what-is-random-access-memory">What is Random Access Memory?</h1>
<p>Published 2022-07-26T23:00:15+09:00 at <a href="https://dfir.science/2022/07/What-is-Random-Access-Memory">https://dfir.science/2022/07/What-is-Random-Access-Memory</a></p>
<p>Random Access Memory forensics starts with acquiring RAM from a live (turned on) system. There are several ways to collect the contents of RAM from a computer. Almost all of them require Live Data Forensics, a type of forensic practice that deals with computers or devices powered on, and the data is changing.</p>
<p>To do Live Data Forensics of any kind, you need to know how Random Access Memory works, how it changes, and how your actions on the target system will affect possible evidence in RAM (and on a hard drive).</p>
<!-- Courtesy of embedresponsively.com -->
<div class="responsive-video-container">
<iframe src="https://www.youtube-nocookie.com/embed/7CqWBw6aOrs" frameborder="0" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""></iframe>
</div>
<h3 id="ram-acquisiton-and-analysis-tutorial">RAM Acquisition and Analysis Tutorial</h3>
<p>We have a full course on Random Access Memory acquisition and forensic analysis. Use this link to get 5% off the FULL COURSE on <a href="https://learn.dfir.science/courses/RAM-Forensics-Tutorial?coupon=YOUTUBERAM5">RAM Acquisition and Analysis</a>.</p>
<h2 id="related-books">Related books</h2>
<ul>
<li><a href="https://amzn.to/3OqYeEk">Practical Malware Analysis</a></li>
<li><a href="https://amzn.to/3J0AJ3T">Operating System Concepts</a></li>
</ul>
<h1 id="dfir-science-nominated-for-forensic-4cast-award">DFIR Science nominated for Forensic 4:cast Award</h1>
<p>Published 2022-07-16T01:12:00+09:00 at <a href="https://dfir.science/2022/07/DFIR-Science-nominated-for-Forensic-4Cast-Award">https://dfir.science/2022/07/DFIR-Science-nominated-for-Forensic-4Cast-Award</a></p>
<p>The DFIR Science YouTube channel was <a href="https://forensic4cast.com/2022/06/2022-forensic-4cast-awards-voting-is-now-open/">nominated</a> for the 2022 Forensic 4:cast Awards under “DFIR Show of the Year”!</p>
<p><strong>THANK YOU</strong> to everyone that thought of us for nomination! This is the first time we have been nominated for a Forensic 4:cast award. I still can’t believe it!</p>
<!-- Courtesy of embedresponsively.com -->
<div class="responsive-video-container">
<iframe src="https://www.youtube-nocookie.com/embed/9KxonH0OaUw" frameborder="0" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""></iframe>
</div>
<p>Voting is now open to select the winner. <strong><a href="https://forms.gle/nRDGNP2qeEVPPyPj6">VOTE HERE (for DFIR Science Show of the Year)</a></strong></p>
<h2 id="why-do-we-run-the-youtube-channel">Why do we run the YouTube channel?</h2>
<p>Because we want to help as many people as possible learn about technology, digital forensics and security. We get a lot of comments and questions like this:</p>
<p><img src="/assets/images/posts/reviews/ytcomment003.webp" alt="YouTube comment saying thanks for the video and asking about hard disk drives." /></p>
<p>I love helping beginners and experts find resources so they can learn and investigate better. DFIR Science videos try to supplement other content and provide additional context. Some people just learn better with audio/visual than text.</p>
<p><img src="/assets/images/posts/reviews/ytcomment004.webp" alt="YouTube comment saying the video is better than their course textbook." /></p>
<p>Nothing wrong with different learning styles. The DFIR community is good at providing resources in many different formats.</p>
<p>But overall we do it to help that one investigator that might be in a lab by themselves with no budget and left to “figure it out.”</p>
<p><img src="/assets/images/posts/reviews/ytcomment001.webp" alt="YouTube comment saying thank you for the videos." /></p>
<p><img src="/assets/images/posts/reviews/ytcomment002.webp" alt="YouTube comment saying thank you for the videos." /></p>
<p><img src="/assets/images/posts/reviews/ytcomment005.webp" alt="YouTube comment saying thank you for the videos." /></p>
<p>Knowing that we’ve helped someone is why we do it.</p>
<h2 id="nominees">Nominees</h2>
<p>We are competing in the same category with the excellent <a href="https://www.13cubed.com/">13Cubed</a> and Cellebrite’s <a href="https://cellebrite.com/en/series/beg-dfir/">I Beg to DFIR</a>. Two shows that I listen to often as well. It’s gonna be tough!</p>
<h2 id="other-categories">Other categories</h2>
<ul>
<li>DFIR Commercial Tool of the Year
<ul>
<li><a href="https://cellebrite.com/">Cellebrite</a></li>
<li><a href="https://www.magnetforensics.com/">Magnet Forensics</a></li>
<li><a href="https://belkasoft.com/">Belkasoft</a></li>
</ul>
</li>
<li>DFIR Non-Commercial Tool of the Year
<ul>
<li><a href="https://www.autopsy.com/">Autopsy</a></li>
<li><a href="https://velociraptor.velocidex.com/">Velociraptor</a></li>
<li><a href="https://github.com/abrignoni">xLEAPP</a></li>
</ul>
</li>
<li>DFIR Blog of the Year
<ul>
<li><a href="https://cellebrite.com/en/blog/">Cellebrite</a></li>
<li><a href="https://blog.d204n6.com/">D20 Forensics</a></li>
<li><a href="https://thisweekin4n6.com/">This Week in 4n6</a></li>
</ul>
</li>
<li>DFIR Book of the Year
<ul>
<li><a href="https://amzn.to/3IGvZjA">Practical Linux Forensics</a></li>
<li>Practical Mobile Forensics (I think it is <a href="https://amzn.to/3RD30kT">this one</a> but I’m not sure.)</li>
<li><a href="https://amzn.to/3Od4z6d">X-Ways Practitioner Guide 2nd Ed</a></li>
</ul>
</li>
<li>DFIR Article of the Year
<ul>
<li><a href="https://www.ediscoverydude.com/2022/03/air-tag-youre-it.html">Air-Tag, You’re It</a></li>
<li><a href="https://www.sans.org/blog/six-steps-to-successful-mobile-validation-paper/">Six Steps to Mobile Validation</a></li>
<li><a href="https://www.forensicfocus.com/articles/writing-dfir-reports-a-primer/">Writing DFIR Reports - A Primer</a></li>
</ul>
</li>
<li>DFIR Social Media Contributor of the Year
<ul>
<li>Alexis Brignoni</li>
<li>Heather Mahalik</li>
<li>Jessica Hyde</li>
</ul>
</li>
<li>DFIR Degree or Training Program of the Year
<ul>
<li>SANS</li>
<li>Magnet Forensics</li>
<li>Cellebrite</li>
</ul>
</li>
<li>DFIR CTF of the Year
<ul>
<li>Belkasoft</li>
<li>Cellebrite</li>
<li>Magnet Forensics</li>
</ul>
</li>
<li>DFIR Newcomer of the Year
<ul>
<li>Scott Koenig</li>
<li>Josh Brunty</li>
<li>DFIR Diva</li>
</ul>
</li>
<li>DFIR Resource of the Year
<ul>
<li><a href="https://discordapp.com/invite/JUqe9Ek">Digital Forensics Discord</a> - <a href="https://aboutdfir.com/a-beginners-guide-to-the-digital-forensics-discord-server/">Guide</a> if you’ve never used Discord before</li>
<li><a href="https://thisweekin4n6.com/">This Week in 4n6</a></li>
<li><a href="https://dfir.training">DFIR Training</a></li>
</ul>
</li>
<li>DFIR Team of the Year
<ul>
<li>Magnet Forensics</li>
<li>Oxygen</li>
<li>Cellebrite</li>
</ul>
</li>
<li>Digital Forensic Investigator of the Year
<ul>
<li>Jessica Hyde</li>
<li>Ian Whiffin</li>
<li>Alexis Brignoni</li>
</ul>
</li>
</ul>
<p>A lot of amazing DFIR people and resources! Make sure you <strong><a href="https://forms.gle/nRDGNP2qeEVPPyPj6">VOTE (for DFIR Science Show of the Year)</a></strong>!</p>
<h1 id="africa-dfir-ctf-2022-award-ceremony">🇺🇳 Africa DFIR CTF 2022 Award Ceremony 🎉</h1>
<p>Published 2022-07-06T03:33:17+09:00 at <a href="https://dfir.science/2022/07/Africa-DFIR-CTF-2022-Award-Ceremony">https://dfir.science/2022/07/Africa-DFIR-CTF-2022-Award-Ceremony</a></p>
<p>Huge DFIR stream with a lot of Q&amp;A. Check out the chapter times below!</p>
<p>🎉 The Africa DFIR CTF 2022 is finished! It ran from 2022-05-30 to 2022-06-27 - four weeks of digital forensic challenges. We covered Linux computer disk investigation, cryptocurrency investigation, dark web investigation, and a few people finally found the suspect and wrote amazing forensic reports!</p>
<p>In this event, we live stream the United Nations Office on Drugs and Crime award ceremony.</p>
<!-- Courtesy of embedresponsively.com -->
<div class="responsive-video-container">
<iframe src="https://www.youtube-nocookie.com/embed/F6LLq7EFFH0" frameborder="0" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""></iframe>
</div>
<h1 id="fast-password-cracking-hashcat-wordlists-from-ram">Fast password cracking - Hashcat wordlists from RAM</h1>
<p>Published 2022-06-15T22:53:04+09:00 at <a href="https://dfir.science/2022/06/Fast-password-cracking-Hashcat-wordlists-from-RAM">https://dfir.science/2022/06/Fast-password-cracking-Hashcat-wordlists-from-RAM</a></p>
<p>Password cracking often takes a long time. Brute force is normally your last option. But before that, a wordlist usually helps guess the password faster.</p>
<p>Popular wordlists like Rockyou are good for general cases, but making password lists specific to the user can produce faster results. One of the best data sources to produce a customized wordlist is a target’s RAM.</p>
<p>We show how to use <code class="language-plaintext highlighter-rouge">strings</code> to extract password candidates from a RAM dump and use the resulting wordlist with Hashcat, a high-powered password cracking software.</p>
<!-- Courtesy of embedresponsively.com -->
<div class="responsive-video-container">
<iframe src="https://www.youtube-nocookie.com/embed/lOTDevvqOq0" frameborder="0" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""></iframe>
</div>
<h2 id="links">Links</h2>
<ul>
<li><a href="https://hashcat.net/hashcat/">Hashcat Official</a></li>
<li><a href="https://amzn.to/3Hmpe63">Hash Crack: Password Cracking Manual v3</a></li>
</ul>