Best Tools for Forensic Data Acquisition | MagnetRam, FTK Imager, Dumpit | Windows Forensics

  • Published: 5 Jan 2025

Comments • 44

  • @BlackPerl
    @BlackPerl  3 years ago

    Hey All..
    Here I present my favorite forensic acquisition tools!! I tried to make the video to the point and crisp. I hope you will enjoy it and replicate the same in your day-to-day job. 😊 Feel free to share your feedback and post all your queries... Also, don't forget to hit the LIKE. 😊

  • @thedevsecopsguy
    @thedevsecopsguy 3 years ago +1

    I have been watching your channel since the beginning. I am not so social, so normally I do not comment. However, I would like to say that your content and videos are amazing. Keep up the work and thanks for all the amazing content.

    • @BlackPerl
      @BlackPerl  3 years ago +1

      Hey Buddy!!
      Thanks a lot, buddy, for such kind words.. I really appreciate it.
      You know, such inspiration from people like you always keeps me motivated.. Thanks again. Stay tuned!

  • @ronmac2934
    @ronmac2934 3 years ago +1

    Lovely Episode. Enjoyed it a lot. Thanks

  • @christopherconnolly3441
    @christopherconnolly3441 3 years ago +2

    This episode was for RAM captures, but you created a full disk image of your USB drive with FTK Imager and not the RAM of the VM.

    • @BlackPerl
      @BlackPerl  3 years ago

      I created this episode keeping in mind the whole set of acquisition techniques, be it a full disk image or only a memory image. Both are important for analysis anyway, right!!
      So, I did 2 memory dumps using DumpIt and MagnetRam and 1 full disk image with FTK!! 😊
      If you want to capture RAM using FTK, there is a direct option to do that in the drop-down, but I wouldn't recommend doing that. Since FTK is a multithreaded and heavyweight process, it tends to leave a 10 times larger footprint on the machine, which can be a negative when investigating the volatile memory!

  • @Lexzee_Lee
    @Lexzee_Lee 3 years ago +1

    I noticed DumpIt did not show us an acquisition summary. Does it not verify the hash of the image automatically? Is there any switch to generate the hash of the image?

    • @BlackPerl
      @BlackPerl  3 years ago +1

      DumpIt is considered a software-based acquisition, meaning software has to be run on the target machine, which adds some data to the memory (e.g. command history). But nothing else.
      While it doesn't show us the hash, you need to do one extra step for that, like "md5sums .raw".
      We don't have an option to add this by default in DumpIt, but you can customize the whole tool at the code level to add that feature. Ref- github.com/CharlMeyers/AutopsyVolatilityPlugin
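An added example (not from the video, and not part of DumpIt) that covers the missing step discussed above: hash the acquired .raw image in one streaming pass, write an FTK Imager-style acquisition summary beside it, and re-verify the image against that summary later. The file name memdump.raw, the summary layout and the three-byte sample payload are assumptions made for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024          # stream in 4 MiB pieces; a RAM image can be many GB
ALGOS = ("md5", "sha1", "sha256")


def hash_image(path):
    """Read the image once, feeding every chunk to all digests; return size + hashes."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {"size": size, **{n: h.hexdigest() for n, h in hashers.items()}}


def write_summary(image_path, digests):
    """Write an FTK Imager-style acquisition summary text file beside the image."""
    summary_path = image_path + ".summary.txt"
    lines = [f"Image file: {os.path.basename(image_path)}", f"Size: {digests['size']}"]
    lines += [f"{n.upper()}: {digests[n]}" for n in ALGOS]
    with open(summary_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return summary_path


def verify_image(image_path, summary_path):
    """Re-hash the image and compare with the recorded summary (chain-of-custody check)."""
    recorded = {}
    with open(summary_path, encoding="utf-8") as fh:
        for line in fh:
            key, _, value = line.rstrip("\n").partition(": ")
            recorded[key.lower()] = value
    current = hash_image(image_path)
    return (int(recorded["size"]) == current["size"]
            and all(recorded[n] == current[n] for n in ALGOS))


def demo(payload=b"abc", tamper=False):
    """Constructed stand-in for a DumpIt .raw file: hash it, write the summary, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "memdump.raw")        # assumed file name
        with open(image, "wb") as fh:
            fh.write(payload)                           # constructed sample content
        digests = hash_image(image)
        summary = write_summary(image, digests)
        if tamper:                                      # simulate a modified image
            with open(image, "ab") as fh:
                fh.write(b"\x00")
        return digests, verify_image(image, summary)
```

On a real acquisition, call hash_image and write_summary on the .raw file immediately after DumpIt finishes, and verify_image on every copy before analysis.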

  • @futurebuddies5335
    @futurebuddies5335 3 years ago +1

    Nice work. Any specific reason you have chosen these 3 tools over WinPmem, Mandiant, Belka etc.??

    • @BlackPerl
      @BlackPerl  3 years ago +1

      I love DumpIt as this is the quickest, puts around 4 reg keys + 44 DLLs only, and since this runs in CMD, consumes very little RAM.
      Magnet puts around 98 reg keys + 285 DLLs, which is the highest, and seems slow in processing, but it captures the MOST artifacts, around 4 times that of the other tools, so it made my list.
      And I agree FTK uses the most RAM, since this is a multithreaded process. I also agree that since it leaves artifacts 10 times compared to the others, they can override important forensic content in RAM, which will negatively affect the investigation. But I find it useful since the keys tend to record all logs, the use of programs including the access time, walking and even modifying the program. So it all depends on the use case.
      I had done a study last year to compare FTK, Magnet, ProDiscover, WinEn, WinPmem, Windows Memory Reader, DumpIt and Memoryze and then selected the tools which I heavily use nowadays.

  • @metehandagl9068
    @metehandagl9068 3 years ago

    Hi, may I ask you something about acquiring data with a USB drive? When you plug it into an infected machine, could the USB drive be infected by the virus as well? So it may infect my host machine because of the infected USB drive during analysis on my host machine. I'm wondering about your idea. How do you protect your USB drive on an infected machine? Thank you for sharing a nice video!

    • @BlackPerl
      @BlackPerl  3 years ago

      Hey there, thanks for reaching out. Yes, your concern is absolutely correct. If you are using a USB stick to collect any sort of evidence from an infected machine, there is always a chance that the infection gets onto the USB and hence propagates.
      But in real life, forensic workstations are mostly kept in isolation, and there is a need to check, prepare and store your forensic data/reports/evidence/traces etc. as part of the Chain of Custody. So if someone is doing forensics, it is always recommended to create the workstation with proper guidelines, and obviously it should be an isolated one. At times, you will also need to detonate the malware samples in your forensic workstation to understand the TTPs, so it needs to be kept like that.
      Also, if you need to use a USB on an infected PC but also need to ensure safety, there are some guidelines to be followed like this- www.datanumen.com/blogs/7-useful-tips-protect-usb-flash-drive-viruses/
      Hope this helps.

  • @SM-KS
    @SM-KS 3 years ago +1

    FTK Imager and Autopsy do the same work?

    • @BlackPerl
      @BlackPerl  3 years ago

      No, buddy. Autopsy is used for analyzing a captured forensic dump. It's more of a forensic analysis helper. It can't help in acquisition. Whereas FTK comes in handy in acquisition and, to some extent, to parse a captured dump for analysis.

  • @josephford5885
    @josephford5885 3 years ago +1

    Great explanation. Can you create one dedicated to FTK Imager?

    • @BlackPerl
      @BlackPerl  3 years ago

      Thanks. Sure, will do one soon! Please stay tuned.

  • @AkAk-jv7ig
    @AkAk-jv7ig 3 years ago +1

    Thanks for the DFIR videos! Just a curious question: do you usually change the USBs that you use after an engagement? Like, is there a risk that the USB you use to acquire data from an infected machine will be infected itself?

    • @BlackPerl
      @BlackPerl  3 years ago

      Thanks for the feedback, buddy!
      Nothing as such, as long as you take the measures properly. 😊
      Tips:
      1. Your forensic workstation MUST be isolated from the corporate network.
      2. It needs to have a working internet connection, but not from the backbone.
      3. If you don't have a dedicated machine, always use a VM with the network in Bridged mode.

    • @AkAk-jv7ig
      @AkAk-jv7ig 3 years ago +1

      @@BlackPerl Awesome! Thanks for the great feedback 👍

    • @BlackPerl
      @BlackPerl  3 years ago

      @@AkAk-jv7ig You are welcome.

  • @subhampareek8425
    @subhampareek8425 3 years ago +1

    Loved it 👍.

  • @CS-wi3ff
    @CS-wi3ff 3 years ago

    Bro, to start a career in a SOC (blue teamer), where do I need to start? I completed my MCA, I don't know where to start? What things do I need to brush up on to get a job? Is there any course that provides a basic foundation for a security operations center analyst? Please help, where do I need to start?

    • @BlackPerl
      @BlackPerl  3 years ago

      Hey, thanks for reaching out. So for SOC, if you are interested in doing Incident Response, you can follow my playlist- ruclips.net/p/PLjWEV7pmvSa4yvhzNsCjOJovOn1LLyBXB
      Nowadays, the more you practice, the more you will learn and grow. So, do the hands-on exercises on letsdefend, blueteam lab online, cyberdefenders.org
      They provide amazing scenario-based learning where you need to perform the analysis.
      So, plan accordingly what you need to learn first. At first, there is no need to go for any certification. Grab the basic knowledge in these areas.
      Build your network on LinkedIn, this is most important.
      And keep watching my videos, I hope they will help.

    • @CS-wi3ff
      @CS-wi3ff 3 years ago

      @@BlackPerl Thank you, dear bro... I am so sad that skills don't matter nowadays... because many big MNC companies visit private colleges to hire students... Most of the students they hire are underskilled, but still they go there like routine (do they get commission?)... I am trying for off-campus jobs (very difficult to get with basic skills)... Sad that many companies' shortlisting criteria are unknown... and I haven't got any call yet, so... now I am trying hard to earn more skills and try again for a SOC analyst role... 🙏🏻❤️ Thank you, bro... I will follow all your updates.... For freshers like me, certification without a job is not affordable either 😭

    • @BlackPerl
      @BlackPerl  3 years ago +1

      @@CS-wi3ff Yeah, criteria for MNCs keep varying. Stay focused on your studies and upskill yourself for SOC. There are plenty of openings out there. You will land one in no time!

    • @CS-wi3ff
      @CS-wi3ff 3 years ago

      @@BlackPerl ❤️ Thank you, brother, for the positivity. God will bless you... I hope at least a few MNCs give preference to skills over fancy degrees....

    • @CS-wi3ff
      @CS-wi3ff 3 years ago

      @@BlackPerl Even though I am a postgraduate, my college's placements are very few, but a few private colleges have more placements, and also one of my schoolmates who doesn't even know the basics of security landed a job just because of placements.... in RSA Security... I doubt private universities pay companies to hire from their college.... I wish this system in India would be changed... Instead, companies should give more weightage to skills and also give opportunities to off-campus students... They are also humans... They too have families 😞

  • @Saxena_abhiraj
    @Saxena_abhiraj 3 years ago

    How to create an image or dump file on Android?

    • @BlackPerl
      @BlackPerl  3 years ago +1

      Honestly, I haven't done much work on Android. So can't help much there. But you can try to use dumpsys from ADB.

    • @Saxena_abhiraj
      @Saxena_abhiraj 3 years ago +1

      @@BlackPerl If I use adb... debugging mode must be on... If debugging mode is off and my phone is broken, then how do I investigate the mobile?

    • @BlackPerl
      @BlackPerl  3 years ago

      @@Saxena_abhiraj Have you tried FINALMobile Forensics?

    • @Saxena_abhiraj
      @Saxena_abhiraj 3 years ago +1

      @@BlackPerl Yes, but an old version

    • @BlackPerl
      @BlackPerl  3 years ago

      @@Saxena_abhiraj How was the usability?

  • @frostbitedefense7047
    @frostbitedefense7047 3 years ago +1

    I think you are inspired by network chuck

    • @BlackPerl
      @BlackPerl  3 years ago

      Spot on!! I'm one of Chuck's biggest followers!! Don't know if he knows it. LOL..

  • @hakankkilic
    @hakankkilic 3 years ago +9

    TRY Binalyze. Muchhhh better than these tools. Besides, it can do everything that these tools do.

    • @BlackPerl
      @BlackPerl  3 years ago +2

      Thanks for the suggestion, will surely try it. But I guess it's a paid one and you get trials only for a limited period of time! But worth validating..

    • @hakankkilic
      @hakankkilic 3 years ago +1

      @@BlackPerl There is a trial or a free version too.

    • @Binalyze
      @Binalyze 3 years ago +1

      @@BlackPerl We would love your review. Get a free trial at www.binalyze.com/air or contact us at contact@binalyze.com for a chat

    • @BlackPerl
      @BlackPerl  3 years ago

      @@hakankkilic Yep, will check it out.

    • @BlackPerl
      @BlackPerl  3 years ago

      @@Binalyze Thanks. Sure, we will talk! In a conversation via email. 😊