Let’s Connect | LinkedIn | Twitter One of the main challenges in live forensics is to deal with in-use or locked files and resources. Unlike the traditional forensics investigation, we are not making a full forensics image of the hard disk during system live analysis. In fact, we are interacting…

Let’s Connect | LinkedIn | Twitter So far, we have discussed user account creation, deletion, privileges, and associated folders and settings such as users profile and AppData folders, and user-specific environment variables. The above information is essential for an investigator to identify the existing and deleted user accounts. …

Let’s Connect | LinkedIn | Twitter As discussed in part 6, the user account forensics roadmap consists of three phases: Data collection and validation, User categorization and profiling, and Deep-dive analysis. The deep-dive analysis phase focuses on detailed analysis of user settings and behaviours to obtain information about: This part…

Let’s Connect | LinkedIn | Twitter Here we are with the second phase of windows user accounts live forensics to categorize the local user accounts in a windows test system and profile them into four categories as follows: Valid Users with Valid Groups and permissions Valid Users with odd groups…

Let’s Connect | LinkedIn | Twitter In part 5, I have shared few techniques to retrieve information related to user accounts, their groups, and privileges. Digital forensics and incident response are not about obtaining the data only. …

Let’s Connect | LinkedIn | Twitter Have you enjoyed reading the previous parts? The needs for system live analysis, rules, and some required tools, the checklist to carry out Windows live investigation, and how to retrieve the system information and configuration. This part will discuss one of the most exciting…

Let’s Connect | LinkedIn | Twitter I have discussed the need for system live analysis, rules, and some required tools, and the checklist to carry out Windows live investigation in the previous parts. Let's dive into technical aspects from this part onwards. As illustrated in the checklist, identifying system information…

Let’s Connect | LinkedIn | Twitter In part one, I have discussed the differences between dead-box and live box analysis and why the system live analysis is an offer we can’t refuse! Besides, I explained the role of Ioc and IoA for an investigation. Part two covers the rules and…

Let’s Connect | LinkedIn | Twitter Hope you enjoy reading part one of this series: Part 1: Blue Team: System Live Analysis - A Proactive Hunt!. Part two will cover some rules and tools that can be employed to conduct live forensics analysis on the Windows platform. …