Digital forensics is the process of identifying, preserving, extracting, analysing and presenting data that has been processed electronically and stored on digital devices. This data, known as digital artifacts, can be found on computers and smartphones and may play a key role in …
Category: Forensics
Articles dedicated to computer forensics.
PoSH-R2 script for collecting various diagnostic information
PoSh-R2 is a set of PowerShell scripts for Windows Management Instrumentation (WMI) that investigators and forensic analysts can use to extract information from compromised (or potentially compromised) Windows systems. The scripts use WMI to extract this information from the operating system. Hence, this …
LinuxCheck: Linux information gathering tool
LinuxCheck is a small bash script for collecting information that is useful for emergency response on Debian and CentOS systems. Characteristics: LinuxCheck is a standalone script capable of collecting a large set of information: CPU TOP10, memory TOP10, CPU usage, boot time, hard disk information, user information, passwd information …
How to extract forensic artifacts from pagefile.sys?
Microsoft Windows uses the page file (pagefile.sys) to store memory blocks that do not currently fit into physical memory. This file is stored at %SystemDrive%\pagefile.sys; it is a hidden system file and cannot be read or accessed by any user, including the Administrator, on a running system. This file …
Analyzing compressed memory in Windows 10
Memory analysis in Windows 10 is very different from previous versions of Windows: a new feature called memory compression means that a forensic tool must be capable of reading compressed memory pages. Memory compression in Windows 10 The latest Windows 10 releases enable the memory compression function, which …
Amcache and Shimcache in forensic analysis
Data from Amcache and Shimcache can provide a timeline of whether and which program was executed, when it was first launched and when it was last modified.
Forensic Artifacts: proof of program execution on Windows systems
During forensic analysis of a Windows system, it is often important to understand when and how a specific process was started.