Digital forensic investigation requires verification of the artifacts collected at the scene. One way to check the integrity of evidence collected from a suspect machine is to analyse the fingerprints left in its Random-Access Memory (RAM): establishing that the evidence belongs to its stated owner is critical, and confirming that the memory image in fact came from that individual's machine helps to establish the case. Memory analysis therefore begins by identifying the operating system that was running on the machine at the time the image was acquired. It also supports malware detection and live triage of the system during a forensic examination, recovering hidden evidence from the machine's volatile artifacts. E-discovery is used to find the evidence that will either vindicate the suspect or support prosecution of a digital crime within the organisation the suspect is involved in. The screen captures included in this laboratory report form part of the e-discovery record and show the results produced by forensic tools such as Volatility and Redline.
Socket and connection listings (Volatility's sockets, connscan and netscan plugins) show open ports and active connections. To decide which ports and connections are legitimate, it is important to see the protocol and connection type (UDP, TCPv4), the connection state, the process that owns each socket, and whether the remote IP addresses are associated with any known malware. One such record from the listing in this report:
connection to 192.168.1.110:12345 ESTABLISHED 2156 wintroj.exe
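As an added illustration (not part of the original report), the following Python script parses netscan-style output and applies three simple triage rules: the foreign address matches a known indicator, the owning process name matches a known indicator, or the session is ESTABLISHED to a public address on a port outside an expected baseline. The sample listing, the indicator sets and the port baseline are all constructed for this example; the regular expression assumes the column layout shown in the sample (offset, protocol, local, foreign, optional state, PID, owner).

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout of a Volatility netscan listing (not real evidence).
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner
0x7d6b5a10         TCPv4    192.168.1.55:49152             192.168.1.110:12345  ESTABLISHED      2156     wintroj.exe
0x7d6c1b20         TCPv4    192.168.1.55:445               0.0.0.0:0            LISTENING        4        System
0x7d6d2c30         UDPv4    0.0.0.0:137                    *:*                                   1044     svchost.exe
0x7d6e3d40         TCPv4    192.168.1.55:49200             93.184.216.34:443    ESTABLISHED      3012     chrome.exe
0x7d6f4e50         TCPv4    192.168.1.55:49301             93.184.216.35:4444   ESTABLISHED      3300     update.exe
"""

# Constructed indicator lists and port baseline (stand-ins for a real threat-intel feed).
KNOWN_BAD_IPS: Set[str] = {"192.168.1.110"}
KNOWN_BAD_PROCS: Set[str] = {"wintroj.exe"}
EXPECTED_EXTERNAL_PORTS: Set[str] = {"80", "443"}

# One netscan row; the State column is absent for UDP sockets, so it is optional.
LINE_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>TCPv4|TCPv6|UDPv4|UDPv6)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)\s*$"
)


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'host:port' on the last colon so IPv6 literals and '*:*' survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netscan(text: str) -> List[Dict[str, str]]:
    """Parse netscan-style lines into dicts; header and blank lines are skipped."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        row = match.groupdict()
        row["state"] = row["state"] or ""
        row["local_ip"], row["local_port"] = split_endpoint(row["local"])
        row["foreign_ip"], row["foreign_port"] = split_endpoint(row["foreign"])
        rows.append(row)
    return rows


def is_public(ip: str) -> bool:
    """True for globally routable addresses; wildcards, 0.0.0.0 and RFC 1918 are not."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:  # "*" and other non-address tokens
        return False


def triage(rows: List[Dict[str, str]],
           bad_ips: Set[str] = KNOWN_BAD_IPS,
           bad_procs: Set[str] = KNOWN_BAD_PROCS) -> List[Dict[str, object]]:
    """Return the rows worth a closer look, each with the reasons that fired."""
    findings: List[Dict[str, object]] = []
    for row in rows:
        reasons: List[str] = []
        if row["foreign_ip"] in bad_ips:
            reasons.append("foreign address is a known indicator")
        if row["owner"].lower() in bad_procs:
            reasons.append("owner process is a known indicator")
        if (row["state"] == "ESTABLISHED" and is_public(row["foreign_ip"])
                and row["foreign_port"] not in EXPECTED_EXTERNAL_PORTS):
            reasons.append("established session to external host on unexpected port")
        if reasons:
            findings.append({"pid": row["pid"], "owner": row["owner"],
                             "foreign": row["foreign"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_netscan(SAMPLE_NETSCAN)):
        print(finding["pid"], finding["owner"], finding["foreign"], "; ".join(finding["reasons"]))
```

The third rule is deliberately conservative: a LISTENING socket or a session to a private address is left to the indicator rules, so an analyst reviews the baseline ports and indicator sets for the environment before trusting the output.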
In the Windows operating system, the Local Security Authority (LSA) keeps a protected store of secrets that must be kept safe from unauthorised access (Dolan-Gavitt, 2018). The Syskey mechanism obfuscates these secrets; however, once the mechanism is known, they can be recovered from the registry hives (Volatility's lsadump plugin automates this). Secrets of interest include $MACHINE.ACC, the computer's domain account password; NL$KM, the key used to encrypt cached domain logon credentials; and L$RTMTIMEBOMB, which stores a date. The NL$KM secret is located at SECURITY\Policy\Secrets\NL$KM.