Peepdf

Document Forensics Tool - Peepdf

Peepdf is an open-source Python tool for analysing PDF documents, written for malware analysis and digital forensics. Rather than rendering a document, it parses the PDF structure itself (objects, streams, cross-reference tables and incremental updates), so an investigator can see hidden content, embedded scripts and objects that a viewer would never show. That makes it a standard first step when triaging documents suspected of delivering malware or of being used in fraud.

Its most useful feature is the extraction and analysis of JavaScript and other actions embedded in a file, such as /OpenAction, /AA (additional actions), /Launch and /EmbeddedFile entries, including ones hidden inside compressed streams or behind hex-escaped names that a plain string search would miss. It lists these suspicious elements in its summary and can hand extracted JavaScript to a JavaScript engine and suspected shellcode to an emulator when those optional dependencies are installed. Analysis does not modify the input file, but peepdf is not strictly read-only: its interactive console includes commands to create, modify and save PDFs, so hash the original evidence file and work on a copy. The output is a structured summary of the document and its suspicious elements (plain text, with XML and JSON output available) that can be attached to case notes. Widely used in cybercrime investigations and incident response, Peepdf is a reliable resource for anyone who has to judge whether a PDF is safe.
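As an added example (not code from the peepdf project), the Python below shows the two obfuscations mentioned above and why structure-aware parsing is needed: it decodes hex-escaped PDF names and inflates FlateDecode streams before looking for the keywords peepdf reports as suspicious. The PDF it scans is constructed inline, and the keyword list, regular expressions and function names are this example's own simplifications, not peepdf's code.

```python
import re
import zlib

# Subset of the names peepdf reports as suspicious elements (illustrative).
SUSPICIOUS = {"JavaScript", "JS", "OpenAction", "AA", "Launch", "EmbeddedFile",
              "RichMedia", "AcroForm", "XFA", "URI", "SubmitForm", "ObjStm"}

_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# A PDF name runs from "/" to the next whitespace or delimiter and may encode
# any character as #xx (ISO 32000-1, section 7.3.5), e.g. /J#61vaScript.
_NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]+)")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def names_in(blob: bytes) -> set:
    return {decode_name(m.group(1)) for m in _NAME_RE.finditer(blob)}


def naive_grep(data: bytes) -> list:
    """What a plain string search reports: only keywords present literally."""
    return sorted(k for k in SUSPICIOUS if b"/" + k.encode() in data)


def scan_pdf(data: bytes) -> dict:
    """Map object number -> suspicious names found after decoding #xx escapes
    in the object dictionary and inflating any FlateDecode stream it carries."""
    findings = {}
    for m in _OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        dictionary = body.split(b"stream", 1)[0]   # text before the stream data
        blobs = [dictionary]
        if "FlateDecode" in names_in(dictionary):
            for s in _STREAM_RE.finditer(body):
                try:
                    blobs.append(zlib.decompress(s.group(1)))
                except zlib.error:
                    pass   # corrupt or truncated stream: nothing more to inspect
        found = set().union(*(names_in(b) for b in blobs)) & SUSPICIOUS
        if found:
            findings[num] = sorted(found)
    return findings


def build_sample_pdf() -> bytes:
    """Constructed sample: /OpenAction pointing at a JavaScript action, plus an
    object stream whose compressed content hides a /Launch action. Every
    suspicious name is hex-escaped or compressed, so grep sees nothing."""
    hidden = b"6 0 << /S /Launch /F (calc.exe) >>"
    packed = zlib.compress(hidden)
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
        b"4 0 obj << /Type /Action /S /J#61vaScript /J#53 (app.alert(1)) >> endobj\n",
        b"5 0 obj << /Type /Obj#53tm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("naive grep:", naive_grep(pdf))
    for obj, names in scan_pdf(pdf).items():
        print(f"object {obj}: {names}")
```

The point of the comparison is the empty result from naive_grep against the three flagged objects from scan_pdf: keyword hunting on raw bytes is what attackers test their samples against, so a triage tool has to parse names and decompress streams, which is exactly what peepdf does for you.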

The Sleuth Kit Tools

Thunderbird

Email Forensics Tool - Thunderbird

Mozilla Thunderbird is an open-source email client rather than a dedicated forensic product, but it is widely used in email investigations because it stores mail in plain MBOX files (one file per folder, such as Inbox, Sent and Trash, each with a matching .msf index) and can also use a Maildir store. Because the format is open, investigators can extract and examine messages, attachments and metadata, including timestamps, sender and recipient information and full message headers, either in Thunderbird itself or with any MBOX-aware tool. Deleted messages are often recoverable: Thunderbird does not remove a deleted message from the MBOX file immediately but only sets the expunged bit in the message's X-Mozilla-Status header, and the bytes stay on disk until the folder is compacted.

Thunderbird itself is not read-only: it rewrites its mailbox and index files as it runs, so analysts hash the original profile, work on a copy, and import mailbox files into a clean profile rather than opening the suspect's profile directly. Once imported, Thunderbird's search and filtering (Quick Filter and global search) make it quick to locate relevant emails by keyword, date range or correspondent, and individual messages can be saved as .eml or printed for case documentation; formal forensic reports are normally produced with a separate forensic suite. This workflow is common in cybercrime investigations, corporate audits and incident response cases involving email-based evidence.
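As an added example (not Thunderbird code and not part of the original page), the Python below reads a Thunderbird-style MBOX file with the standard library and decodes the X-Mozilla-Status flag word, which is how a deleted-but-not-compacted message is told apart from a live one. The mailbox content is constructed inline; the flag values used (0x0001 read, 0x0008 expunged) are Thunderbird's, while the function and field names are this example's own.

```python
import mailbox
import os
import tempfile
from email.utils import parseaddr, parsedate_to_datetime

# Thunderbird keeps per-message state in X-Mozilla-Status, a 16-bit hex flag
# word. Read is 0x0001; Expunged (0x0008) marks a message the user deleted
# that has not yet been purged from the file by "Compact folders".
MSG_FLAG_READ = 0x0001
MSG_FLAG_EXPUNGED = 0x0008

# Constructed sample mailbox (Thunderbird writes "From - <date>" separators).
# The second message was deleted by the user but never compacted away.
SAMPLE_MBOX = b"""From - Mon Jan 08 09:00:00 2024
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
From: Alice <alice@example.test>
To: peter@example.test
Subject: Project kickoff
Date: Mon, 8 Jan 2024 09:00:00 +0000
Message-ID: <a1@example.test>

See attached plan.

From - Mon Jan 08 10:30:00 2024
X-Mozilla-Status: 0009
X-Mozilla-Status2: 00000000
From: Bob <bob@example.test>
To: peter@example.test
Subject: Cloud credentials
Date: Mon, 8 Jan 2024 10:30:00 +0000
Message-ID: <b2@example.test>

Deleting this after reading.
"""


def write_sample_mbox() -> str:
    """Write the constructed mailbox to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def triage_mbox(path: str) -> list:
    """One record per message, with Thunderbird's read/deleted state decoded.
    Run this against a working copy only: mailbox.mbox opens the file for
    writing when it can, and the original evidence must stay untouched."""
    records = []
    box = mailbox.mbox(path, create=False)
    try:
        for key, msg in box.items():
            flags = int(msg.get("X-Mozilla-Status", "0"), 16)
            records.append({
                "key": key,
                "from": parseaddr(msg.get("From", ""))[1],
                "subject": msg.get("Subject", ""),
                "date": parsedate_to_datetime(msg["Date"]).isoformat() if msg["Date"] else None,
                "message_id": msg.get("Message-ID", ""),
                "read": bool(flags & MSG_FLAG_READ),
                "deleted": bool(flags & MSG_FLAG_EXPUNGED),
            })
    finally:
        box.close()
    return records


def deleted_messages(records: list) -> list:
    """Messages the user deleted that are still physically present in the file."""
    return [r for r in records if r["deleted"]]


if __name__ == "__main__":
    recs = triage_mbox(write_sample_mbox())
    for r in recs:
        state = "DELETED" if r["deleted"] else "live"
        print(f"{state:7} {r['date']} {r['from']:22} {r['subject']}")
```

The same loop works on a real Inbox file copied out of a Thunderbird profile; the Trash folder and the .msf index are worth collecting as well, because compaction rewrites the MBOX and the index records what the client last believed was in it.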

 

MemProcFS

Digital Forensics Tool - MemProcFS

MemProcFS is a memory forensics tool that mounts a memory dump, or the live physical memory of a system, as a virtual file system. Instead of extracting artefacts one query at a time, it presents memory structures as ordinary files and directories that can be browsed with a file manager, read with standard tools or scripted against.

The tool focuses on Windows memory (raw dumps, crash dumps and live memory) and exposes key forensic data such as running processes, open network connections, registry hives, loaded modules and handles as files and folders. Because the translation from raw memory to structured files happens on demand, investigations move faster and need far less custom scripting or database work.

MemProcFS is particularly useful for spotting malicious activity such as hidden processes and injected code, which makes it valuable in malware investigations and incident response. Analysing a dump file does not alter the dump, so forensic integrity is preserved; the same is not automatically true of live-memory access, so capture a dump first when the evidence matters. Often used alongside Volatility, MemProcFS offers an efficient and interactive approach to memory forensics for forensic professionals and security analysts.

PhotoRec

Digital Forensics Tool - PhotoRec

PhotoRec is a well-known open-source file recovery tool from CGSecurity, distributed together with TestDisk. Unlike recovery tools that depend on file system metadata, PhotoRec ignores the file system and carves files directly from the raw blocks: it scans the device for known file signatures (headers, and where available footers or embedded size fields) and recovers documents, images, videos and other data even from damaged or reformatted drives. The trade-off is that carved files come back without their original names, paths and most timestamps, and fragmented files may be recovered incomplete.

The tool works with FAT, NTFS, exFAT, HFS+ and ext2/ext3/ext4 volumes (it needs the file system only to pick a sensible block size) on hard drives, USB flash drives, memory cards and optical media such as CDs and DVDs. PhotoRec opens the source read-only and never writes to it; recovered files must be written to a different device so they cannot overwrite the data still being recovered.

PhotoRec is commonly used in digital forensics, incident response and personal data recovery. Its text-based interface walks through the recovery step by step, which makes it accessible to both experienced professionals and casual users, and as a free and open-source tool it remains a valuable resource for anyone who needs to recover lost or deleted data.
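As an added example (not PhotoRec's code), the Python below implements the signature-carving idea the paragraphs above describe: it walks a raw image in block-sized steps, looks for known file headers, reads forward to the matching footer, and caps the file when the footer is missing. The "disk" it carves is constructed inline and contains no file system at all, which is exactly the situation PhotoRec handles; the signature table, block size and size cap are this example's own choices.

```python
BLOCK = 512            # sector size used as the carving granularity
MAX_CARVE = 64 * 1024  # cap for files whose footer is never found

# Signature table: header bytes -> (extension, footer bytes). A real carver
# knows hundreds of formats and validates structure; three formats suffice here.
SIGNATURES = {
    b"\xff\xd8\xff": ("jpg", b"\xff\xd9"),
    b"\x89PNG\r\n\x1a\n": ("png", b"IEND\xaeB`\x82"),
    b"%PDF-": ("pdf", b"%%EOF"),
}


def carve(image: bytes, block: int = BLOCK, max_size: int = MAX_CARVE) -> list:
    """Carve files by signature. Headers are only tested at block boundaries
    (PhotoRec's default behaviour); after a hit, scanning resumes at the next
    block boundary past the carved file so nested signatures are not re-carved."""
    found = []
    off = 0
    while off < len(image):
        hit = next(((ext, footer, header) for header, (ext, footer) in SIGNATURES.items()
                    if image.startswith(header, off)), None)
        if hit is None:
            off += block
            continue
        ext, footer, header = hit
        limit = min(off + max_size, len(image))
        fpos = image.find(footer, off + len(header), limit)
        if fpos == -1:
            end, complete = limit, False      # no footer: keep up to the cap
        else:
            end, complete = fpos + len(footer), True
        found.append({"offset": off, "ext": ext, "size": end - off,
                      "complete": complete, "data": image[off:end]})
        off = ((end + block - 1) // block) * block
    return found


def save_carved(found: list, outdir: str) -> list:
    """Write carved files named by their starting offset (original names are
    gone). outdir must be on a different device than the image source."""
    import os
    paths = []
    for f in found:
        path = os.path.join(outdir, f"f{f['offset']:08d}.{f['ext']}")
        with open(path, "wb") as fh:
            fh.write(f["data"])
        paths.append(path)
    return paths


def make_sample_image() -> bytes:
    """Constructed 4 KiB raw image: a complete JPEG and PNG, and a PDF that
    was truncated before its %%EOF marker."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 200 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x02" * 100
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    pdf = b"%PDF-1.4\n1 0 obj << >> endobj\n"
    image = bytearray(8 * BLOCK)
    image[1 * BLOCK:1 * BLOCK + len(jpeg)] = jpeg
    image[3 * BLOCK:3 * BLOCK + len(png)] = png
    image[5 * BLOCK:5 * BLOCK + len(pdf)] = pdf
    return bytes(image)


if __name__ == "__main__":
    for f in carve(make_sample_image()):
        state = "complete" if f["complete"] else "truncated"
        print(f"offset {f['offset']:6d}  {f['ext']}  {f['size']:5d} bytes  {state}")
```

The truncated PDF shows the caveat from the text: without a footer the carver can only guess a length, and PhotoRec applies per-format limits and heuristics for exactly that case, so a carved file that opens is not proof that it was recovered whole.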

 

Autopsy Forensics

Digital Forensics Tool - Autopsy Forensics

Autopsy is a widely used open-source digital forensics platform, built on The Sleuth Kit, for analysing hard drives, disk images and mobile devices. Known for its graphical interface, it gives investigators a powerful yet accessible way to examine digital evidence. Law enforcement agencies, cybersecurity professionals and forensic analysts rely on it for tasks such as recovering deleted files, reconstructing user activity and identifying potential threats.

It supports common disk image formats, including E01, AFF and raw, and lets investigators examine partitions, file system metadata and other forensic artefacts. Built-in ingest modules provide keyword searching, timeline analysis and hash matching (to flag known-bad files and to filter out known-good ones using hash sets), together with email analysis and Windows registry examination.

A key advantage of Autopsy is its modular design: additional ingest modules and plugins, written in Java or Python, extend its functionality, and its report generator produces case documentation in several formats. Whether used for incident response, criminal investigations or corporate forensics, Autopsy is a reliable and cost-effective alternative to commercial forensic software.

Volatility3

Digital Forensics Tool - Volatility3

Volatility 3 (Volatility3) is a powerful open-source memory forensics framework for analysing RAM captures from compromised systems. It is a complete rewrite of the original Volatility framework that replaces the old per-OS profiles with symbol tables, so it keeps pace with modern operating system builds.

Unlike forensic tools that concentrate on disk analysis, Volatility3 extracts evidence from memory dumps: running processes, open network connections, loaded drivers, registry data and traces of fileless malware. This makes it especially useful for detecting rootkits and in-memory attacks that leave little or nothing on disk.

Built in Python 3, Volatility3 is modular, and investigators can write custom plugins for specific needs. It supports memory dumps from Windows, Linux and macOS; Windows symbols are fetched automatically from Microsoft's symbol server when needed, while Linux and macOS images require a symbol table matching the exact kernel build that was captured. The tool is widely used by law enforcement, security professionals and forensic analysts to uncover evidence and produce findings that can support legal proceedings.

vshadowmount

Digital Forensics Tool - vshadowmount (Ubuntu)

vshadowmount is the mounting utility from libvshadow, Joachim Metz's open-source library for Windows Volume Shadow Snapshot data, and it lets an examiner reach Volume Shadow Copies from a Linux workstation such as Ubuntu. Volume Shadow Copies are snapshots of an NTFS volume taken by the Windows Volume Shadow Copy Service (VSS) at specific points in time. They are invaluable in digital forensics because they often hold earlier versions of files, deleted data and evidence of system changes that are no longer present on the live volume.

Given a disk image and the byte offset of the NTFS volume within it (the -o option), vshadowmount exposes each snapshot as a raw volume image (vss1, vss2, and so on) inside a FUSE mount point, and each of those can then be mounted read-only like any other NTFS image; the companion tool vshadowinfo lists the snapshots with their creation times so the examiner can choose which point in time to look at. This removes the need for a Windows environment to access VSS data and makes the tool a staple of cross-platform investigations in which Windows evidence is processed on Linux.

ewfinfo

Digital Forensics Tool - ewfinfo (expert witness format)

ewfinfo is a small forensic utility that reads and displays the metadata stored in disk images in the Expert Witness Format (EWF), commonly called the EnCase image format (.E01). While most tools mount or analyse the image content, ewfinfo reports what the acquisition wrote into the image itself: case and evidence numbers, examiner name, notes, acquisition date and software, media size and sector size, the compression used, the number of segment files, and the MD5 (and, where present, SHA-1) hash recorded at acquisition. That makes it the first tool to run when verifying the provenance of an image, extracting case metadata or troubleshooting a damaged or incomplete set of segment files.

ewfinfo is part of libewf, an open-source library for reading and writing EWF files, alongside ewfverify (which rehashes the image data and compares the result with the stored hash), ewfmount (which exposes the image as a raw file for other tools) and ewfacquire. Used together, these tools support the chain of custody by providing verifiable metadata and hash checks, which is essential to the credibility of evidence in legal and investigative contexts.
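As an added example that is not libewf code, the Python below builds a deliberately minimal EWF-E01 segment file and parses it the way ewfinfo begins: it checks the file signature, reads the segment number, walks the section chain verifying each section descriptor's Adler-32 checksum, and pulls the acquisition MD5 out of the hash section. The layout follows the EWF format documentation published with libewf (8-byte signature, 13-byte file header, 76-byte section descriptors, hash section of MD5 plus 16 reserved bytes plus checksum); the sample omits the header, volume, sectors and table sections a real image contains, and the helper names are this example's own.

```python
import struct
import zlib

# EWF-E01 file header: 8-byte signature, fields-start byte (1), segment
# number (uint16 LE), fields-end (uint16 LE, 0). 13 bytes in total.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER_FMT = "<8sBHH"
FILE_HEADER_LEN = struct.calcsize(FILE_HEADER_FMT)   # 13

# Section descriptor: 16-byte type string, offset of the next section
# (uint64), size of this section including the descriptor (uint64),
# 40 bytes padding, Adler-32 over the preceding 72 bytes. 76 bytes.
SECTION_FMT = "<16sQQ40sI"
SECTION_LEN = struct.calcsize(SECTION_FMT)           # 76


def _adler(data: bytes) -> int:
    return zlib.adler32(data) & 0xFFFFFFFF


def _section(stype: bytes, next_off: int, size: int, payload: bytes = b"") -> bytes:
    head = struct.pack("<16sQQ40s", stype, next_off, size, b"\0" * 40)
    return head + struct.pack("<I", _adler(head)) + payload


def make_sample_e01(md5: bytes, segment: int = 1) -> bytes:
    """Constructed minimal segment: file header, a 'hash' section carrying the
    acquisition MD5, and the terminating 'done' section (which points at itself)."""
    header = struct.pack(FILE_HEADER_FMT, EWF_SIGNATURE, 1, segment, 0)
    payload = md5 + b"\0" * 16
    payload += struct.pack("<I", _adler(payload))     # hash section's own checksum
    hash_off = FILE_HEADER_LEN
    hash_size = SECTION_LEN + len(payload)
    done_off = hash_off + hash_size
    return (header
            + _section(b"hash", done_off, hash_size, payload)
            + _section(b"done", done_off, SECTION_LEN))


def is_ewf(data: bytes) -> bool:
    return len(data) >= FILE_HEADER_LEN and data[:8] == EWF_SIGNATURE


def parse_e01(data: bytes) -> dict:
    """Walk the section chain like ewfinfo: verify every descriptor checksum,
    record the section types, and recover the stored MD5 if its checksum holds."""
    if not is_ewf(data):
        raise ValueError("not an EWF-E01 segment file")
    segment = struct.unpack_from("<H", data, 9)[0]
    sections, stored_md5, off = [], None, FILE_HEADER_LEN
    while off + SECTION_LEN <= len(data):
        stype, nxt, size, _pad, crc = struct.unpack_from(SECTION_FMT, data, off)
        name = stype.rstrip(b"\0").decode("ascii", "replace")
        ok = _adler(data[off:off + SECTION_LEN - 4]) == crc
        sections.append({"type": name, "offset": off, "size": size, "crc_ok": ok})
        body = data[off + SECTION_LEN:off + size]
        if name == "hash" and ok and len(body) == 36:
            md5, _reserved, body_crc = struct.unpack("<16s16sI", body)
            stored_md5 = md5 if _adler(body[:32]) == body_crc else None
        if name in ("done", "next") or nxt <= off:
            break   # 'done' closes the last segment; 'next' hands over to the next file
        off = nxt
    return {"segment": segment, "sections": sections, "md5": stored_md5,
            "complete": bool(sections) and sections[-1]["type"] == "done"}


def flip_byte(data: bytes, offset: int) -> bytes:
    """Simulate bit rot or tampering at one byte, to show the checksums catch it."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    sample = make_sample_e01(bytes(range(16)))
    print(parse_e01(sample))
    damaged = flip_byte(sample, FILE_HEADER_LEN + SECTION_LEN)   # first byte of the MD5
    print("after tampering:", parse_e01(damaged)["md5"])
```

Note what the checksums do and do not prove: they show that the stored metadata and hash have not been altered since acquisition, but only rehashing the image data (ewfverify) proves that the sectors still match that hash.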

 
 

BTLO The Key

Blue Team Labs Online - The Key Walkthrough

Scenario: Peter, a programmer by profession, was always fascinated by superhero movies from his childhood. He started a secret project at work without informing his boss. Peter stored all the project files in his cloud account. His boss came to know about Peter's secret project and asked the security team to investigate Peter's laptop. But here comes the real headache: Peter's secret drive is encrypted!

Tools: FTK Imager, NirLauncher, Arsenal Image Mounter, FRED

Question 1: What is the TimeZone of Peter’s Machine? [hint: Find the Registry Key]

Question 2: Superhero stories were introduced to Peter at his school. What is the name of Peter’s school?

Question 3: What is Peter’s favorite quote?

Question 4: What is Peter’s IP address and Computer Name?

Question 5: What is the name of the programming language Peter is learning?

Question 6: According to Peter’s Day plan, which task is “In progress”?

Question 7: Peter connected with his partner using TeamViewer. What are Peter's partner's TeamViewer ID and display name?

Question 8: What is Peter’s TeamViewer ID and Display name?

Question 9: What is the Password Manager used by Peter?

Question 10: What is the VPN service used by Peter?

Question 11: What is the name of Peter’s ‘Secret Project’?

Question 12: According to Peter’s documentation, what is the theme of the project?

Question 13: What are Peter's cloud credentials?

Question 14: Peter accessed some files from a remote machine using a file transfer service. What are the login name and IP address of the remote location?

Question 15: What is the Bitlocker Recovery Key?

Question 16: What is the Bitlocker password? [Hint: Question 2]

Nirlauncher

Digital Forensics Tool - Nirlauncher by Nirsoft

NirLauncher is a package of more than 200 portable utilities from NirSoft for system administration, network monitoring and forensic investigation. The tools include password recovery, browsing history retrieval, network and process monitoring, and system information gathering utilities, each of which is small, standalone and can also be driven from the command line.

NirLauncher provides a single interface for finding and launching these tools, which makes it convenient for IT professionals and digital forensics analysts diagnosing Windows systems. Because the utilities are portable they can run from an external drive without installation, which suits live-system triage. Two caveats apply: many of the password-recovery tools are flagged by antivirus software, so expect alerts or blocking, and running anything on a live suspect machine alters it (prefetch files, registry and event logs), so document exactly what was run and prefer the tools' options for loading data from an external drive against a mounted image wherever possible.

In forensics the suite is used to gather evidence about user activity, network configuration and system-level changes, and every tool can save its output (text, CSV, HTML or XML) for later analysis in post-incident reviews or legal cases.

Use Cases: Retrieving Security Questions

NirLauncher is a collection of tools, and the group most valuable for forensic investigation is the password recovery tools, which can be used to get into a suspect's system or accounts.

One of them is SecurityQuestionsView, which decrypts and displays the security questions and answers Windows stores for local accounts.

To use this tool, right-click it and choose "Run as administrator"; reading registry hives requires elevated privileges.

Then select "Load the security questions from an external drive".

Then load the SYSTEM registry hive from C:\Windows\System32\config (on a mounted image, the same path under the mounted drive letter).