Dipanshu-Pandey

  1. All About SIEM

     If you have heard about SIEM but do not have an idea what it is and how it works, then you are at the right place. In this article I will be explaining what SIEM is and how it works.

     Full Form of SIEM: The full form of SIEM is Security Incident and Event Management. As its name suggests, it is used for security management of an enterprise. It is basically related to real-time analysis of logs from various sources.

     What is SIEM? SIEM is a log management solution which is used to collect logs from different sources such as firewall logs, Windows Event logs, IDS logs and logs from various services like FTP, SSH, SMTP, SSL etc. All these logs are collected to a centralized location via SIEM, and then those logs can be used for generating a timeline of when which event happened, which can be very helpful in the Incident Response process. Some modern SIEM solutions can also be integrated with the cloud and gather logs from AWS, Azure and other cloud services. There are also forwarders available which can be used to forward logs from one system to another.

     Where is SIEM used? SIEM is used in enterprises to track the performance of their website. For example, they can see how many users visited their login and then payment page, so that they can keep track of their user behaviour, whether they are buying products or not. It is also used to manage and collect logs, so if any incident is reported, a timeline of malicious events can be made and it can be determined what malicious activities happened so that they can be mitigated. Some of the SIEM solutions which I would recommend are Splunk, QRadar and GrayLog.

     - Dipanshu Pandey
  2. Windows Recycle Bin is one of the most interesting and useful artifacts while analyzing Microsoft Windows evidence.

     What is the Recycle Bin? I think you all must know what the Recycle Bin is, but still I am telling you that the Recycle Bin is a place in Windows where all the deleted files are stored when we delete a file from our computer. One interesting thing is that our files are not deleted but moved to another location which we all call the Recycle Bin.

     Location of Recycle Bin -> Recycle Bin is located in a hidden directory named \$Recycle.Bin\%SID%, where %SID% is the SID of the user that performed the deletion.

     What Happens When We Delete a File? When a file is deleted, $I and $R files associated with it are made. Once we delete a file it is moved to the $RecycleBin folder, which contains 2 files. A '$I' file is created with some random string which contains the actual file data, and a '$R' file with the same random string as the '$I' file contains the metadata.

     $I Parser is a tool used to parse $I files. Rifiuti can also be used for Recycle Bin forensics. $I Parser Link to Download -> https://df-stream.com/download/321/ It is a GUI tool which can help us to recover the deleted files and help in forensic investigation. $I Parse is a tool for parsing $I (index) files from the Recycle Bin of Windows Vista and later. There are two modes of operation: directory and file. Directory mode allows you to point $I Parse to a directory of $I files; file mode parses an individual $I file.

     How Does It Help Us in Forensics? 1. It can help us to figure out what files were deleted at what time, and hence reduces false positives. 2. By searching deleted files we can also make an assumption that one of them could be malware, which helps to narrow down the scope of our investigation.

     - Dipanshu Pandey
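As an added example (not code from the post, nor from $I Parse or Rifiuti), a minimal parser for the $I index record that those tools read, covering the Vista/7/8 layout (format version 1, fixed 520-byte path field) and the Windows 10+ layout (format version 2, length-prefixed path); the sample records are constructed in the block, not taken from real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone
# FILETIME counts 100 ns ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    """Windows FILETIME -> timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, in integer math so large tick counts lose no precision."""
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I record: version (8 bytes), original size (8), deletion FILETIME (8),
    then the original path: format 1 uses a fixed 520-byte UTF-16LE field,
    format 2 a 4-byte character count followed by the UTF-16LE path."""
    if len(data) < 28:
        raise ValueError("too short to be a $I record")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                       # Vista through 8.1
        raw = data[24:24 + 520]
    elif version == 2:                     # Windows 10 and later
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I format version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(deleted), "path": path}

def companion_r_name(i_name: str) -> str:
    """The $R file (file content) shares the random suffix of its $I file."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]

def build_dollar_i(version: int, size: int, deleted_utc: datetime, path: str) -> bytes:
    """Construct a $I record for testing; this is synthetic, not real evidence."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_utc))
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded
# Constructed samples: a Windows 10 record and a Vista-era record
DELETED_AT = datetime(2021, 11, 26, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_V2 = build_dollar_i(2, 4096, DELETED_AT, r"C:\Users\analyst\Desktop\report.docx")
SAMPLE_V1 = build_dollar_i(1, 1024, DELETED_AT, r"C:\Temp\notes.txt")
```

Pointing `parse_dollar_i` at each `$I*` file under `\$Recycle.Bin\<SID>` gives the deletion timeline the post describes, with `companion_r_name` locating the matching `$R` file to recover.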
  3. What is Prefetch? Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. So in short, Windows Prefetch is nothing but a file which contains all the dependencies such as EXE and DLL of an executable which help to run it correctly. Let's take an example: we have app.exe, and when we run it a Prefetch file would be created which would contain all the required DLL and EXE files which would be needed to run that app.exe correctly without any errors.

     The location of Windows Prefetch files is C:\Windows\Prefetch. The extension of a Windows Prefetch file is .pf. For example, the name of the Prefetch file of app.exe would be app-A679D4C2.pf. Here we first have the name of the exe and the hash of the path the file resides in, separated with a hyphen.

     How To Investigate a Prefetch File? There are many tools which are used to investigate Prefetch files, but my favourite tool to analyse Prefetch files is WinPrefetchView.exe. This tool is very easy to use and it is provided to us by NirSoft. Link To Download -> https://www.nirsoft.net/utils/winprefetchview-x64.zip To use this tool we simply need to open it and pick an .exe file of our choice, and then the tool would display nearly all the .EXE and .DLL files which were required to run that file.

     How Will This Help in Forensics? If you have a malware sample in an infected system, you can get its .pf file and investigate its dependencies to know its functionality. This could also help you to decrease false positives.

     - Dipanshu Pandey