LSWSec - Defensive Security Notes
Digital Forensics

Memory, Pagefile and Hibernation file

Memory

  • RAM is the device that stores information for immediate use by the processor; its contents are volatile and are lost when power is removed

  • Memory forensics is the analysis of that volatile data, which cannot be recovered from a hard drive image

  • A memory dump is a snapshot or capture of the contents of RAM at a specific instant

  • Attack artefacts often exist only in memory and never touch the disk: injected or fileless code, decrypted payloads, plaintext credentials and encryption keys, active network connections and the list of running processes

Pagefile

  • pagefile.sys is used by Windows to hold pages of data moved out of RAM when physical memory runs low (paging)

  • Its size can be changed and it can be removed altogether; both affect the speed of the computer

  • Windows still boots without a pagefile, but it can run out of memory under load and cannot write a crash dump; the file can be moved to a different volume if the system drive is short of space

  • Forensically it is a fragmented partial copy of memory contents (strings, credentials, URLs, code) that survives a reboot; it is locked while Windows is running, so it is acquired from a disk image or with a raw-disk tool
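
Windows keeps most of its strings in memory as UTF-16LE, so a carver that only looks for ASCII misses command lines and paths when it is run over a memory dump or pagefile.sys. The following added example (not part of the original notes) carves both encodings, with offsets, from a constructed byte blob standing in for a slice of a dump; the blob, the IP address and the encoded PowerShell line are all invented for the demonstration.

```python
import mmap
import re

# Constructed sample standing in for a slice of a memory dump or pagefile.sys.
# It mixes binary noise with an ASCII URL (TEST-NET-3 address, invented) and a
# PowerShell command line stored the way Windows keeps it: UTF-16LE.
SAMPLE_BLOB = (
    b"\x00\x00\x8b\xec\x83\xe4"
    + b"http://203.0.113.10/stage2.bin"
    + b"\x00\x90\x90\xc3"
    + "powershell -enc SQBFAFgA".encode("utf-16-le")
    + b"\x00\x00\xff\xd8"
    + b"ab"          # printable but shorter than min_len, so not reported
    + b"\x00"
)

PRINTABLE = rb"[\x20-\x7e]"   # space through tilde


def carve_strings(data, min_len=6):
    """Return (offset, encoding, text) for every run of at least min_len
    printable characters, in ASCII and in UTF-16LE, sorted by offset."""
    hits = []
    ascii_re = re.compile(PRINTABLE + b"{%d,}" % min_len)
    # Each UTF-16LE character is the ASCII byte followed by 0x00.
    utf16_re = re.compile(b"(?:" + PRINTABLE + b"\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def carve_file(path, min_len=6):
    """Carve a real dump without reading it all into RAM: mmap lets re scan
    the file in place, which matters for multi-gigabyte pagefiles."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_strings(mm, min_len)


def ascii_only(data, min_len=6):
    """What a naive ASCII-only carver (like `strings` without -e l) reports."""
    return [t for _, enc, t in carve_strings(data, min_len) if enc == "ascii"]


if __name__ == "__main__":
    for offset, enc, text in carve_strings(SAMPLE_BLOB):
        print(f"0x{offset:08x} {enc:9s} {text}")
    print("ASCII-only view:", ascii_only(SAMPLE_BLOB))
```

Run against a real acquisition with carve_file("pagefile.sys"); the offsets let a finding be referenced back to the exact location in the evidence file. The ASCII-only view shows the URL but not the PowerShell command line, which is the trap the UTF-16LE pass avoids.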

Swapfile

  • The Linux equivalent of the Windows pagefile

  • Traditionally a dedicated swap partition, but swap can also be a regular file (a swapfile)

  • A swapfile is easier to resize than a partition

  • To resize one, disable it first, allocate the new size, rewrite the swap signature and enable it again: sudo swapoff /swapfile; sudo fallocate -l 2G /swapfile (2G is an example size); sudo chmod 600 /swapfile; sudo mkswap /swapfile; sudo swapon /swapfile. swapon reads the size from the swap header, so mkswap must be rerun after the file is resized.

  • free -h shows total and used RAM and swap; to see how much disk space is free for a larger swapfile, use df -h on the filesystem that holds it

  • swapon --show lists the active swap areas and whether each is a file or a partition (the same table is in /proc/swaps)

  • How aggressively the kernel moves pages to swap is tuned with vm.swappiness (0 to 100, default 60): sysctl vm.swappiness shows the current value and sudo sysctl vm.swappiness=10 changes it until the next reboot
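
swapon --show and /proc/swaps expose the same table. The added example below (not from the original notes) parses a constructed /proc/swaps listing to tell files from partitions, report usage, and say which areas can be grown in place with fallocate; the device names and sizes are invented. One caveat it handles: the kernel escapes spaces in swap paths as \040.

```python
from dataclasses import dataclass

# Constructed /proc/swaps listing (sizes are in KiB, as the kernel reports them).
# The second path contains a space, which /proc/swaps escapes as \040.
SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority
/swapfile                               file\t\t2097148\t\t524288\t\t-2
/mnt/data/swap\\040file                 file\t\t1048572\t\t0\t\t-3
/dev/sda3                               partition\t8388604\t\t131072\t\t-4
"""


@dataclass
class SwapArea:
    name: str
    kind: str        # "file" or "partition"
    size_kib: int
    used_kib: int
    priority: int

    @property
    def used_pct(self):
        return 100 * self.used_kib / self.size_kib if self.size_kib else 0.0

    @property
    def resizable_in_place(self):
        """A swapfile can be grown with swapoff/fallocate/mkswap/swapon;
        a partition needs repartitioning."""
        return self.kind == "file"


def parse_proc_swaps(text):
    areas = []
    for line in text.splitlines()[1:]:          # first line is the header
        if not line.strip():
            continue
        name, kind, size, used, prio = line.split()
        name = name.replace("\\040", " ")       # undo kernel escaping of spaces
        areas.append(SwapArea(name, kind, int(size), int(used), int(prio)))
    return areas


def swap_summary(areas):
    """Totals a practitioner would otherwise read from `free -h`."""
    total = sum(a.size_kib for a in areas)
    used = sum(a.used_kib for a in areas)
    return {"total_kib": total, "used_kib": used,
            "files": [a.name for a in areas if a.resizable_in_place],
            "partitions": [a.name for a in areas if not a.resizable_in_place]}


if __name__ == "__main__":
    areas = parse_proc_swaps(SAMPLE_PROC_SWAPS)   # or open("/proc/swaps").read()
    for a in areas:
        print(f"{a.name:28s} {a.kind:9s} {a.size_kib:>10d} KiB {a.used_pct:5.1f}% used")
    print(swap_summary(areas))
```

On a live Linux host, replace the constructed text with the contents of /proc/swaps; the file entries are the ones the resize procedure above applies to, and the partition entries are the ones that would need repartitioning instead.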

Hibernation file

  • Introduced in Windows 2000

  • Lets the OS save the current state of operation when the computer hibernates, so work resumes where it left off at the next boot

  • The contents of memory are compressed and written to hiberfil.sys in the root of the system drive; since Windows 8 fast startup also writes the kernel session there on a normal shutdown

  • Forensically it is a point-in-time memory image that persists on disk; memory forensics tools such as Volatility can convert it into a raw memory dump for analysis

Hashing and Integrity

  • A hash value is a fixed-length digest of a file's contents, normally written as a hex string (64 hex characters for SHA-256)

  • It acts as a fingerprint for the file: any change to the content gives a different hash, and two different files are not expected to share one (MD5 and SHA-1 collisions are practical, so record SHA-256 as well as any MD5 a tool produces)

  • In forensics, a hash is taken of the source before it is imaged and again of the image. If both are the same the image is an exact copy, and re-hashing the image later proves the evidence has not changed since acquisition

  • Hashcat can be used to perform dictionary attacks against hashes

  • This is most often used against credential hashes recovered during an investigation

  • hashcat -m 0 -a 0 <hashfile.txt> <wordlist.txt> (-m 0 selects raw MD5 and -a 0 a straight dictionary attack; hashcat --help lists the other hash-mode numbers)
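
Two uses of hashing appear in this section: proving an acquired image matches its source, and running a dictionary attack against credential hashes. The following added example (not part of the original notes) does both in Python: chunked SHA-256 over files so a multi-gigabyte image never has to fit in RAM, and a plain-Python equivalent of hashcat -m 0 -a 0 over a constructed wordlist. The evidence files are built in a temporary directory, the wordlist and target hashes are invented for the demonstration, and the two crackable targets are the MD5 digests of "password" and "123456".

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024   # 1 MiB reads keep memory flat for large images


def hash_file(path, algorithm="sha256"):
    """Digest a file in chunks; works for images far larger than RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copy(source, copy, algorithm="sha256"):
    """Forensic integrity check: hash source and copy, compare.
    Returns (match, source_digest, copy_digest) so both can be logged."""
    s, c = hash_file(source, algorithm), hash_file(copy, algorithm)
    return s == c, s, c


def dictionary_attack(target_hashes, wordlist, algorithm="md5"):
    """Plain-Python equivalent of `hashcat -m 0 -a 0`: hash each candidate
    and compare with the targets. Returns {hash: plaintext} for recovered ones."""
    targets = {h.lower() for h in target_hashes}
    recovered = {}
    for word in wordlist:
        digest = hashlib.new(algorithm, word.encode()).hexdigest()
        if digest in targets:
            recovered[digest] = word
    return recovered


# Constructed target set: MD5 of "password", MD5 of "123456", and a made-up
# hash that no wordlist entry will match.
TARGET_HASHES = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "e10adc3949ba59abbe56e057f20f883e",
    "00000000000000000000000000000000",
]
WORDLIST = ["letmein", "password", "qwerty", "123456"]   # constructed wordlist


def demo_verify():
    """Build an 'evidence' file, an exact copy and a tampered copy in a
    temp dir; return (exact_copy_matches, tampered_copy_matches)."""
    with tempfile.TemporaryDirectory() as d:
        src, good, bad = (os.path.join(d, n) for n in ("disk.img", "copy.img", "bad.img"))
        payload = b"MBR\x55\xaa" + bytes(range(256)) * 4096   # constructed ~1 MiB image
        with open(src, "wb") as f:
            f.write(payload)
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload[:-1] + b"\x00")                   # one byte changed
        return verify_copy(src, good)[0], verify_copy(src, bad)[0]


if __name__ == "__main__":
    print("exact copy, tampered copy:", demo_verify())
    for h, pw in dictionary_attack(TARGET_HASHES, WORDLIST).items():
        print(f"{h}:{pw}")                                     # hashcat-style output
```

A single flipped byte in a megabyte of data is enough to fail the integrity check, which is why the before and after digests belong in the evidence log. The dictionary attack only recovers what is in the wordlist; the third target stays uncracked, exactly as it would with hashcat.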


Last updated 2 years ago