
aoiflux

What the diff?!

Overview

If it works, don’t touch it! How many times have we heard this phrase? How many memes have we shared around it? And yet, change is inevitable. There will always be a need for code refactoring. There will always be bugs in software, whether they are related to security or to some function. If there’s no bug, then the design will go obsolete at some point in time. But the story doesn’t end here.

Pipes are Fun!

Pipes are fun. Pipes are cool. All the cool kids use pipes for communication. You are probably thinking - wait a minute! I thought signals were used for IPC and for triggering specific actions in processes. And you’d be right. Signals are used to communicate between two processes. Signals like SIGINT, SIGTERM and SIGKILL can be used to communicate with processes and alter their state. However, pipes can also be used for IPC.

Inconsistencies in Memory Forensics

Based on 360 memory dumps of running Linux systems, a number of inconsistencies were observed. Almost 1/3 of all the memory dumps had an empty process list, meaning those dumps were incomplete. The results are based on a new way of determining causal inconsistency in memory dumps. While the contributing factors are unclear, in general they correlate with the level of concurrency.

Obtaining a memory dump

There are two main approaches for this: clean and dirty approaches.

File System Reliability

Let’s talk about the reliability of file systems from a #forensic investigator’s perspective. Our candidate will be #ntfs, because Windows, even with all its quirks, still has a huge market. So, to identify how reliable this file system is, we need to answer the following questions:

Questions

Q1. If a “secure” file deleting tool is used, then what are the chances of recovering the file in question?

Q2. What file system features will help us in recovering the file?

Memory forensics and the Windows Subsystem for Linux

Overview

Memory forensics has a special place in my heart, mostly because research papers associated with it are usually written more from an engineering perspective than an investigative one. So, I read this super cool paper about analysing processes running in WSL on a Windows 10 machine. AVs understand PE32+ executables very well. Windows memory data structures are also well understood. However, processes running in WSL are a different ball game, and the same problems plague memory forensics tools.