Logging is important for all sorts of purposes. Windows event logs help in detecting intrusions. EDR/IDS/IPS/Firewall logs help in catching malware. But these logs can contain sensitive information. What if you end up typing your password in the username field? Rookie mistake. However, it can cost a lot. Windows Event ID 4625 (failed logon) is going to record the submitted account name, password and all. Almost every other application that logs failed login attempts is going to log this bit of info too.
Overview
In one of the previous posts we talked about how File Shredders Aren't Perfect: how they leave behind signs that can be picked up during file system forensic analysis. In this article we'll be talking about all those things

Note: Our analysis will be limited to just the FAT32 and NTFS file systems.

File System Forensics
The art and science of understanding how file systems work in order to unearth artefacts left by interacting with the underlying storage.
So, you’ve used a file shredder tool to securely delete all the files from your #windows machine and formatted the hdd just for good measure.
That makes you secure. Right?
Not really. Without getting into the specifics: modern operating systems and file systems record everything.
File shredder tools leave behind their own signatures. These signatures aka digital tool markers (dtm) can be detected and can even be used to attribute them to some specific file shredding utilities.
Spoiler Alert! We are not talking about Emergency Medical Aid or First Aid 😁
Questions/Answers

Question 1: What do you normally think of when you hear this term?
- File name substring matches
- File content/metadata YARA matches
- File type filter

Question 2: Or something more advanced?
- System-generated file / user-generated file detection
- Log analysis with pre-defined rules
- Weighted-score file ranking, with multiple algorithms running behind the scenes designed for filtering files

While all these methods are legitimate.
“Triage is a term widely used to denote the prioritization of work according to a quality inherent in the objects being acted upon”
~ Simson L. Garfinkel