Forensics-Analysis
Found 5 related articles.
Back to Categories- 2025-03-23
Volatility3 Analysis of STRELASTEALER via Rundll32 Proxy Execution
Detailed forensic analysis of a Windows memory dump using Volatility3 to investigate a compromise at a financial institution. The analysis identifies a hidden malicious PowerShell process (powershell.exe -windowstyle hidden) abusing WebDAV to execute a second-stage payload (3435.dll) via rundll32.exe. This activity aligns with MITRE ATT&CK sub-technique T1218.011. The investigation determines the attacker's C2 IP (45.9.74.32), the compromised user ('Elon'), and correlates the C2 infrastructure with the STRELASTEALER malware family.
- 2025-02-23
The Crime - Mobile Forensics with ALEAPP to Reconstruct a Crime Timeline
Detailed mobile forensics writeup solving a murder case by analyzing an extracted Android device using ALEAPP. The analysis successfully traces the victim's final actions, identifying the primary financial stressor (Olymptrade and a 250,000 EGP debt owed to 'Shady Wahab'), the victim's final known location ('The Nile Ritz-Carlton'), planned escape route ('Las Vegas' flight ticket), and a final scheduled meeting location ('The Mob Museum') based on Discord chat logs.
- 2025-02-17
Network Forensics of LLMNR/NBT-NS Poisoning Attacks
Detailed network forensics writeup investigating an LLMNR/NBT-NS poisoning incident using Wireshark. The analysis tracks the attack chain, identifying the initial mistyped network query (FILESHAARE), the attacker's rogue IP (192.168.232.215), the compromised user (janesmith) whose NTLM hash was intercepted via SMB, and the hostname of the accessed machine (AccountingPC), demonstrating the vulnerability of unauthenticated name resolution protocols.
- 2025-02-06
WebStrike - Network Forensics of Web Shell Upload and Data Exfiltration
Detailed network forensics writeup analyzing a PCAP file to investigate a web shell incident. The analysis successfully identifies the attack's origin (Tianjin, China), the attacker's User-Agent, and the exploitation of a file upload vulnerability to deploy a malicious web shell ('image.jpg.php' in the /reviews/uploads/ directory). Further investigation reveals the attacker's attempt to establish a reverse shell to port 8080 and the subsequent data exfiltration of the sensitive /etc/passwd file.
- 2024-12-05
Volatility3 Analysis of a Credential Stealer Trojan
Detailed forensic analysis of a Windows memory dump compromised by the Amadey Trojan. This investigation utilizes Volatility3 to identify the main malicious process (lssass.exe), determine its location on the filesystem (Temp folder), confirm its nature via VirusTotal, track its C2C network connections (41.75.84.12), and discover persistence mechanisms (Scheduled Tasks and DLL payload execution via rundll32.exe).