Digital Forensics & Incident Response
ESXi / VMware Workstation snapshots
Taking a snapshot generates a .vmem and a .vmsn file; suspending a VM commits memory to a .vmem and a .vmss file. The .vmem holds the guest's physical memory, while the .vmsn or .vmss holds the saved-state metadata, including the memory region map Volatility needs to translate the .vmem into guest physical addresses (the .vmem is not a flat image if the guest memory has gaps between regions).

Both files of a pair must therefore be present in the working directory when analysing with Volatility, and they must share the same file stem (for example win10.vmem beside win10.vmss). Volatility 3 is pointed at the .vmem with -f and finds the companion by swapping the extension to .vmss or .vmsn; Volatility 2 is pointed at the .vmss or .vmsn and finds the .vmem the same way. Renaming one file of the pair breaks the lookup.

On ESXi, a snapshot only produces a .vmem if it was taken with "Snapshot the virtual machine's memory" enabled; a snapshot taken without memory yields a .vmsn with nothing to analyse. Copy the pair out of the datastore together, and check that the .vmsn/.vmss actually carries a VMware saved-state header before spending time on a Volatility run.
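A small pre-flight check for the pairing rule above, added here as an example (it is not code from this page's author or from the Volatility project). It walks a directory, pairs each .vmem with a .vmss or .vmsn of the same stem, verifies that the companion starts with one of the VMware saved-state magic values Volatility accepts, and prints the matching Volatility 2 and 3 invocations. The sample directory it builds is constructed test data, not a real acquisition; the vol / vol.py command names and plugin names are assumptions about the analyst's install.

```python
#!/usr/bin/env python3
"""Pair VMware .vmem files with their .vmss/.vmsn companions and check
the companion's header before running Volatility.

Added example for this page; not code from the page author or from the
Volatility project. Assumption: Volatility locates the companion by
swapping the extension on the same file stem (win10.vmem <-> win10.vmss),
so only files in the same directory with the same stem are paired.
"""
import struct
import tempfile
from pathlib import Path

# Little-endian magic values at offset 0 of .vmss/.vmsn files (the set
# accepted by Volatility's VMware address space / layer).
VMWARE_MAGICS = {0xBED2BED0, 0xBED2BED2, 0xBED3BED3, 0xBAD1BAD1}


def read_vmware_header(path):
    """Return (magic, group_count) from a .vmss/.vmsn header, or None when
    the first 12 bytes do not look like a VMware saved-state header."""
    with open(path, "rb") as fh:
        data = fh.read(12)
    if len(data) < 12:
        return None
    magic, _unused, group_count = struct.unpack("<III", data)
    if magic not in VMWARE_MAGICS:
        return None
    return magic, group_count


def find_pairs(directory):
    """Map each .vmem name to its companion's name: .vmss (suspended VM)
    or .vmsn (snapshot). None means the memory file is orphaned."""
    pairs = {}
    for vmem in sorted(Path(directory).glob("*.vmem")):
        companion = None
        for ext in (".vmss", ".vmsn"):
            candidate = vmem.with_suffix(ext)
            if candidate.is_file():
                companion = candidate.name
                break
        pairs[vmem.name] = companion
    return pairs


def check_directory(directory):
    """For every .vmem, report the companion, whether its header validates,
    and the Volatility invocations that rely on the pair sitting together."""
    report = []
    for vmem_name, companion in find_pairs(directory).items():
        entry = {"vmem": vmem_name, "companion": companion, "valid": False,
                 "vol3": None, "vol2": None}
        if companion:
            header = read_vmware_header(Path(directory) / companion)
            entry["valid"] = header is not None
            if entry["valid"]:
                # Vol3 is given the .vmem; Vol2 is given the .vmss/.vmsn.
                entry["vol3"] = f"vol -f {vmem_name} windows.info"
                entry["vol2"] = f"vol.py -f {companion} imageinfo"
        report.append(entry)
    return report


def make_sample_dir():
    """Constructed sample data (not a real acquisition): a good pair, an
    orphaned .vmem, and a pair whose companion has a bogus header."""
    d = Path(tempfile.mkdtemp(prefix="vmware-pairs-"))
    (d / "win10.vmem").write_bytes(b"\x00" * 4096)
    (d / "win10.vmss").write_bytes(
        struct.pack("<III", 0xBED2BED0, 0, 3) + b"\x00" * 32)
    (d / "orphan.vmem").write_bytes(b"\x00" * 4096)
    (d / "bad.vmem").write_bytes(b"\x00" * 4096)
    (d / "bad.vmsn").write_bytes(b"NOTVMWARE" + b"\x00" * 32)
    return str(d)


if __name__ == "__main__":
    sample = make_sample_dir()
    for row in check_directory(sample):
        status = "ok" if row["valid"] else "MISSING/INVALID companion"
        print(f'{row["vmem"]:14} -> {row["companion"]!s:14} {status}')
        if row["vol3"]:
            print(f'    vol3: {row["vol3"]}\n    vol2: {row["vol2"]}')
```

Run it against the directory you copied the snapshot or suspend files into; an orphaned .vmem or a companion that fails the header check is the usual reason Volatility reports that it cannot find a suitable layer or address space.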