Posts

Showing posts from October, 2020

Analysis of Volatile Memory(RAM) Using Volatility3

Introduction: Volatility3 is the current generation of the Volatility framework for volatile memory forensics. It is open source and written in Python, and it is among the most widely used tools for extracting digital artefacts from volatile memory, i.e. a RAM image. The framework is intended to introduce people to the techniques for extracting digital artefacts from volatile memory (RAM) samples and to provide a platform for further work in this area of research.

Downloading and Installation: Requirements: Python 3.5.3 or higher and pefile 2017.8.1 or later. Download Volatility3 from its GitHub repository, or clone it from the command line:

git clone https://github.com/volatilityfoundation/volatility3.git

RAM Image Creation: To create a memory dump for analysis we can use the DumpIt memory tool. We can also use FTK Imager to create a memory dump. To create the image using ftkima

Manual File Recovery Approach for NTFS

Manual NTFS File Recovery Approach

What is a file system? A file system provides a mechanism for users to store data in a hierarchy of files and directories. A file system consists of structural data and user data that are organised so that the computer knows where to find them [1].

How can files be recovered after being "permanently" deleted? The operating system keeps track of where files are on a hard drive through a reference (on NTFS, the file's record in the Master File Table) that tells the OS where the file begins and ends. When we delete a file, only this reference is removed and the file's space is marked as available; the file's contents are not actually erased. They remain on disk until those clusters are reused, which is what makes recovery possible.

Why doesn't the computer just erase files when you delete them? Deleting a file's reference and marking its space as available is an extremely fast operation. In contrast, actually erasing a file by overwriting its data takes significantly longer. For example, deleting a 10 GB file this way is near-instantaneous. To actually erase the file's contents, it may take seve
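The recovery described above can be shown concretely by parsing a deleted file's MFT record: the in-use flag in the record header is clear, but the $FILE_NAME attribute and the $DATA run list are still intact, so the clusters can be read back as long as nothing has reused them. The following Python is an added example written for this page, not code from the original post; the MFT record and the volume it is read from are constructed in-memory sample data, and the file name "secret.docx", the cluster numbers and the 4096-byte cluster size are assumptions for the example.

```python
import struct

# NTFS on-disk constants: attribute type codes and MFT record header flags.
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def apply_fixups(rec, sector=512):
    """Undo the update sequence array: NTFS overwrites the last two bytes of
    every sector of a record with a sequence number and keeps the originals in
    the array. Skipping this corrupts attributes that cross a sector boundary."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    fixed = bytearray(rec)
    for i in range(1, usa_count):
        end = i * sector
        if fixed[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        fixed[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(fixed)


def parse_data_runs(runs):
    """Decode a run list into (first_cluster, cluster_count) pairs. The header
    byte packs the length-field size (low nibble) and the signed offset-field
    size (high nibble); offsets are relative to the previous run and a zero
    offset size marks a sparse run."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_sz, off_sz = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        count = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz:
            lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
        out.append((lcn if off_sz else None, count))
    return out


def parse_mft_record(rec):
    """Walk the attributes of a FILE record and return what recovery needs:
    the in-use flag, the file name and the $DATA run list."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & FLAG_IN_USE),
            "is_dir": bool(flags & FLAG_DIRECTORY),
            "name": None, "size": None, "runs": []}
    pos = first_attr
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:      # end-of-attributes marker
            break
        non_resident = rec[pos + 8]
        if atype == ATTR_FILE_NAME and not non_resident:
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            body = rec[pos + coff:pos + coff + clen]
            info["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        elif atype == ATTR_DATA and non_resident:
            runs_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            info["size"] = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            info["runs"] = parse_data_runs(rec[pos + runs_off:pos + alen])
        pos += alen
    return info


def recover_data(info, volume, cluster_size):
    """Reassemble the file from its run list. This works only while the
    clusters have not been reallocated; recovery is a race against new writes."""
    out = bytearray()
    for lcn, count in info["runs"]:
        if lcn is None:
            out += bytes(count * cluster_size)    # sparse run reads as zeros
        else:
            out += volume[lcn * cluster_size:(lcn + count) * cluster_size]
    return bytes(out[:info["size"]])


def constructed_deleted_record():
    """Synthetic 1024-byte MFT record for a deleted 45000-byte file stored in
    two runs (clusters 100-107 and 300-303). Constructed sample data, not from
    a real volume."""
    name = "secret.docx".encode("utf-16-le")
    fn_body = bytes(40) + struct.pack("<QQII", 49152, 45000, 0x20, 0) \
        + bytes([len(name) // 2, 1]) + name
    fn_attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 0x18 + len(fn_body),
                          0, 0, 0, 0, 2, len(fn_body), 0x18, 0, 0) + fn_body
    runs = bytes([0x21, 0x08, 0x64, 0x00, 0x21, 0x04, 0xC8, 0x00, 0x00]).ljust(16, b"\0")
    data_attr = struct.pack("<IIBBHHHQQHHIQQQ", ATTR_DATA, 0x40 + len(runs),
                            1, 0, 0, 0, 3, 0, 11, 0x40, 0, 0, 49152, 45000, 45000) + runs
    body = fn_attr + data_attr + b"\xff\xff\xff\xff" + bytes(4)
    # Header flags = 0: the in-use bit is clear, so this record is a deleted file.
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 5, 1, 0x38, 0,
                         0x38 + len(body), 1024, 0, 4, 0, 40)
    rec = bytearray((header + b"\x01\x00" + bytes(6) + body).ljust(1024, b"\0"))
    rec[510:512] = rec[1022:1024] = b"\x01\x00"  # sequence number at both sector ends
    return bytes(rec)
```

On a real volume the record comes from the $MFT file (1024 bytes per record on most volumes) and the cluster size from the boot sector; the parser is otherwise unchanged. The important point for recovery is that `in_use` is False while `runs` still points at real clusters, and that `recover_data` reads whatever is there now, so a reused cluster yields another file's bytes rather than the original.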

Disk Partition Analysis

Disk Partition Analysis (DOS Partition)

In this post we will briefly go through the process of understanding the DOS (MBR) disk partition scheme and how we can parse information out of it. The first thing we need is the partition table. We can obtain the partition table (MBR information) from the first 512-byte sector of the disk, or we can search for a sector ending with the 0x55AA boot signature (volume boot records end with the same signature, so a hit found this way must be validated by parsing its partition entries). The partition table sector can be obtained in several ways; the following process is demonstrated using 'dd'.

Let's have a look inside. This sector contains three important pieces of information: the bootstrap code area (assembly boot code), the partition table and the boot signature. The MBR layout is shown in the table below. The partition table occupies offsets 0x1BE to 0x1FD and holds up to four 16-byte partition entries, as shown below:

From the above details we can analyse our partitions; let's consider the first two entries of the partition table: 8004 0104 83FE C2FF 0008 0000 0070 E109 00FE C2FF 05FE C2FF FE7F E109 0
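The parsing described above, carried through in code: check the 0x55AA signature, split the 64 bytes at 0x1BE into four 16-byte entries, and decode each entry's boot flag, CHS fields, type byte, starting LBA and sector count. This Python is an added example for this page, not code from the original post. The first partition entry it decodes is the one quoted above (8004 0104 83FE C2FF 0008 0000 0070 E109); the second entry is constructed for the example because the post's bytes are cut off, and the partition-type name table is a small subset of the well-known type IDs.

```python
import struct

# Subset of well-known DOS partition type identifiers.
PARTITION_TYPES = {
    0x05: "Extended (CHS)", 0x07: "NTFS / exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective",
}
SECTOR = 512


def decode_chs(b):
    """Unpack a 3-byte CHS field: head, then the 6-bit sector sharing a byte
    with the two high bits of the cylinder, then the low 8 cylinder bits."""
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, b[0], b[1] & 0x3F


def parse_mbr(sector):
    """Parse the four 16-byte entries at 0x1BE-0x1FD after verifying the
    0x55AA boot signature at 0x1FE-0x1FF."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        e = sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        if e == bytes(16):
            continue                                  # unused slot
        start_lba, count = struct.unpack_from("<II", e, 8)
        parts.append({
            "slot": i + 1,
            "bootable": e[0] == 0x80,
            "flag_valid": e[0] in (0x00, 0x80),      # any other value is suspicious
            "type": e[4],
            "type_name": PARTITION_TYPES.get(e[4], "unknown 0x%02X" % e[4]),
            "start_chs": decode_chs(e[1:4]),
            "end_chs": decode_chs(e[5:8]),
            "start_lba": start_lba,
            "sectors": count,
            "end_lba": start_lba + count - 1,
            "size_bytes": count * SECTOR,
        })
    return parts


def check_overlaps(parts):
    """Return (slot, slot) pairs whose sector ranges intersect. Overlapping
    entries point to a hand-edited, damaged or deliberately confusing table."""
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    return [(a["slot"], b["slot"]) for a, b in zip(ordered, ordered[1:])
            if a["end_lba"] >= b["start_lba"]]


def find_boot_sector_candidates(image):
    """Offsets of every 512-byte-aligned sector ending in 0x55AA. Volume boot
    records carry the same signature, so each hit still needs parse_mbr() and
    a plausibility check on its entries."""
    return [off for off in range(0, len(image) - SECTOR + 1, SECTOR)
            if image[off + 510:off + 512] == b"\x55\xAA"]


def constructed_mbr():
    """512-byte MBR for this example: entry 1 is the first entry quoted in the
    post; entry 2 is constructed (an extended partition starting right after
    entry 1 ends) and is not the post's truncated second entry."""
    entry1 = bytes.fromhex("80040104 83FEC2FF 00080000 0070E109")
    entry2 = struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x05,
                         b"\xFE\xFF\xFF", 165771264, 1000000)
    return bytes(446) + entry1 + entry2 + bytes(32) + b"\x55\xAA"


def read_mbr(path):
    """Same as `dd if=<disk> bs=512 count=1`: read sector 0 and parse it."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR))
```

For the quoted entry the decoder gives boot flag 0x80 (active), type 0x83 (Linux), starting CHS (4, 4, 1), ending CHS (1023, 254, 2), starting LBA 2048 and 165,769,216 sectors, i.e. about 79 GiB ending at LBA 165,771,263. `read_mbr()` is the only function that touches a disk or image file; everything else works on the 512 bytes already read, so the same code runs against a `dd` output file.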