Triage Collection and Timeline Analysis with KAPE
Вставка
- Опубліковано 5 лип 2024
- Overview
As hard drive sizes get larger and larger, conducting full disk forensics is becoming a thing of the past. Why spend hours analyzing a disk image when you can analyze a handful of core Windows artifacts to build your case in a matter of minutes. In this webcast, learn how to use the free tool KAPE to collect key operating system files from a live system or a forensic image. Once the data is collected, KAPE can be leveraged to parse various artifacts and build a mini-timeline. In addition, learn how to customize KAPE by writing your own custom modules for your workflow.
Speaker Bio
Mari DeGrazia
Mari DeGrazia brings her puzzle-solving skills to her position as Senior Director of Incident Response at Kroll Cyber Security, where she leads high-profile incident response cases and helps clients find and respond to attackers in their environment. In her role as a SANS instructor for FOR500: Windows Forensic Analysis (sans.org/FOR500), Mari draws on nearly 20 years of experience in the IT industry, including 10 years in Digital Forensics and incident Response (DFIR). - Наука та технологія
Great free tools and great information on this video. It is always good to know the sources of the artifacts (hives, timestamps, logs). But AXIOM fill do the same thing with out these extra steps, these open tools are good tho. After acquiring an image, I just triage it by using FTK Imager and Eric's program Register Explorer, just to have an idea of what I will come across in the case after is done processed, which is pretty much what is going on in this video but with out the creation of timelines.
Few things here. Is the drive you are obtaining information from write protected? Second, if you are not obtaining a full disk image, then where is unallocated?
well, minitimeline is no longer in the list of available modules, isn't that nice.
They are on her Github, but have not been updated since 2019.