
New member

(@silentell)
Posts: 5
Active Member
Topic starter
 

Hello there, I'm new to the forum and I'm sure there are so many useful sources, tips and things to read up on (and some I've missed), so any suggestions on where to start on the forum for a fresher?

The ones I am researching are digital forensics psychology and mental health, and now I'm thinking of Mac forensics (the forensic value of a Mac forensics exam). For example, a question: how are you supposed to know what's suspicious on an endpoint you have never seen?

I have so much to talk about on these and I will, just not in this post :D.

regards

Silentell

 
Posted : 09/06/2020 2:15 pm
(@athulin)
Posts: 1155
Noble Member
 

Welcome!

How are you supposed to know what’s suspicious on an endpoint you never seen?

You're not 'supposed' to do anything like that. If you are able to, it's hopefully because you have a lot of experience and know what can be considered suspicious, or because there's solid research that points in that direction ... but you always have to evaluate the case on its own merits.

I once investigated a server after a suspected intrusion, and immediately found lots of indications of suspicious behaviour. However ... the server was in a kind of limbo between organization A, which had managed it for around five years and had officially handed it over to organization B, which was supposed to take over its management but for some reason had not officially accepted it. No-one really managed it anymore. People had logged into the server who had not been active for close to five years (aha! suspicious!) from IP addresses halfway around the world (very suspicious!), and people were trying to log in who did not have accounts (aha! again). They were just A and B people (one at a congress halfway around the world) who tried to do their best in a bad situation, and who felt a bit guilty about the poor handover of the system. Which is what can be expected, and is not really suspicious at all.

 
Posted : 09/06/2020 5:22 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 
Posted by: @silentell

How are you supposed to know what’s suspicious on an endpoint you never seen?

As you gain experience in computer forensics, you learn the file structure of various operating systems. You will learn what folders are standard in a file system and where they belong. In addition to this, if you work in a corporate environment that uses a gold/standard image across their enterprise, you will get familiar with the standard files and folders that are on your corporate endpoints. One of the first steps I take in my analysis is reviewing the file system and folder structure. If I notice folders and files outside of what is normal, I will start with reviewing those first, depending on the case.
 
Posted : 11/06/2020 2:27 pm
(@trewmte)
Posts: 1877
Noble Member
 
Posted by: @silentell

I am researching about digital forensics psychology and mental health, and now thinking of (Mac forensics, forensics value for Mac forensics exam)

Do you have a reference source defining "digital forensics psychology and mental health"?

 
Posted : 11/06/2020 3:46 pm
(@trewmte)
Posts: 1877
Noble Member
 
Posted by: @kastajamah

if you work in a corporate environment that uses a gold/standard image across their enterprise

Do you have a reference to a guide/document/standard for "gold/standard image" you can confirm?

 
Posted : 11/06/2020 3:50 pm
(@rich2005)
Posts: 534
Honorable Member
 
Posted by: @trewmte
Posted by: @kastajamah

if you work in a corporate environment that uses a gold/standard image across their enterprise

Do you have a reference to a guide/document/standard for "gold/standard image" you can confirm?

I assume he just means any image that's pushed out to PCs in bulk for corporate environments. So it'll be different for every company. And he's just referring to either manually, or by hash, ignoring all the standard things from the company's default/base installation and focussing on the new/modified/unusual data.

 
Posted : 11/06/2020 4:50 pm
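The "by hash" comparison against a base image that kastajamah and rich2005 describe, written out as an added example (this is not code from either poster or from any forensic tool). It assumes you can build a SHA-256 manifest once from the gold image and then walk the endpoint's file system; the two directory trees, the file names and the file contents below are constructed purely to exercise the logic. Besides "new" and "modified", it also flags gold-image content that turns up under a path where the image never had it (a copy of a known binary in an unexpected folder) and gold files that are missing from the endpoint, since both are the kind of "unusual" the thread is talking about.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root.

    Symlinks are skipped deliberately: hashing the target would attribute the
    target's content to the link's path and confuse the comparison.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_against_gold(gold, endpoint):
    """Classify endpoint files relative to the gold-image manifest.

    new       - path not in the gold image and content never seen in it
    modified  - same path as gold, different content
    relocated - content that exists in gold, but at a path gold never had
                (returned as (endpoint_path, gold_path_with_same_hash))
    missing   - gold path absent from the endpoint
    """
    gold_by_hash = {}
    for rel, digest in gold.items():
        gold_by_hash.setdefault(digest, []).append(rel)

    new, modified, relocated = [], [], []
    for rel, digest in sorted(endpoint.items()):
        if rel in gold:
            if gold[rel] != digest:
                modified.append(rel)
        elif digest in gold_by_hash:
            relocated.append((rel, gold_by_hash[digest][0]))
        else:
            new.append(rel)
    missing = sorted(set(gold) - set(endpoint))
    return {"new": new, "modified": modified, "relocated": relocated, "missing": missing}


def demo():
    """Build a constructed gold tree and a drifted endpoint tree, then diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        gold_root = Path(tmp) / "gold"
        host_root = Path(tmp) / "host"
        # Constructed "base install": identical on gold image and endpoint.
        base = {
            "Windows/System32/notepad.exe": b"NOTEPAD-BYTES",
            "Windows/System32/svchost.exe": b"SVCHOST-BYTES",
            "Program Files/Corp/agent.exe": b"AGENT-BYTES",
        }
        for rel, data in base.items():
            for root in (gold_root, host_root):
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)

        # Constructed drift on the endpoint only.
        (host_root / "Windows/System32/svchost.exe").write_bytes(b"SVCHOST-BYTES-PATCHED")  # modified
        public = host_root / "Users/Public"
        public.mkdir(parents=True)
        (public / "updater.exe").write_bytes(b"UNKNOWN-BYTES")   # new, never in gold
        (public / "svch0st.exe").write_bytes(b"NOTEPAD-BYTES")   # gold content, wrong place
        (host_root / "Program Files/Corp/agent.exe").unlink()    # missing from endpoint

        return diff_against_gold(build_manifest(gold_root), build_manifest(host_root))


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

On a real case the gold manifest is built once from the reference image and stored; the endpoint side is walked from a mounted forensic image, not the live host. The output is a triage list, not a verdict: user data and per-machine configuration will always land in "new", and a modified system binary may simply be a patch applied after the image was cut, so each hit still has to be judged on its own merits, as athulin says above.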
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

@rich2005 that is correct. Sorry @silentell for not being more specific.

 
Posted : 11/06/2020 4:56 pm