
New member

Silentell
(@silentell)
New Member

Hello there, I'm new to the forum and I'm sure there are so many useful sources, things and tips to read, and some I have missed, so any suggestions on where to start on the forum for a fresher?

The ones I am researching are about digital forensics psychology and mental health, and now I'm thinking of (Mac forensics, forensic value for a Mac forensics exam), for example a question on: How are you supposed to know what’s suspicious on an endpoint you’ve never seen?

I have so much to talk about these and I will, just not in this post :D.

Regards

Silentell

Topic starter Posted : 09/06/2020 2:15 pm
athulin
(@athulin)
Community Legend

Welcome!

How are you supposed to know what’s suspicious on an endpoint you’ve never seen?

You're not 'supposed' to do anything like that.  If you are able to, it's hopefully because you have a lot of experience and know what can be considered suspicious, or because there's solid research that points in that direction ... but you always have to evaluate the case on its own merits.

I once investigated a server after a suspected intrusion, and immediately found lots of indications of suspicious behavior.  However ... the server was in a kind of limbo between organization A, which had managed it for around five years and had officially handed it over to organization B, which was supposed to take over its management but for some reason had not officially accepted it. No-one really managed it anymore.  And people had logged into the server who had not been active for close to five years (aha! suspicious!) from IP addresses halfway around the world (very suspicious!), and people were trying to log in who did not have accounts (aha! again). They were just A and B people (one at a congress halfway around the world), who tried to do their best in a bad situation, and who felt a bit guilty about the poor handover of the system. Which is what can be expected, and is not really suspicious at all.

Posted : 09/06/2020 5:22 pm
kastajamah
(@kastajamah)
Active Member
Posted by: @silentell

How are you supposed to know what’s suspicious on an endpoint you’ve never seen?

As you gain experience in computer forensics, you learn the file structure of various operating systems.  You will learn what folders are standard in a file system and where they belong.  In addition to this, if you work in a corporate environment that uses a gold/standard image across their enterprise, you will get familiar with the standard files and folders that are on your corporate endpoints.  One of the first steps I take in my analysis is reviewing the file system and folder structure.  If I notice folders and files outside of what is normal, I will start with reviewing those first, depending on the case.

This post was modified 2 years ago by kastajamah
Posted : 11/06/2020 2:27 pm
trewmte
(@trewmte)
Community Legend
Posted by: @silentell

I am researching about digital forensics psychology and mental health, and now I'm thinking of (Mac forensics, forensic value for a Mac forensics exam)

Do you have a reference source defining "digital forensics psychology and mental health"?

Posted : 11/06/2020 3:46 pm
trewmte
(@trewmte)
Community Legend
Posted by: @kastajamah

if you work in a corporate environment that uses a gold/standard image across their enterprise

Do you have a reference to a guide/document/standard for "gold/standard image" you can confirm?

Posted : 11/06/2020 3:50 pm
Rich2005
(@rich2005)
Senior Member
Posted by: @trewmte
Posted by: @kastajamah

if you work in a corporate environment that uses a gold/standard image across their enterprise

Do you have a reference to a guide/document/standard for "gold/standard image" you can confirm?

I assume he just means any image that's pushed out to PCs in bulk for corporate environments. So it'll be different for every company. And he's just referring to either manually, or by hash, ignoring all the standard things from the company's default/base installation and focussing on the new/modified/unusual data.

Posted : 11/06/2020 4:50 pm
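The baseline comparison Rich2005 describes above (ignore everything that matches the company's base image by hash, look first at what is new or modified), as an added example that is not part of the thread. It builds its own constructed "gold image" and endpoint trees in temporary directories; the file names and contents are made up for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Walk a directory tree and return {relative POSIX path: SHA-256 hex digest}."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_against_baseline(baseline, endpoint):
    """Classify endpoint files relative to the gold-image manifest; 'new' and 'modified' are the
    review-first set, 'relocated' is a new path whose content is a known baseline file (odd place)."""
    known_hashes = set(baseline.values())
    new = sorted(p for p in endpoint if p not in baseline)
    modified = sorted(p for p in endpoint if p in baseline and endpoint[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in endpoint)
    relocated = sorted(p for p in new if endpoint[p] in known_hashes)
    return {"new": new, "modified": modified, "missing": missing, "relocated": relocated}


def build_demo_trees():
    """Constructed sample data: a tiny gold image and an endpoint that has drifted from it."""
    gold, host = Path(tempfile.mkdtemp(prefix="gold_")), Path(tempfile.mkdtemp(prefix="host_"))
    standard = {"bin/agent.exe": b"vendor agent build 1.0\n", "etc/policy.cfg": b"logging=on\n"}
    for tree in (gold, host):
        for rel, data in standard.items():
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_bytes(data)
    (host / "etc/policy.cfg").write_bytes(b"logging=off\n")                # modified on the endpoint
    (host / "temp").mkdir()
    (host / "temp/agent_copy.exe").write_bytes(standard["bin/agent.exe"])  # known content, odd path
    (host / "temp/note.txt").write_bytes(b"not in the base image\n")       # entirely new
    return hash_tree(gold), hash_tree(host)


def demo():
    """Run the comparison on the constructed trees and return the classified findings."""
    baseline, endpoint = build_demo_trees()
    return diff_against_baseline(baseline, endpoint)
```

For a real engagement, `hash_tree` would be run once over the deployed base image to produce the baseline manifest and again over the endpoint, with the result reviewed in the order the thread suggests: modified, then new.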
kastajamah
(@kastajamah)
Active Member

@rich2005 that is correct. Sorry @silentell for not being more specific.

Posted : 11/06/2020 4:56 pm