Hello there, I'm new to the forum and I'm sure there are so many useful sources, things and tips to read up on, and some I've missed, so any suggestions on where to start on the forum for a fresher?
The ones I am researching are digital forensics psychology and mental health, and now I'm thinking of (Mac forensics, forensic value for a Mac forensics exam), for example a question like: How are you supposed to know what's suspicious on an endpoint you've never seen?
I have so much to talk about on these and I will, just not in this post :D
regards
Silentell
Welcome!
How are you supposed to know what's suspicious on an endpoint you've never seen?
You're not 'supposed' to do anything like that. If you are able to, it's hopefully because you have a lot of experience and know what can be considered suspicious, or because there's solid research that points in that direction ... but you always have to evaluate the case on its own merits.
I once investigated a server after a suspected intrusion, and immediately found lots of indications of suspicious behavior. However ... the server was in a kind of limbo between organization A, which had managed it for around five years and had officially handed it over to organization B, which was supposed to take over its management but for some reason had not officially accepted it. No-one really managed it anymore. And people had logged into the server who had not been active for close to five years (aha! suspicious!) from IP addresses halfway around the world (very suspicious!), and people were trying to log in who did not have accounts (aha! again). They were just A and B people (one at a congress halfway around the world), who tried to do their best in a bad situation, and who felt a bit guilty about the poor handover of the system. Which is what can be expected, and is not really suspicious at all.
How are you supposed to know what's suspicious on an endpoint you've never seen?
As you gain experience in computer forensics, you learn the file structure of various operating systems. You will learn what folders are standard in a file system and where they belong. In addition to this, if you work in a corporate environment that uses a gold/standard image across their enterprise, you will get familiar with the standard files and folders that are on your corporate endpoints. One of the first steps I take in my analysis is reviewing the file system and folder structure. If I notice folders and files outside of what is normal, I will start with reviewing those first, depending on the case.
I am researching digital forensics psychology and mental health, and now thinking of (Mac forensics, forensic value for a Mac forensics exam)
Do you have a reference source defining "digital forensics psychology and mental health"?
if you work in a corporate environment that uses a gold/standard image across their enterprise
Do you have a reference to a guide/document/standard for "gold/standard image" you can confirm?
if you work in a corporate environment that uses a gold/standard image across their enterprise
Do you have a reference to a guide/document/standard for "gold/standard image" you can confirm?
I assume he just means any image that's pushed out to PCs in bulk for corporate environments. So it'll be different for every company. And he's just referring to either manually, or by hash, ignoring all the standard things from the company's default/base installation and focusing on the new/modified/unusual data.
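The "ignore the known, look at the rest" approach from the two posts above (reviewing the file tree against a gold image, and filtering by hash) as a worked example. This is added code, not anything posted in the thread: it builds a manifest of relative path to SHA-256 from a gold-image directory, then classifies every file on an endpoint as unchanged, modified, moved (gold content turned up at a different path), new, or missing. The gold image, the endpoint and the files in them are constructed inline in temporary directories so the script runs offline; in practice you would point it at a mounted gold image and at the evidence mount, and the same hash-set idea extends to published known-file sets such as NIST's NSRL.

```python
"""Baseline ("gold image") comparison: flag files on an endpoint that are
new, modified, moved or missing relative to a known-good file manifest.

Added example, not code from the thread. The gold-image directory, the
endpoint directory and every sample file are constructed in demo() so the
script runs offline.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root: relative POSIX-style path -> sha256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # symlinks are skipped; hash real content only
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_against_baseline(baseline, target_root):
    """Classify files on the target relative to the gold-image manifest.

    'unchanged': same path, same hash           (safe to ignore)
    'moved':     known hash at an unknown path  (gold content copied or renamed)
    'modified':  known path, different hash     (review first)
    'new':       unknown path and unknown hash  (review first)
    'missing':   in the baseline but absent on the target
    """
    known_hashes = set(baseline.values())
    target = build_manifest(target_root)
    result = {"unchanged": [], "moved": [], "modified": [], "new": [], "missing": []}
    for rel, digest in sorted(target.items()):
        if rel in baseline:
            result["unchanged" if baseline[rel] == digest else "modified"].append(rel)
        elif digest in known_hashes:
            result["moved"].append(rel)
        else:
            result["new"].append(rel)
    result["missing"] = sorted(set(baseline) - set(target))
    return result


def _write(root, rel, data):
    """Helper: create a constructed sample file below root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed gold image and a constructed endpoint, then diff them."""
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as host:
        # constructed gold image: what every corporate endpoint is deployed with
        _write(gold, "Windows/System32/svchost.exe", b"gold svchost")
        _write(gold, "Program Files/Corp/agent.exe", b"gold agent")
        _write(gold, "Users/Public/readme.txt", b"welcome")
        baseline = build_manifest(gold)

        # constructed endpoint under examination
        _write(host, "Windows/System32/svchost.exe", b"gold svchost")         # untouched
        _write(host, "Program Files/Corp/agent.exe", b"patched agent")        # changed in place
        _write(host, "Users/Public/Downloads/svchost.exe", b"gold svchost")   # gold binary, odd location
        _write(host, "Users/Public/Downloads/update.ps1", b"Invoke-Expression ...")  # not in the image
        # Users/Public/readme.txt is deliberately absent on the endpoint -> missing
        return diff_against_baseline(baseline, host)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:>9}: {paths}")
```

The "moved" bucket is the reason to keep a hash set as well as a path manifest: a legitimate system binary copied into a user's download folder is not new content, but its location is exactly the kind of "outside of what is normal" that the earlier reply says to look at first, so it is reported separately rather than silently ignored.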