Information Security News | Cyber Security | Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper | Infosec Articles | Hacking News
Feed date: Fri, 11 Mar 2022 21:54:20 +0000

How to collect only valid evidence during forensic investigation and incident response processes instead of creating images of system memory
https://www.securitynewspaper.com/2022/03/13/how-to-collect-only-valid-evidence-during-forensic-investigation-and-incident-response-processes-instead-of-creating-images-of-system-memory/
Sun, 13 Mar 2022 18:30:00 +0000

The post How to collect only valid evidence during forensic investigation and incident response processes instead of creating images of system memory appeared first on Information Security Newspaper | Hacking News.

The cybersecurity community understands cyber forensics as the set of procedures and methodological techniques used to identify, collect, preserve, extract, interpret, document and present the evidence from an investigation of a computer system, so that the resulting reports can demonstrate or rule out malicious activity on the affected systems.

Specialists say that this work plays a fundamental role in the investigation of cybercriminal incidents, although investigators often face multiple questions and crossroads during the analysis, which increases the workload unnecessarily. That is why it is necessary to find a way to make these processes more efficient.

On this occasion, experts from the cyber forensics course of the International Institute of Cyber Security (IICS) will show you Hoarder, a script created to collect and analyze the most valuable elements for forensic investigations or incident response instead of creating images of the entire hard drive.

Available on GitHub, this tool can be a great advantage for cyber forensics investigations, lightening the workload of experts and allowing them to define the most characteristic features of a cyberattack.

Tool usage

Hoarder reads the Hoarder.yml configuration and produces an extensive help message for ease of use, the experts of the cyber forensics course mention.

For example, to collect all the artifacts specified in Hoarder.yml, run any of the following equivalent commands:

> .\hoarder.exe --all
> .\hoarder.exe -a
> .\hoarder.exe

At the end of the execution, a ZIP file named <HOSTNAME>.zip is generated, containing all the artifacts together with hoarder.log, which holds the debug records of the script.

To collect all artifacts that belong to the group tagged parsing, run the command:

> .\hoarder.exe -g parsing

Configuration

The tool ships with a default configuration (Hoarder.yml):

  • If you are running from the binary executable: the default Hoarder.yml settings are embedded in it. If you place your own Hoarder.yml next to hoarder.exe, it is used instead of the embedded defaults
  • If you are running from the source, you can modify Hoarder.yml, or rename it and supply your own Hoarder.yml configuration

Here’s an example of an entry for collecting and parsing files or folders; its fields are:

  • Events: the name of the artifact. This name is used as an argument on the hoarder command line
  • Output: output folder for this artifact
  • path32: path to the artifact on 32-bit systems
  • path64: path to the artifact on 64-bit systems
  • Files: names of the files to collect
  • Groups: function as tags; each artifact can be configured to be part of one or more groups
  • Parsers: one or more parsers to run on this artifact

Parsing

Starting with version 4.0.0, Hoarder has support for the analysis of collected artifacts. As mentioned in the IICS cyber forensics course, there are three main parts to the analysis:

  • parsers.zip: contains the binaries, scripts and data files of your parsers. To add your own parsers, place a parsers.zip file containing all the parsers you use next to hoarder.exe
  • configuration: in Hoarder.yml, add your parser command
  • command-line arguments: -pa makes Hoarder collect both the raw and the parsed artifacts, and -n makes it collect only the parsing results

Commands and plugins

The researchers of the cyber forensics course mention that the tool contains the following features:

  • Plugins: preset functions within the script that can be called for specific results, such as processes and services
  • Commands: defined within Hoarder.yml to execute specific built-in commands

The tool also supports the execution of system commands. The following example shows the execution of the systeminfo command:

To learn more about information security risks, malware variants, vulnerabilities and information technologies, and for more information on the cyber forensics course, feel free to access the International Institute of Cyber Security (IICS) websites.

How to perform digital forensics of malicious PDF files? Easily checking if a PDF document has malware or backdoors
https://www.securitynewspaper.com/2021/12/04/how-to-perform-digital-forensics-of-malicious-pdf-files-easily-checking-if-a-pdf-document-has-malware-or-backdoors/
Sat, 04 Dec 2021 17:20:00 +0000

The PDF format has become one of the most popular ways to view files, as this format is compatible with all kinds of technological devices, including desktop computers, laptops, electronic tablets and smartphones. Because of this universal presence, threat actors began using these documents to deliver malware and easily deploy other attack variants.

This time, specialists from the International Institute of Cyber Security (IICS) will show you how to apply digital forensics to analyze PDF documents and determine if they are compromised with any variant of malicious content.

Before going on, it is worth recalling that the attack chain via PDF usually begins with malicious documents sent by email. When these documents are opened on the affected system, in most cases JavaScript code is executed in the background, capable of exploiting vulnerabilities in tools such as Adobe PDF Reader or of dropping executable files for later attack stages.

PDF documents, whether legitimate or malicious, have 4 main elements, digital forensics experts mention:

  • Header: contains the version of the document and other general data
  • Body: the objects of the document. This element consists of streams that are used to store data
  • Cross-reference table: points to each object
  • Trailer: points to the cross-reference table

Now that we know the essential information about an attack via PDF documents, we will be able to review each way to analyze these elements.

PDF scanning using PDFiD

PDFiD is a component of the Didier Stevens Suite that scans PDF documents against a list of keywords to detect JavaScript elements, embedded files and actions executed when the file is opened, counting the occurrences of each in the document.

In this example, PDFiD detected various objects, streams, JavaScript code and OpenAction elements in the Report.pdf file. According to digital forensics experts, the presence of these elements suggests that the analyzed file contains JavaScript or Flash scripts. The /Embedded element indicates the presence of other formats within the PDF, while the /OpenAction, /AA and /AcroForm elements initiate automatic actions when the file is opened.

View the contents of PDF objects

We already know that there is JavaScript code inside the parsed PDF file. This is the starting point of the investigation; to find the indirect JavaScript object, run the pdf-parser.py tool.

Based on the result of these scans, the hidden JavaScript code will execute the malware every time the file is opened, so the next step is to extract the malicious payload.

Extracting embedded files using Peepdf

This is a Python tool that contains all the components needed for the validation and analysis of PDF files, digital forensics experts mention. To take full advantage of its capabilities, enter the command peepdf -i file_name.pdf. The -i option enables the script’s interactive mode:

To see more features, enter the --help command:

The scan result indicates that there is a file embedded in object 14. A closer inspection of this object shows that it points to object 15; in turn, object 15 points to object 16. Finally, there are indications of the presence of a malicious file in object 17.

According to the content of the PDF, there is only one stream in it, and it also points to object 17. Therefore, object 17 is a stream with an embedded file.

Stream 17 contains a file signature that begins with MZ, i.e. the hexadecimal value 4d 5a. According to digital forensics experts, this is the sign of an executable file.

Next, we save the stream as an executable named virus.exe.
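As an added example (not part of the original article), the following Python script reproduces the chain walk described above on a constructed PDF: it follows the /EmbeddedFiles reference from object 14 through 15 and 16 to stream 17, inflates the FlateDecode stream and checks for the MZ (4d 5a) signature without writing anything to disk. The object layout and the dummy stream content are constructed for the demonstration; the parser handles only direct /Length values and the FlateDecode filter.

```python
import re
import zlib

# Constructed sample (not a real document): a minimal PDF whose embedded-file
# chain mirrors the article's case, object 14 -> 15 -> 16 -> 17, where 17 is a
# FlateDecode stream. The stream content is dummy filler that merely begins
# with the 'MZ' signature (hex 4d 5a); it is not an executable.
_DUMMY_MZ = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 24
_STREAM_17 = zlib.compress(_DUMMY_MZ)

SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 14 0 R >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"14 0 obj\n<< /Kids [ 15 0 R ] >>\nendobj\n"
    b"15 0 obj\n<< /Names [ (report.exe) 16 0 R ] >>\nendobj\n"
    b"16 0 obj\n<< /Type /Filespec /F (report.exe) /EF << /F 17 0 R >> >>\nendobj\n"
    b"17 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
    + str(len(_STREAM_17)).encode()
    + b" >>\nstream\n"
    + _STREAM_17
    + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

_OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b")
_STREAM_RE = re.compile(rb"(?<![a-z])stream\r?\n")  # the keyword, not 'endstream'
_REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")
_LENGTH_RE = re.compile(rb"/Length\s+(\d+)")


def parse_objects(pdf: bytes) -> dict:
    """Walk the file object by object without relying on the xref table.
    Each entry keeps the dictionary bytes and, for stream objects, the decoded
    stream data. The stream length comes from the direct /Length value, so
    binary data that happens to contain 'endobj' cannot confuse the walk."""
    objects, pos = {}, 0
    while (m := _OBJ_RE.search(pdf, pos)) is not None:
        num, start = int(m.group(1)), m.end()
        end_obj = pdf.find(b"endobj", start)
        if end_obj == -1:
            break
        sm = _STREAM_RE.search(pdf, start, end_obj)
        if sm is None:  # plain dictionary object
            objects[num] = {"dict": pdf[start:end_obj].strip(), "data": None}
            pos = end_obj + len(b"endobj")
            continue
        head = pdf[start:sm.start()].strip()
        length = int(_LENGTH_RE.search(head).group(1))
        data = pdf[sm.end():sm.end() + length]
        if b"/FlateDecode" in head:
            data = zlib.decompress(data)
        objects[num] = {"dict": head, "data": data}
        tail = pdf.find(b"endobj", sm.end() + length)
        pos = len(pdf) if tail == -1 else tail + len(b"endobj")
    return objects


def follow_chain(objects: dict, start: int) -> list:
    """Follow indirect references from `start` until a stream object is
    reached, recording the hops (the article's 14 -> 15 -> 16 -> 17 path)."""
    path, cur = [start], start
    while cur in objects and objects[cur]["data"] is None:
        refs = [int(r) for r in _REF_RE.findall(objects[cur]["dict"])]
        unseen = [r for r in refs if r in objects and r not in path]
        if not unseen:
            break  # dead end: a dictionary with no further references
        cur = unseen[0]
        path.append(cur)
    return path


def triage_embedded_file(pdf: bytes) -> dict:
    """Locate the /EmbeddedFiles chain from the catalog, decode the final
    stream and report whether it carries the MZ executable signature."""
    objects = parse_objects(pdf)
    catalog = next((o for o in objects.values() if b"/Type /Catalog" in o["dict"]), None)
    m = re.search(rb"/EmbeddedFiles\s+(\d+)\s+\d+\s+R", catalog["dict"]) if catalog else None
    if m is None:
        return {"path": [], "magic": "", "is_executable": False, "size": 0}
    path = follow_chain(objects, int(m.group(1)))
    data = objects[path[-1]]["data"] or b""
    return {
        "path": path,
        "magic": " ".join(f"{b:02x}" for b in data[:2]),  # '4d 5a' for MZ
        "is_executable": data.startswith(b"MZ"),
        "size": len(data),
    }


if __name__ == "__main__":
    print(triage_embedded_file(SAMPLE_PDF))
```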

Behavioral analysis

Run the file in a virtualized environment using a 32-bit Windows 7 system.

As you can see in the Process Explorer window, virus.exe created two suspicious processes (zedeogm.exe, cmd.exe) that terminated shortly after starting.

According to Process Monitor, the zedeogm.exe file was saved and appeared among the running processes. It then changed the rule set of Windows Firewall. The next step was to run the WinMail.exe file; after that, the program launched cmd.exe to run the tmpd849fc4d.bat file and stop the process.

Conclusion

The use of digital forensics techniques for the analysis of PDF documents can be essential to avoid interacting with malicious content. Together with other preventive measures, this practice can close one of the main threat vectors today.

Other recommended measures to prevent this threat include:

  • Verify the sender of a spam email
  • Ignore links or attachments in unsolicited emails
  • Keep your antivirus tools always up to date
  • Check for typos, very common in malicious emails

As usual, we remind you that this material was prepared for informational purposes only and should not be taken as a call to action. IICS is not responsible for the misuse that may occur to the information contained herein.

To learn more about information security risks, malware variants, digital forensics, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

How to do digital forensics of a hacked network with TCPDUMP
https://www.securitynewspaper.com/2021/11/06/how-to-do-digital-forensics-of-a-hacked-network-with-tcpdump/
Sat, 06 Nov 2021 16:15:00 +0000

Digital forensics is one of the most important elements of ethical hacking, as it allows researchers to learn as much as possible about a network affected by cybercriminals. This requires tools capable of performing various specific tasks, including the analysis of network packets.

On this occasion, experts from the International Institute of Cyber Security (IICS) will show us tcpdump, a useful tool for capturing and analyzing network packets that lets you see all incoming and outgoing packets on a specific interface, all from the command line.

According to digital forensics experts, this tool is very similar to Wireshark; it also includes additional functions such as storing captured packets for later analysis, which can even be done with other hacking tools. However, right now we’ll just look at tcpdump’s packet capture capabilities.

Before proceeding, we remind you that this article was prepared for informational purposes and should not be taken as a call to action. IICS is not responsible for the misuse that may occur to the information contained herein.

Installation

Many distributions come with the tcpdump command by default, but if your distribution doesn’t have it, you can easily install it from the official repositories. Below is an example for Ubuntu/Debian distributions:

sudo apt install tcpdump

For Fedora, Red Hat, and CentOS, we’ll use the following command:

sudo yum install tcpdump

Once the installation is complete, we can continue.

tcpdump commands

Before moving on to practical examples, digital forensics experts recommend reviewing the syntax and basic options of the tool. The command has the following syntax:

$ tcpdump options -i interface filters

When using the tool, remember to specify the interface to use; otherwise the first interface in the default list is used. The options customize the display and basic functions of the utility, and the filters let you exclude unwanted packets. Now let’s look at the main options:

  • -A: displays all packets in ASCII format
  • -c: exits after capturing the specified number of packets
  • -C: when writing packets to a file, checks the size of the file and, if it is larger than specified, creates a new file
  • -D: displays a list of available network interfaces
  • -e: displays link-level header information for each packet
  • -f: displays the domain name for IP addresses
  • -F: reads packets from a file, not from an interface
  • -G: creates a new log file after a specific period of time
  • -H: detects 802.11s headers
  • -i: the name of the interface to capture packets on; you can capture packets from all interfaces by specifying any
  • -I: switches the interface to monitor mode to capture all passing packets
  • -j: sets the timestamp format for recording packets
  • -J: displays the available timestamp formats
  • -K: does not check packet checksums
  • -l: line-buffers the output (useful when piping it to another program)
  • -L: displays the supported link-layer protocols for the interface
  • -n: does not show domain names
  • -r: reads packets from a file created with -w
  • -v, -vv, -vvv: more detailed output
  • -q: displays minimal information
  • -w: writes output to a file
  • -Z: the user on whose behalf the files will be created

These are not all the options, but they will be enough for now. About filters, digital forensics experts mention that they let you see only the types of packets you want. You can filter by IP address, protocol, network, interface and many other parameters.

Using the tool

Before you move on to using tcpdump, you need to see which network interfaces you can use. To do this, just run the command with the -D option:

$ sudo tcpdump -D

Let’s start with examples of tcpdump capturing traffic on the eth0 interface. The program needs superuser rights to work properly, so don’t forget to specify sudo:

$ sudo tcpdump -i eth0

Press Ctrl + C to stop the command. In the output you will immediately see all the captured packets. Each packet is printed in a format like this:

13:03:41.795599 IP udp032919uds.hawaiiantel.net.6881 > 192.168.1.2.52055: Flags [.], seq 640160396:640161844, ack 436677393, win 2050, options [nop,nop,TS val 3805626438 ecr 4677385], length 1448

First the timestamp is displayed, then the protocol, then the address and port of the sender and those of the recipient, in this case our system. Then the additional TCP parameters appear and, at the end, the packet size in bytes. The verbosity of the output can be controlled with the -v options, for example:

$ sudo tcpdump -v -i eth0

Now there is also information about the IP header:

IP (tos 0x0, ttl 64, id 50309, offset 0, flags [DF], proto TCP (6), length 64)

According to digital forensics experts, here we can find the packet’s time to live (TTL), the TCP version and the length of the header field. The -vv option will also print the contents and, in some cases, verify the checksum of the packet. After the options, you can specify filters for packets. Here are the main parameters by which you can filter:

  • host: host name
  • ip: IP address
  • proto: protocol
  • net: network or subnet address
  • port: port number
  • src: sender-related parameter
  • dst: parameter related to the recipient

The following protocols are available: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.
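As an added example (not from the original article), here is a small Python parser for the line format described above, the kind of quick triage one runs over a saved tcpdump text log. The first sample line is the article’s own; the others are constructed in the same format (a -v line carrying the IP header, a SYN to a web server at the placeholder address 203.0.113.7, and a DNS query), and the hostnames and counters in them are invented.

```python
import re
from collections import Counter

# Sample tcpdump output lines. The first is the one shown in the article; the
# others are constructed in the same format: a -v line (IP header in
# parentheses), a SYN to a web server, and a DNS query over UDP. Hosts and
# addresses in the constructed lines are placeholders.
SAMPLE_LINES = [
    "13:03:41.795599 IP udp032919uds.hawaiiantel.net.6881 > 192.168.1.2.52055: "
    "Flags [.], seq 640160396:640161844, ack 436677393, win 2050, "
    "options [nop,nop,TS val 3805626438 ecr 4677385], length 1448",
    "13:03:41.795812 IP (tos 0x0, ttl 64, id 50309, offset 0, flags [DF], proto TCP (6), length 52) "
    "192.168.1.2.52055 > udp032919uds.hawaiiantel.net.6881: Flags [.], ack 640161844, win 501, "
    "options [nop,nop,TS val 4677390 ecr 3805626438], length 0",
    "13:03:42.101003 IP 192.168.1.2.49876 > 203.0.113.7.80: Flags [S], seq 1186745343, "
    "win 64240, options [mss 1460,sackOK,TS val 4677412 ecr 0,nop,wscale 7], length 0",
    "13:03:42.330450 IP 192.168.1.2.41234 > google-public-dns-a.google.com.53: "
    "23115+ A? example.com. (29)",
]

# timestamp, protocol, optional -v IP header in parentheses, 'src > dst:' and the rest
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>IP6?|ARP)"
    r"(?: \((?P<hdr>.*?, length \d+)\))? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
_HDR_RE = re.compile(
    r"ttl (?P<ttl>\d+), id (?P<id>\d+), .*?proto (?P<l4>\w+) \(\d+\), length (?P<iplen>\d+)"
)
_FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")
_LEN_RE = re.compile(r"length (\d+)$")
_DNS_RE = re.compile(r"^(?P<qid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$")


def split_endpoint(endpoint: str) -> tuple:
    """'host.port' -> ('host', port). The host part itself contains dots
    (IPv4 address or DNS name), so split on the last one. Without -n tcpdump
    may print a service name instead of a number; that is kept as a string."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port) if port.isdigit() else port


def parse_line(line: str):
    """Parse one tcpdump text line into a record, or return None for lines
    that are not packet summaries (such as the 'listening on eth0' banner)."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    rec = {"ts": m["ts"], "proto": m["proto"], "src": src, "sport": sport,
           "dst": dst, "dport": dport, "flags": None, "length": None, "dns_query": None}
    if m["hdr"]:  # fields from the -v IP header: TTL, IP id, layer-4 protocol, total length
        h = _HDR_RE.search(m["hdr"])
        if h:
            rec.update(ttl=int(h["ttl"]), ip_id=int(h["id"]), l4=h["l4"], ip_length=int(h["iplen"]))
    rest = m["rest"]
    f = _FLAGS_RE.search(rest)
    if f:
        rec["flags"] = f["flags"]
    n = _LEN_RE.search(rest)
    if n:
        rec["length"] = int(n.group(1))
    d = _DNS_RE.match(rest)
    if d:  # DNS summaries carry no Flags; the payload size is the trailing (N)
        rec.update(dns_query=f"{d['qtype']} {d['qname']}", length=int(d["len"]))
    return rec


def summarize(lines) -> dict:
    """Quick triage over a saved text log: packets per (src, dst, dport),
    bytes sent per source, ports that received bare SYNs, and DNS queries."""
    records = [r for r in map(parse_line, lines) if r]
    flows, bytes_per_src, syn_ports = Counter(), Counter(), Counter()
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])] += 1
        bytes_per_src[r["src"]] += r["length"] or 0
        if r["flags"] == "S":
            syn_ports[r["dport"]] += 1
    return {
        "parsed": len(records),
        "flows": flows,
        "bytes_per_src": bytes_per_src,
        "syn_to_ports": syn_ports,
        "dns_queries": [r["dns_query"] for r in records if r["dns_query"]],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(key, value)
```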

You can combine all of these with each other to get the desired result. Let’s take a closer look at the examples. Let’s filter only the packets addressed to our system:

$ sudo tcpdump -i eth0 ip dst 192.168.1.2

We can also select packets sent to a specific node:

As you can see, these are DNS packets and, instead of TCP flags, they contain useful information: a request for the host’s IP address. You can also select response packets from a specific host:

$ sudo tcpdump -i eth0 src host google-public-dns-a.google.com

The full contents of the packet are not shown here; if you want them, use the -v or -vv option, digital forensics experts recommend:

$ sudo tcpdump -vv -i eth0 dst host google-public-dns-a.google.com

With the ‘and’ operator, you can combine several filters into one:

$ sudo tcpdump -i eth0 dst host google-public-dns-a.google.com and src host google-public-dns-a.google.com

It is not necessary to specify host; in many cases src or dst is enough and the utility will work out what is meant by itself. Exactly the same construction can be used for ports. For example, we can filter all DNS requests and responses (on port 53), digital forensics experts point out:

$ sudo tcpdump -vv -i eth0 port 53

You can do exactly the same for http (port 80):

$ sudo tcpdump -vv -i eth0 port 80

Naturally, you can also use dst and src here for more specific results. You can filter not just one port but a whole range of ports:

$ sudo tcpdump portrange 21-23

If you specify one of the protocols, only packets of that protocol will be shown, for example tcp, udp or arp:

$ sudo tcpdump -vv arp

You can also select all UDP packets:

$ sudo tcpdump -vv udp

A filter by network designation is also available:

$ sudo tcpdump net 192.168.1.0/24

In addition, you can filter packets by their size, for example smaller than 32 bytes:

$ sudo tcpdump less 32

Larger packets can also be filtered, digital forensics experts noted:

$ sudo tcpdump greater 128

Sometimes it is necessary to save the captured traffic to a file; the -w option is used for this:

$ sudo tcpdump -i eth0 -w file.pcap

This file can be opened with any program that reads such files, for example Wireshark. To read packets saved in a file, use the -r option:

$ sudo tcpdump -r file.pcap

There is one more thing worth paying attention to: the format for displaying packet contents. You can display the contents of a packet in ASCII using the -A option:

$ sudo tcpdump -A -i eth0

You can also display the content in HEX and ASCII; use -XX for this:

$ sudo tcpdump -XX -i eth0

Conclusions

As you can see, this tool can prove to be really useful for various digital forensics tasks. Before using it in real environments, remember to test it in a secure environment or to have the permission of the administrator of the monitored system. Combined with other tools, tcpdump can be one of the best hacking tools at your disposal.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

How to do digital forensics and reverse engineering on windows registries with free REGRIPPER tool
https://www.securitynewspaper.com/2021/10/05/how-to-do-digital-forensics-and-reverse-engineering-on-windows-registries-with-free-regripper-tool/
Tue, 05 Oct 2021 17:05:00 +0000

System log analysis is one of the most useful hacking tasks for researchers and specialists in digital forensics and reverse engineering, so a tool that facilitates this process can be fundamental in an investigation.

This time, digital forensics experts from the International Institute of Cyber Security (IICS) will show you RegRipper, a tool for automatic analysis of the Windows registry, which provides this important information in a simple and convenient format for further investigation tasks. This tool is available on GitHub.

Digital forensics experts describe RegRipper as a set of open-source Perl scripts that work on registry hive files: a command (plugin) is selected, and the data it extracts from the hive is output in text format.

Install RegRipper

To get started, download the file from GitHub, unzip it, and proceed to the menu items shown below. You will need to choose between two execution options: console (rip.exe) and windowed (rr.exe). The first option provides more flexible functions, while the second is the easier option to use.

We need the registry hive files of the operating system. They can be extracted from a non-system (offline) disk simply by copying them.

  • Run the application with rr.exe
  • Open the registry hive (let’s say SOFTWARE in this example)
  • Indicate the output text file (SOFT.TXT)
  • Click the Rip! button

One by one, all the commands relevant to the SOFTWARE hive will start to run (you can find out whether a plugin is suitable or not from its content, digital forensics experts mention).

The output file will contain information for each of the commands. The file obtained will be full of information of interest to researchers, but there are ways to obtain more specific information.

Working with RegRipper console version

This is where the interesting part begins, as we can flexibly configure which plugins to run.

rip -r ..\reg\SOFTWARE -p networklist > networks.txt

The networklist command will run and display a list of networks the system has connected to and their related data:

You can also find the target operating system version with the winver command:

You will be able to find the time of the user’s last login by entering lastloggedon:

To conclude, you can also run all available commands automatically. The required command appears when you open the help options (-h).

As you can see, this is a magnificent tool that will allow you to get a lot of information from the analyzed system. Remember that this material was prepared for informational purposes and should not be taken as a call to action; IICS is not responsible for the misuse that may occur to the information contained herein.

To learn more about information security risks, malware variants, digital forensics, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Top 10 utilities for your Linux server to check if it is hacked and monitoring activities
https://www.securitynewspaper.com/2021/07/09/top-10-utilities-for-your-linux-server-to-check-if-it-is-hacked-and-monitoring-activities/
Fri, 09 Jul 2021 17:07:47 +0000

Users of Linux systems are sometimes not aware of all the tools and functions on the system. Thinking about this situation, digital forensics specialists from the International Institute of Cyber Security (IICS) listed the top 10 Linux commands for system administration, network monitoring, and other tasks.

As usual, we remind you that this material was prepared for informational purposes only, so IICS is not responsible for any misuse of this information.

CCZE

This is a tool that colorizes system logs.

$ apt-get install ccze

Examples:

$ tailf /var/log/syslog | ccze

List of modules:

$ ccze -l

Save the record in HTML format:

$ tailf /var/log/syslog | ccze -h > /home/tux/Desktop/rajneesh.html

DSTAT

According to digital forensics experts, this is a flexible tool that can be used to monitor memory, processes, networks and more. Not a bad replacement for ifstat, iostat, vmstat and similar tools.

$ apt-get install dstat

Detailed information about the processor, hard disk, and network:

$ dstat

Processor information only:

$ dstat -c

CPU, disk and load information, with disk statistics limited to sda1:

$ dstat -cdl -D sda1

Disk information:

$ dstat -d

FINDMNT

Digital forensics specialists use this command to find mounted file systems. The command displays a list of mounted devices and can also follow mount and unmount events.

Examples:

$ findmnt

Output in list format:

$ findmnt -l

Filter by file system type:

$ findmnt -t ext4

NMON

Nmon is a tool that displays information about system performance.

$ sudo apt-get install nmon
$ nmon 

The tool can display information about network, CPU, memory, and disk usage.

Processor Information:

Network information:

NCDU

An ncurses-based version of ‘du’, used to analyze the disk space in use.

$ apt-get install ncdu
$ ncdu /

Final output:

RANWHEN.PY

A useful tool written in Python that can graphically display the system’s activity. The details are represented by colored bar charts.

Install Python:

$ sudo apt-add-repository ppa:fkrull/deadsnakes

Upgrade your system:

$ sudo apt-get update

Download Python:

$ sudo apt-get install python3.2

Download and unzip ranwhen.py:

$ unzip ranwhen-master.zip && cd ranwhen-master

Run the tool:

$ python3.2 ranwhen.py

SS

This is a good substitute for netstat and is even faster in certain circumstances.

Examples:

Output of all connections:

$ ss | less

TCP sockets only:

$ ss -A tcp

Listening TCP sockets with process names and PIDs:

$ ss -ltp

SAIDAR

This is another great utility for system monitoring.

$ sudo apt-get install saidar

Examples:

$ saidar

Colored output:

$ saidar -c

SLURM

According to digital forensics experts, this is a CLI tool designed to monitor network interfaces.

$ apt-get install slurm

Examples:

$ slurm -i <interface>
$ slurm -i eth1

W

This utility lists the logged-on users and the processes they are running.

$ w

Help:

$ w -h

Information about a specific user:

$ w <username>

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

How to easily check if DOC, RTF, XLS, PPT, PPTX or PDF file has a malware without antivirus like a digital forensics expert
https://www.securitynewspaper.com/2021/02/06/how-to-easily-check-if-doc-rtf-xls-ppt-pptx-or-pdf-file-has-a-malware-without-antivirus-like-a-digital-forensics-expert/
Sat, 06 Feb 2021 19:55:00 +0000

In most cyberattack variants threat actors use legitimate-looking documents loaded with malware, which is why researchers often say it all starts with a Word file, a PowerPoint presentation, an Excel spreadsheet, or even a book downloaded from a free PDF website.

This time, digital forensics experts from the International Institute of Cyber Security (IICS) will show you a simple method to manually verify any suspicious document and check whether it is loaded with malware.

Broadly speaking, all file analysis techniques include the following elements:

  • Check the document for dangerous tags and scripts
  • Detect embedded code such as shellcode, VBA macros, JavaScript, PowerShell and more
  • Extract the suspicious code or object from the file
  • If possible, deobfuscate the extracted code (although, with a very high degree of probability, obfuscated code is harmful)

Tools for analyzing Microsoft Office files

Oletools: This is a powerful Python toolkit for analyzing Microsoft OLE2 files, primarily Microsoft Office documents such as Word or PowerPoint files, digital forensics experts mention.

For installation on Linux, simply run the following command:

sudo -H pip install -U oletools

On the other hand, if you want to install the tool on Windows systems, you must use the following command:

pip install -U oletools

In this package you can find many other tools, including:

PCODEDMP: This is a disassembler for VBA p-code, the compiled bytecode form of a document’s macros. Digital forensics experts mention that this tool requires oletools to function properly.

PDF analysis tools

PDF Stream Dumper: This is a Windows GUI utility for PDF analysis very popular among the cybersecurity specialists community.

PDF-parser: Using this tool allows digital forensic experts to extract individual elements from a PDF file, such as headers, links, and more, for detailed analysis.

PDFID: PDFID lists all objects in the scanned PDF file.

PEEPDF: This is a pretty powerful analysis framework that includes shellcode search, JavaScript analysis and more. PEEPDF is included by default in Kali Linux.

PDFxray: This tool provides most of the necessary utilities as separate Python scripts, but requires many dependencies, digital forensics experts mention.

What should we look for when analyzing a PDF document?

First, digital forensic specialists recommend looking for the following parameters:

  • /OpenAction and /AA, as they can run scripts automatically
  • /JavaScript and /JS, which run JavaScript
  • /GoTo, since this action changes the visible page of the file and can automatically open and redirect to other PDF files
  • /Launch is able to start a program or open a document
  • /SubmitForm and /GoToR can send data to a URL
  • /RichMedia can be used to embed Flash
  • /ObjStm can hide objects

It is rare to find clean, unobfuscated code in malicious PDF files. The simplest kinds of obfuscation are hex escapes inside names, where /J#61vaScript is exactly the same name as /JavaScript because #61 is the hex code of the letter a, so a naive text search for /JavaScript misses it, and backslash line continuations inside string literals, which a PDF reader silently joins back together:

(Ja\
vascr\
ipt)

Both tricks are defeated by normalizing the file (resolving #xx escapes in names and removing backslash-newline pairs) before counting keywords; pdfid does the first of these for you and reports obfuscated occurrences in parentheses next to the plain count.

Security test

In this step, we will use a malicious document that exploits CVE-2017-11882, the memory corruption flaw in the Office Equation Editor.

Let’s review the VBA scripts:

olevba exploit.doc

olevba immediately dumps the extracted VBA source, which can run to hundreds of lines, and finishes with a summary table of suspicious keywords (auto-executing macros, Shell or CreateObject calls, URLs, hex and Base64 strings) that tells you what the macro does. The next test is to analyze a PDF file with PDFID to count the suspicious keywords it contains.

As shown below, the PDF file contains /ObjStm objects. Because object streams can hide other objects (and keywords) inside compressed data, the counts are not complete until they are expanded: we extract these objects with pdf-parser and examine them separately, without ever opening the file in a reader.
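The following Python script is an added example, not code from this article or from the pdfid and pdf-parser projects: it applies the keyword checks from the previous section to a constructed sample PDF, normalizing the two obfuscation tricks described above (hex escapes in names and backslash line continuations in strings) before counting, and then turns the counts into a short triage verdict. The sample PDF bytes, the function names and the verdict wording are this example's own.

```python
import re

# Keywords that pdfid counts and that the article lists as worth checking.
SUSPICIOUS = [
    b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/GoTo", b"/GoToR",
    b"/Launch", b"/SubmitForm", b"/URI", b"/RichMedia", b"/ObjStm", b"/EmbeddedFile",
]

# A PDF name runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]*")
NAME_END = rb"(?![^\s/\[\]<>(){}%])"        # keyword must not continue as a longer name
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
CONTINUATION_RE = re.compile(rb"\\\r?\n")   # backslash at end of line inside a string


def join_continuations(data: bytes) -> bytes:
    """Remove backslash-newline pairs, as a PDF reader does inside literal strings."""
    return CONTINUATION_RE.sub(b"", data)


def unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside names so that /J#61vaScript reads as /JavaScript."""
    def fix(match):
        return HEX_ESCAPE_RE.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return NAME_RE.sub(fix, data)


def triage(data: bytes) -> dict:
    """Count suspicious keywords after normalization and record the evasions seen."""
    raw_names = NAME_RE.findall(data)
    normalized = unescape_names(join_continuations(data))
    counts = {
        kw.decode(): len(re.findall(re.escape(kw) + NAME_END, normalized))
        for kw in SUSPICIOUS
    }
    return {
        "counts": counts,
        "hex_escaped_names": [n.decode("latin-1") for n in raw_names if b"#" in n],
        "string_continuations": len(CONTINUATION_RE.findall(data)),
    }


def verdict(report: dict) -> list:
    """Turn raw counts into the findings an analyst would write down."""
    c = report["counts"]
    findings = []
    has_js = c["/JavaScript"] + c["/JS"] > 0
    auto_run = c["/OpenAction"] + c["/AA"] > 0
    if has_js and auto_run:
        findings.append("JavaScript wired to an auto-run action (/OpenAction or /AA)")
    elif has_js:
        findings.append("embedded JavaScript")
    if c["/Launch"]:
        findings.append("/Launch action: can start an external program")
    if c["/SubmitForm"] + c["/URI"] + c["/GoToR"]:
        findings.append("actions that reach out to URLs or other files")
    if c["/EmbeddedFile"] + c["/RichMedia"]:
        findings.append("embedded file or Flash content")
    if report["hex_escaped_names"]:
        findings.append("hex-escaped names (%s): evasion of naive keyword scans"
                        % ", ".join(report["hex_escaped_names"]))
    if report["string_continuations"]:
        findings.append("backslash line continuations inside strings (split keywords)")
    if c["/ObjStm"]:
        findings.append("object streams present: counts are incomplete until they are "
                        "expanded with pdf-parser")
    return findings


# Constructed sample, not a real malware file: a one-page PDF whose /OpenAction and
# page /AA both point at a JavaScript action with an obfuscated /JavaScript name and
# a string split by backslash line continuations.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /S /J#61vaScript /JS (app.al\\
ert\\
("pwned")) >> endobj
5 0 obj << /Type /ObjStm /N 1 /First 4 /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for keyword, n in report["counts"].items():
        if n:
            print("%-14s %d" % (keyword, n))
    for line in verdict(report):
        print("-", line)
```

Run it as a script to see the counts for the sample; to triage a real file, pass open(path, "rb").read() to triage(). Like pdfid, this only counts keywords, so a /ObjStm hit means the file must be expanded with pdf-parser before the counts can be trusted.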

To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Cyber Security Institute (IICS) website.

The post How to easily check if DOC, RTF, XLS, PPT, PPTX or PDF file has a malware without antivirus like a digital forensics expert appeared first on Information Security Newspaper | Hacking News.

How to hack a computer with a picture? Taking control of scammers’ devices with jpeg file
https://www.securitynewspaper.com/2021/02/04/how-to-hack-a-computer-with-a-picture-taking-control-of-scammers-devices-with-jpeg-file/
Thu, 04 Feb 2021 22:31:45 +0000

The post How to hack a computer with a picture? Taking control of scammers’ devices with jpeg file appeared first on Information Security Newspaper | Hacking News.

Hacking groups are always looking for new attack variants, many of which could be unknown to unsuspecting users and even experienced system administrators.

This time, digital forensics experts from the International Institute of Cyber Security (IICS) will show you a method to access a computer remotely using FakeImageExploiter, a tool to embed payloads in image files.

[Image: fakeimage01.jpg]

This tool takes an existing image (image.jpg) and a payload (payload.exe) and builds a new agent, agent.jpg.exe, which, when launched, downloads those two files from an apache2 web server (the .jpg and the payload .exe) and runs them. The module also swaps the agent’s icon for the standard .jpg icon and relies on the Windows ‘Hide extensions for known file types’ setting to hide the trailing .exe, so the user sees only agent.jpg.

Using the tool

FakeImageExploiter stores all files under apache2, builds the agent, starts the apache2 and Metasploit services and prints a URL to send to the target, digital forensic experts mention. As soon as the user runs the file, the image opens in the default image viewer while the payload executes in the background, and an active meterpreter session is started.

The tool also stores the agent in the FakeImageExploiter/output folder in case the user wants to use agent.jpg.exe in another attack variant. In addition, FakeImageExploiter also creates a cleaner.rc file to remove any remaining payloads on the target host.

The tool is compatible with distributions such as Linux Ubuntu, Kali, Mint and Parrot OS.

Dependencies

  • xterm, zenity, apache2, mingw32 (or mingw64), ResourceHacker
  • ResourceHacker.exe is installed automatically under ../.wine/Program Files/…

Installation

To complete the installation, run the following commands:

git clone https://github.com/r00t3xp10it/FakeImageExploiter
cd FakeImageExploiter
chmod +x FakeImageExploiter.sh

[Image: fakeimage02.jpg]

Run the following commands:

> ./FakeImageExploiter.sh

Before you begin, you need:

  • A payload, generated with whatever tool you have available (Veil-Evasion, Metasploit, Venom; these are not necessarily the most evasive options, but they are enough for testing)
  • Any image in .jpg format

To test, we’ll generate the payload with Veil-Evasion, using the following payload module:

python/meterpreter/rev_https
[Image: fakeimage03.jpg]

Everything is ready to build the final file:

[Image: fakeimage04.jpg]

Now we launch FakeImageExploiter to combine the two files into one:

> ./FakeImageExploiter.sh
[Image: fakeimage05.jpg]

Click OK and choose Windows 7. For the program to work properly, ResourceHacker is required; if it is not installed, the script installs it by itself:

[Image: fakeimage06.jpg]

When everything is ready, we launch the framework:

[Image: fakeimage07.jpg]

Once the services are up, the tool asks you to select the payload first and then the image. To use a payload in .exe format, you must change the following setting in the configuration file:

[Image: fakeimage08.jpg]

to:

[Image: fakeimage09.jpg]

Following the prompts, the tool builds the file and prints a link to it on the web server:

[Image: fakeimage10.jpg]

Now we need to share the link with our target host:

[Image: fakeimage11.jpg]

Download the file:

[Image: fakeimage12.jpg]

The target extracts and opens the file, and the image is displayed:

[Image: fakeimage13.jpg]

An active meterpreter session will then open:

[Image: fakeimage14.jpg]

The payload process is also visible in Task Manager:

[Image: fakeimage15.jpg]
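The attack above works because the user sees agent.jpg where the file is really agent.jpg.exe, and because the icon lies about the content. On the defensive side, the following Python script is an added example (not part of FakeImageExploiter or of the original article) that flags the three tricks such lures rely on: a double extension that Explorer would hide, a PE header behind an image-looking name, and a right-to-left override character in the name. The file names and header bytes are constructed for the example, and the list of extensions Explorer hides is deliberately limited to the ones involved here.

```python
import os

# Leading bytes ("magic") of the formats involved: a real JPEG starts with FF D8 FF,
# a Windows executable starts with the "MZ" DOS header.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pe": (b"MZ",),
}
EXT_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
RTLO = "\u202e"   # Unicode right-to-left override, used to reverse the visible suffix


def sniff(data: bytes) -> str:
    """Identify content by magic bytes, ignoring the file name entirely."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return "unknown"


def extensions(filename: str) -> list:
    """All dot-suffixes of the base name, lower-cased: 'agent.JPG.exe' -> ['.jpg', '.exe']."""
    base = os.path.basename(filename)
    return ["." + part for part in base.lower().split(".")[1:]]


def explorer_display_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' enabled:
    the last known extension is dropped, so agent.jpg.exe is displayed as agent.jpg."""
    exts = extensions(filename)
    if exts and (exts[-1] in EXEC_EXTS or exts[-1] in EXT_KIND):
        return filename[: -len(exts[-1])]
    return filename


def scan(filename: str, data: bytes) -> list:
    """Return the reasons a file looks like a disguised executable (empty if none)."""
    reasons = []
    exts = extensions(filename)
    kind = sniff(data[:16])
    if len(exts) >= 2 and exts[-2] in EXT_KIND and exts[-1] in EXEC_EXTS:
        reasons.append("double extension: shown to the user as %s" % explorer_display_name(filename))
    if exts and exts[-1] in EXT_KIND and kind != EXT_KIND[exts[-1]]:
        reasons.append("content is %s, not %s" % (kind, EXT_KIND[exts[-1]]))
    if RTLO in filename:
        reasons.append("right-to-left override (U+202E) in the file name")
    return reasons


def scan_directory(root: str) -> dict:
    """Walk a directory (e.g. a Downloads folder) and map each suspicious path to its reasons."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                continue
            hits = scan(name, head)
            if hits:
                findings[path] = hits
    return findings


# Constructed samples, not real files: a stub PE header and a real JPEG/JFIF header.
SAMPLES = {
    "agent.jpg.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "holiday.jpg": b"MZ\x90\x00",
    "invoice" + RTLO + "gpj.exe": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(repr(name), "->", scan(name, head) or "clean")
```

scan_directory() is the piece you would point at a user’s Downloads folder; it reads only the first 16 bytes of each file, which is all the magic-byte check needs.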

Remember that this material was made for teaching purposes. IICS digital forensics experts are not responsible for any misuse that may be given to these tools.

PROBIV: The most famous Russian black market to find job or buy illegal things
https://www.securitynewspaper.com/2021/01/30/probiv-the-most-famous-russian-black-market-to-find-job-or-buy-illegal-things/
Sat, 30 Jan 2021 19:28:23 +0000

The post PROBIV: The most famous Russian black market to find job or buy illegal things appeared first on Information Security Newspaper | Hacking News.

Currently, an illegal marketplace that can solve many problems for cyber criminals and affect everyone else exists, as mentioned by digital forensics specialists from the International Institute of Cyber Security (IICS).

This marketplace, called Probiv, lets a criminal buy the information needed to rob an entire company, or lets a jealous husband get access to his wife’s cell phone, her real-time location and everything in her WhatsApp account.

Think of this marketplace as a combination of Amazon and Fiverr: a site with an established reputation that anyone can access to obtain information, products or gigs at a very affordable price.

Amazon and Fiverr, as you probably know, are two very famous marketplaces in today’s digital world. The former is known for offering a wide variety of items for sale, usually organized in categories; Amazon is where we go when we want to buy something that arrives at our doorstep with just a few clicks. Fiverr, on the other hand, is where people turn when looking for a fast and cheap service or gig, as digital forensics specialists mention. The gigs offered on Fiverr start at only $5.

Probiv is a combination of both these sites but with all kinds of services or information for sale, with absolutely no restrictions.

You can easily think that Probiv is only for experienced cybercriminals; however, this is not the case. This platform is used by many people, from beginner users to the most common people you can imagine, mainly because it is not in the deep web.

This platform was born in 2014, as a response to a demand of highly specialized sales, information, products and services that are often illegal. 

Probiv, which in Russian is a slang term for “lookup”, is a platform that currently hosts millions of posts and hundreds of thousands of members. When it started, it was only a cybercriminal forum dedicated to the sale of specialized information. Today it has not only grown in offers and categories for sale, but is available to almost anyone interested in joining, which is why its popularity has grown exponentially and keeps on growing.

In Probiv you can find products or services listed at different prices. Services that could affect you or your company.

Its sales are basically divided into two categories. There is information or services offerings and product offerings, including products obtained in illegal ways.

Data or Service Offering

Digital forensics specialists mention that data offering on this platform offers up-to-date information that comes directly from the employees or former employees of an organization or company.

Here, prices vary depending on the sensitivity of the information requested and the risk it implies for the provider, but generally they are not that high. In Probiv, information is sold at prices that start at only $10 per piece of data. Buyers and sellers usually communicate through private messages within the forum, through Jabber IDs or through Telegram accounts.

Bank Services

There are cases in which people simply cannot open a bank account because they do not have all the required documents. There are people living illegally in a country or running from the law; however, through this platform they can have a normal bank account, like everyone else. This is possible because at Probiv, service vendors offer to open bank accounts for a fee. They obtain them with documents from other registered citizens or with the help of bank employees who do not mind slipping these accounts in order to obtain an extra income.

Within these services, there are also bank employees willing to sell customer data such as balances, withdrawals, payments and account statements, digital forensics specialists stated. Additionally, they offer to run illegal checks on the banking history of a person or company.

Furthermore, if someone is applying for a loan but the bank has rejected it, sellers on Probiv see to it that it is approved. They do this with the help of bank employees, using a verifiable address from the country required.

Another type of information sold within these services is credit card data. The illegal sale of leaked credit card data may not be anything new; however, unlike other illegal forums on the deep web, the information sold in Probiv does not come from data leaks or from banks that suffered a cyberattack, but is obtained directly by bank employees or former employees, which makes it completely up to date.

Telecommunications Services

In this platform, there is also a wide variety of telecommunications service vendors. These are vendors with access to data from cell phone companies. Among the services they offer are providing call details, SMS records and the location of a targeted cell phone number. They obtain these from the client’s records of the companies they work for. Unfortunately, most of the buyers of these services are jealous spouses who want details of the calls and the real-time location of their husbands or wives.

Another service offered here is to get you a SIM card from any country without an official ID.

Some sellers in this section even offer to make ransom calls or fake calls for whatever purpose needed. The criminal who buys this service only has to specify the call he needs and a platform provider does it for a fee.

Just a few years ago, two support employees of a famous telecom company were convicted for photographing data on their phones and sending it to their customers they met within this marketplace.

Government agencies services

In many cases, people who work in government departments do not earn a high salary; however, the digital forensics specialists mention they do earn access to a great deal of important information.

For example, a very popular service in this marketplace comes from the Taxes department. Probiv sellers offer tax evasion services, which means they can modify your tax details in the system so that you don’t have to pay taxes anymore. They also sell details about companies and important people, mainly to competitors interested. Of course, these services are more expensive than others. As if that weren’t enough, some employees in these departments even offer financial secrets of companies for sale.

Another service is clearing criminal records

The HR department of a company will usually ask you for a criminal background check when you apply for a new job. At Probiv, vendors take care of erasing criminal records. There are even corrupt police officers who offer their services on this platform. In addition, some government employees offer their help in solving legal problems within a government department.

Other government vendors offer information from passport departments, personal information that can be found on driver’s licenses, real estate purchase records, etc. Digital forensics specialists mention that there are even advertisements on how to get free electricity. Apparently there are vendors willing to give courses on how to modify electricity meters.

Insider trading

At Probiv, business secrets are also for sale. This is because there are many companies interested in the secrets of their competitors, information such as what are their products under development, their new marketing strategies or even information about personal scandals that involve a company owner and that could affect the stock prices. This last piece of information can be used to buy or sell stocks before everyone knows it, thus obtaining great monetary benefits, as told by digital forensics specialists.

Independent services

There are also vendors on this marketplace who offer online votes, for example to win a popularity contest on a social network. Another service that many people would be interested in is help passing online tests or telephone interviews: at Probiv, a vendor can sit the exam or interview you have to take over the phone or online on your behalf, getting you the job or career of your dreams.

Product Offering

Product offering here is very similar to other illegal forums but accessible to anyone interested. Of course, prices will vary depending on the product, from hundreds to thousands of dollars. These products are mainly offered by employees working in specific companies or even at government departments.

Identification documents and illegal money exchange

This section includes the sale of passports, driver’s licenses and university degrees from different countries. They offer a wide variety of degrees, from bachelor’s to master’s degrees, as mentioned by digital forensics specialists. These have been purchased from employees working at different universities in many countries.

Recommendation letters

There are also vendors offering recommendation letters you can use to apply for a new job or in the process of entering a new school. Generally, sellers are insiders, working in different companies, who can give you a letter of recommendation with the original format of their company or institution.

Airline tickets and hotels reservations

There are many sellers of air tickets and hotel reservations at very low prices. These are regularly purchased using stolen mileage accounts or by taking advantage of vulnerabilities in booking sites. 

Medical devices and Supplements

In Probiv, you can also find access to illegal medicines, medical devices and health supplements for sale. Most of the vendors offering them are government hospital employees.

Additionally, stolen phones, supermarket products, clothing, computers, designer products and imitations are also sold.

Who provides all these services?

In this illegal marketplace, there are even job offers advertised. At Probiv they have an attractive job offer list that is meant for people looking for a second job, people who already have positions in banks, telecommunications companies, pharmaceutical companies and government departments such as immigration, etc. The typical person who would take a job offer in this marketplace is a young man or woman, working in a low position but in an important department or company, regularly with a low income and looking for an additional part-time job.

Those who have been caught selling illegal information in this type of marketplaces have been sales assistants, managers, employees of cell phone companies or banks, with easily available data, digital forensics experts mention.

Due to the nature of their work and the services being sold, they do not handle a large number of requests at once, which keeps them relatively safe. After all, the entire existence and process of Probiv is based on employees willing to risk their positions within an organization or company.

Payments

Payments at Probiv are generally made through escrows. According to digital forensics specialists, these are third-party intermediaries, who receive and disburse the money for the parties that carry out the transaction.

The deal regularly works this way, after a sale, service or job has been agreed upon, the buyer sends their funds to the neutral third party known as an escrow. Then, after the buyer has confirmed that the information, product or work received from the seller is what was agreed upon, the custodian delivers the money to the seller. The escrow also charges a percentage for the services rendered. This payment system helps to create guarantees and reduce the chances of a scam.

Now, knowing that this marketplace exists and that some employees of the companies we work with and buy services from cannot be trusted, we must be very careful about protecting our data. We must also never take part in these sales systems. We should never, under any circumstances, use services or products offered in illegal forums or marketplaces like this, even if they are available to anyone, as there is always the possibility of getting into serious trouble.

Furthermore, we must demand the closure of these types of marketplaces to prevent the sale of illegal information or services that can affect us all.

2,000 law enforcement agencies use these ten tools to unlock smartphones without password
https://www.securitynewspaper.com/2020/10/22/2000-law-enforcement-agencies-use-these-ten-tools-to-unlock-smartphones-without-password/
Thu, 22 Oct 2020 20:50:35 +0000

The post 2,000 law enforcement agencies use these ten tools to unlock smartphones without password appeared first on Information Security Newspaper | Hacking News.

Investigative agencies in multiple countries around the world use the data on mobile devices, mainly smartphones, as one of their main sources of information. For this, agencies resort to mobile device forensic tools (MDFTs), technology capable of extracting all the information contained in a device, which greatly facilitates law enforcement work.

Although not a widely known phenomenon, it is a fact that law enforcement in the U.S. and other countries has widely adopted the use of MDFT for their entire justice system. Upturn information security specialists have conducted a thorough investigation, documenting the use of these tools by more than 2,000 law enforcement agencies, resulting in hundreds of thousands of information extractions made over the past 5 years.

A worrying fact is that this technology is not only used in cases involving serious crimes: any American citizen arrested for a misdemeanor (petty theft, drug possession, public intoxication, among others) may be subject to this severe scrutiny, not to mention that the practice is applied in the same contexts where racial disparities and police brutality are already a concern.

Because today almost 90% of people in the U.S. own a smartphone, this can also be seen as a harmful extension of the powers attributed to law enforcement: “Mobile devices have become the most important source of investigation for U.S. law enforcement agencies, even when it comes to citizens who do not face legal processes” , the experts mention. 

The main problem is that MDFTs place too much power in the hands of investigative agencies, so their use should not be left solely to those agencies’ discretion; multiple groups of researchers, human rights defenders and political groups therefore propose measures to set specific limits on their use.

While these measures alone would not solve all the questions posed by the use of MDFT, experts believe that it is necessary to take the first steps towards the complete regulation of these tools, as well as to inform citizens in a concrete way about the real capabilities that these investigations may have on their lives.

How Russian Are Hacking Skyscanner, Expedia, booking.com & trivago to get Cheap Deals
https://www.securitynewspaper.com/2020/10/08/5-underground-travel-agencies-in-deep-web/
Thu, 08 Oct 2020 16:31:00 +0000

The post How Russian Are Hacking Skyscanner, Expedia, booking.com & trivago to get Cheap Deals appeared first on Information Security Newspaper | Hacking News.

Airlines and hotel chains are attractive targets for cybercriminals, as they can earn great rewards by attacking these platforms, not forgetting that some of these platforms have their own vulnerability rewards program, digital forensics experts mention. 

These companies handle a wealth of personal and financial information on millions of people, as well as travel histories, reward program memberships and more. Many have been attacked by these criminals, including British Airways, EasyJet, Travelex and Marriott. With this information in hand, threat actors act as travel agents on deep web forums, selling airline tickets, hotel reservations and car rentals, and even organizing weddings in high-demand tourist destinations, all at an extremely low cost.

In a certain way, these black market travel agencies are helping many travelers, including cybercriminals, save up to 70% of what they would have paid at a conventional travel agency. 

In these illegal forums it is possible to find many underground travel agencies where great deals are offered for travel; however, there are always some that stand out for having thousands of customers around the world and having made millions selling airline tickets and hotel reservations illegally. These travel agencies are a paradise of offers for any traveler and among them stand out the following.

PATRIARH OR “THE PATRIARCH”

Service news (channel description)
https://t.me/patriarhservice

This is a very popular service within Russian criminal forums. In it you can make all kinds of reservations and within their ads they claim that they can get prices even 50% lower than those offered by companies like Booking.com, as mentioned by digital forensics experts.

Threads on these clandestine forums are full of feedback from satisfied customers who praise the service. In the same forums, customers post vacation photos, often with a handwritten thank-you note, taken in a first-class airplane seat or in a five-star hotel. These photos serve as proof that the service actually works.

Prices vary and obviously depend on what you want to buy; however, as in every black, clandestine and illegal market, anonymity is crucial, so their preferred payment method is Bitcoin and other cryptocurrencies.

SERGIK00

Sergik00 is another clandestine forum that functions as a deep web travel agency. Unlike the previous entry on the list, this platform also offers car rental, excursions and even VIP weddings at ridiculously low prices. As if that weren’t enough, its team also obtains and sells any illegal or fake documents you may need to travel to another country, including passports and altered documents.

Photo reviews of the service from @sergik00 (flights, hotels, deposits, car rental, excursions and much more) (channel description)
https://t.me/sergik00_promo

Like Patriarh, this forum is full of testimonials from satisfied customers, who post photos from luxurious hotel rooms, airplanes, swimming pools, beaches and other tourist destinations. One curious thing about this platform is that the team behind Sergik00 even boasts of having served famous influencers. Its main base of operations is Telegram, although its deep web sites always show great activity.

BANTIK TRAVEL

Welcome to the channel, where almost all bookings go for 25% of the price! If you want to buy, message @batniksales (channel description)
https://t.me/batniksales1

Bantik Travel is a black market travel agency that works differently from Patriarh and Sergik00. What they do is ask interested buyers to provide details of the trip they are looking to book with examples of Expedia or any other site that sells airline tickets and hotel reservations indirectly. Once customers provide that information, the operators of this platform are responsible for creating a custom list so that the customer decides what they prefer to buy.

Like Patriarh and Sergik00, these vendors operate on Telegram as well as on conventional platforms.

MOON WELL TRAVEL & MOONBEAM TRAVEL

In their ads, these platforms claim to be a team of professionals dedicated to providing customers with convenient and comfortable stays. Their services include the sale of coupons for prepaid services, and they promise that if the specific hotel the user wants cannot be booked, they will provide an equivalent or better hotel at no extra cost. At the moment, their payment method is restricted to the Monero cryptocurrency.

Now that we know of the existence of these clandestine travel agencies, it is also important to understand where they get the hotel reservations and air tickets they offer for sale. According to digital forensics experts, there are currently several methods, some of which we will review below.

AIRLINE ACCOUNTS

In these forums that function as underground markets we can also find stolen airline accounts for sale. These tend to be sold at auction and in bulk, which is no surprise, as conventional credit cards have been sold on underground forums and black markets for years.

GIFT CARDS

Another way cybercriminals and travel agents exploit the airline industry is by purchasing certificates and gift cards with massive discounts that reach up to 50% of the original value. Additionally, in order to generate higher profits, these gift cards are usually purchased with airline points from stolen accounts.

Redeeming points from stolen accounts to buy gift cards is an easy way for cybercriminals to earn money fast. Gift cards can also be purchased directly with stolen frequent flyer points or may even have been stolen directly, including their security codes and everything you need to use them instantly.

INDIRECT BOOKING SITES

In these illegal markets, in addition to directly attacking airlines and hotel chains, cybercriminals exploit booking search engine companies. Some users even share exploit methods for sites like Expedia or Kayak, where they take advantage of vulnerabilities on their sites.

Although this is a profitable business for criminals, some of them like to claim that they attack third-party booking companies on moral grounds: because those companies take advantage of customers by not offering any kind of refund, the criminals do the same to them. It is certainly an easy way to sell something obtained at no cost.

Protect your airline accounts and loyalty programs with hotels

Just imagine that one of these hackers steals your miles or your hard-earned traveler points. To keep this from happening to you, follow the tips presented below by the International Institute of Cyber Security (IICS):

  • Always use strong passwords, and enable two-factor authentication wherever it is available
  • Stay alert to phishing: even if an email looks like it comes from your airline, if it asks for personal information about your account, contact the airline directly through a channel you already know
  • Don’t expose your frequent flyer number: boarding passes and hotel bills usually have the loyalty account number printed on them, so shred these documents at the end of the trip, and never share photos of your boarding passes on social media
  • Stay on top of your rewards or points accounts: it is easy to forget about loyalty accounts until we finally want to use the points. To prevent theft, check them from time to time, and keep an eye on news about data leaks at the companies involved

Implementing these measures can significantly reduce the risk of compromising your traveler information.

CAPA, Fireye’s open source tool to analysis malware capabilities & functioning
https://www.securitynewspaper.com/2020/07/20/capa-fireyes-open-source-tool-to-analysis-malware-capabilities-functioning/
Mon, 20 Jul 2020 23:10:58 +0000

The post CAPA, Fireye’s open source tool to analysis malware capabilities & functioning appeared first on Information Security Newspaper | Hacking News.

Cybersecurity firm FireEye has launched a new open source tool called CAPA, which provides users with a framework dedicated to analyzing potentially malicious programs, as mentioned by malware reverse engineering specialists.

By using CAPA, researchers will be able to encode, recognize, and share information about the behavior of multiple malware variants, forming one of the largest databases of reverse engineering information, which will help predict the functions of previously unidentified malware variants. Below we will discuss some of the most important aspects of CAPA, which is now available to interested users.


Even though any forensic investigator can quickly get a general idea of how a file works, there are details that escape even an expert’s notice. Knowing whether a program is malicious, understanding how it behaves during an attack, or determining the developers’ intentions requires deeper malware reverse engineering skills.

While less specialized analysts struggle at this point of an investigation, a malware expert can triage an unknown binary in no time, quickly producing clues about the variant under analysis, which is critical for guiding the research successfully. Unfortunately, traditional analysis tools (string viewers such as FLOSS) have several limitations, forcing users to obtain that information by other methods.

It is worth remembering that malware analysis is a complex task: the most important elements of an unidentified variant are often hidden within a binary that may contain thousands of functions, and malware reverse engineering evolves constantly, so the learning curve is steep. Researchers therefore need to accumulate knowledge across multiple levels and concepts, including the internal components of an operating system.

This should not discourage those interested in malware analysis, as with sufficient study and practice it is possible to recognize the most important and least obvious capabilities of a malicious program from repetitive patterns of API calls, strings and other elements. By using CAPA, experts can automate the collection of this research-relevant information, reducing their workload significantly.

CAPA provides users with a unique but adaptable method for encoding knowledge about malware variants, in order to make it available to the cybersecurity community. When run, the tool recognizes features and patterns just as the best malware analysts would, which is critical for further investigation.

An example of this can be seen when CAPA recognizes that the scanned software has the capability to communicate over unencrypted HTTP; for the analyst, this finding is a pointer to look for corroborating evidence in proxy logs or other network traces.

CAPA’s developers believe that the cybersecurity community needs tools like this to make significant progress against the most sophisticated malware variants. Regardless of the user’s level of research experience, CAPA encodes more than a decade of knowledge about the capabilities of the most dangerous programs created by hackers, helping to counter the most threatening cybercriminal practices. CAPA is available at the following link.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.

21 BEST FREE DIGITAL FORENSIC INVESTIGATION TOOLS https://www.securitynewspaper.com/2020/06/04/21-best-free-digital-forensic-investigation-tools/ Thu, 04 Jun 2020 16:21:00 +0000 https://www.securitynewspaper.com/?p=20052

The post 21 BEST FREE DIGITAL FORENSIC INVESTIGATION TOOLS appeared first on Information Security Newspaper | Hacking News.

As you might know, a data breach happens almost every day. Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence from various types of storage media.

Forensics has evolved over decades through various branches of forensic science, and it has become a very important part of law enforcement all around the world. To fight cybercrime and protect digital assets on the Internet, forensics is definitely essential.

Digital Forensic tools help investigators extract those crucial pieces of evidence from electronic devices so they can be presented to the authorities. 

So, when doing a forensic investigation, for whatever purpose, you need to use the right tools.

Here you will find 21 forensic investigator tools that are totally available for free.

1- Autopsy

Autopsy is a graphical interface to The Sleuth Kit that gives you access to many of the open source programs and plugins used in it.

It is actually used by law enforcement, the military, and corporate investigators when they want to find out what happened on a computer. But you can even use it to recover photos from a memory card.

2- Magnet Encrypted Disk Detector

Magnet Encrypted Disk Detector is a command-line tool that quickly and non-intrusively checks for encrypted volumes on a computer system.

This is a very useful tool during incident response, because what Encrypted Disk Detector does is check the local physical drives on a system for encrypted volumes. 

And of course, you don’t have to pay anything to use it, because it is totally free.

3- Wireshark

Wireshark is an open source network packet capture and analysis tool that lets you see what is happening on your network at a microscopic level.

It is also used across many commercial and non-profit enterprises, government agencies, and educational institutions, and it can be handy when investigating network-related incidents, network troubleshooting, analysis, software and communications protocol development, or simply for education. 

It is also totally free, and it exists thanks to the volunteer contributions of networking experts around the globe.

4- Magnet RAM Capture

Magnet RAM Capture is a tool from Magnet Forensics and is designed to capture the physical memory of a suspect’s computer. 

This allows you, during an investigation, to recover and analyze valuable data that is only found in memory.

It also lets you export the captured memory in raw format so it can easily be loaded into other analysis tools. And it is also a free tool.

5- Network Miner

NetworkMiner is a network forensic analyzer that can be used to detect operating systems, hostnames, sessions, and open ports through live packet sniffing or by parsing a PCAP file.

Companies and organizations all over the world, including incident response teams and law enforcement, use it today, and its free version costs nothing at all.
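As an added example of the passive session and open-port reconstruction that NetworkMiner and Wireshark perform from a capture file, here is my own minimal pcap reader (not code from either project). It builds a constructed two-packet capture (a TCP SYN and its SYN/ACK; the addresses are a private range and RFC 5737 documentation space), parses the legacy pcap container and the Ethernet/IPv4/TCP headers, and reports the hosts seen, the sessions between them, and the ports that answered with SYN/ACK, which is how a passive tool infers an open port without ever sending a packet.

```python
"""Minimal legacy-pcap reader that reconstructs TCP sessions and open ports (illustrative)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ipv4_tcp_frame(src, dst, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame with zeroed checksums (enough for a parser demo)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    return eth + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: 10.0.0.5 connects to 192.0.2.10:443 and gets a SYN/ACK back."""
    frames = [
        _ipv4_tcp_frame((10, 0, 0, 5), (192, 0, 2, 10), 51000, 443, TCP_SYN),
        _ipv4_tcp_frame((192, 0, 2, 10), (10, 0, 0, 5), 443, 51000, TCP_SYN | TCP_ACK),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record in a legacy pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (only little-endian legacy pcap handled here)")
    (linktype,) = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def decode_tcp(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, dst, sport, dport, tcp[13]


def summarize(pcap_bytes: bytes) -> dict:
    """Passively derive hosts, sessions and open ports (a SYN/ACK proves the port answered)."""
    hosts, sessions, open_ports = set(), set(), set()
    for _ts, frame in parse_pcap(pcap_bytes):
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        src, dst, sport, dport, flags = decoded
        hosts.update((src, dst))
        sessions.add(tuple(sorted([(src, sport), (dst, dport)])))
        if flags & (TCP_SYN | TCP_ACK) == TCP_SYN | TCP_ACK:
            open_ports.add((src, sport))
    return {"hosts": sorted(hosts), "sessions": sorted(sessions), "open_ports": sorted(open_ports)}


if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

The reader deliberately handles only the little-endian legacy format and Ethernet frames; pcapng, VLAN tags and IPv6 are left out so the record and header layout stays visible.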

6- NMAP

NMAP, or Network Mapper, is one of the most popular network discovery and security auditing tools. Network administrators use it to scan ports and map networks. It can identify which software is listening on which ports, and it can discover available hosts as well as the services they offer.

It also appears in many movies you may have seen, such as The Matrix, Snowden and Ocean’s 8, and it is an excellent tool that can easily be deployed on your server without paying anything for it.

7- RAM Capturer

RAM Capturer by Belkasoft is also a tool that will help you to dump the data from a computer’s volatile memory. 

It is compatible with Windows and does not require installation; it can be run from a USB drive.

Memory dumps can be a valuable source of volatile evidence and information. Mostly because in them you can sometimes find passwords to encrypted volumes. This tool is also available for free.

8- FAW

FAW or Forensics Acquisition of Websites is a tool to acquire web pages for forensic investigation.

It lets you use side scrolling and a horizontal cursor so you can decide the web page area to be analyzed. It also captures all types of images, it captures HTML source code of the web page and it can be integrated with Wireshark, and it is also a free tool for forensic investigators.

9- HashMyFiles

HashMyFiles will help you calculate the MD5 and SHA1 hashes of your files.

By recording the hash of each file, you will be able to verify its integrity later.

Unfortunately, there is no help file available and the interface definitely needs some improvements, although only from a visual point of view. But, hey, it is still free.

10- CrowdResponse

CrowdResponse is a Windows application by CrowdStrike that helps you gather system information for incident response and security engagements.

CrowdResponse is ideally suited to non-intrusive data gathering from multiple systems when positioned across the network.  According to iicybersecurity experts CrowdResponse is also available totally for free.

11- ExifTool

ExifTool will help you read, write, and edit metadata for a large number of file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix and more.

ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing metadata in a wide variety of files.

It supports many different metadata formats, and its features include geotagging images from GPS track log files with time drift correction, as well as generating track logs from geotagged images.

And of course, it is also available for free.

12- SIFT

SIFT, which stands for SANS Investigative Forensic Toolkit, is a complete suite of the forensic tools you need and one of the most popular open source incident response platforms.

The SIFT Workstation contains a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of situations. 

And if that does not seem enough, it is freely available and frequently updated.

13- Browser History Capturer by Foxton and Browser History viewer

Browser History Viewer (BHV) is a forensic software tool for extracting and viewing Internet history from the main desktop web browsers. Browser History Examiner is a browser forensic tool used for capturing, extracting, and analyzing the browsing history data of a web browser. Both are free tools.

14- Sleuth Kit

The Sleuth Kit is a collection of command-line tools to investigate and analyze volume and file systems used for digital forensic investigations. With its modular design, it can be used to carve out the right data and find evidence.

It is commonly used in criminal investigations, in digital forensics as mentioned above, or simply for file system analysis.

And, of course it is completely and totally free to use.

15- CAINE

CAINE is a complete digital forensics environment with a friendly graphical interface that integrates with other digital forensics tools.

Some of the tools included with CAINE are The Sleuth Kit, Autopsy, RegRipper, Wireshark, PhotoRec and Fsstat, several of which are already covered here.

According to International Institute of Cyber Security experts, it is also free software.

16- Volatility Framework

Also built into SIFT, which we already explained in this article, Volatility is another open-source memory forensics framework for incident response and malware analysis. 

While its releases may seem few and far between, Volatility Framework is a truly unique forensic tool that lets investigators analyze the runtime state of a device using the system information found in volatile memory, or RAM. According to International Institute of Cyber Security experts, it is one of the best tools of its kind.

And what’s best, it is available for free.

17- Paladin Forensic Suite

PALADIN is an Ubuntu-based toolkit that simplifies a range of forensic tasks. In it, you will find a collection of precompiled open-source forensic tools that can be used for various tasks; it actually provides more than 100 useful tools for investigating malicious material, helping you complete your forensic work quickly and effectively.

And the best part is that it is courtesy of SUMURI, which means it is free for everyone.

18- FTK Imager

AccessData FTK Imager is a forensics tool for Windows whose main purpose is to preview recoverable data from a disk of any kind. It can also create perfect copies, called forensic images, of that data. 

Additional features, such as the ability to create file hashes or mount previously created disk images, are other important advantages worth mentioning.

Even though AccessData FTK Imager looks like a very professional tool created only for advanced forensic procedures, it is actually very user-friendly. Furthermore, it is completely free.
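The two capabilities mentioned for HashMyFiles and FTK Imager, hashing files to check their integrity and creating a forensic image while hashing it, are essentially the same operation, so here is one added example covering both (my own code, not from either tool). It copies a constructed evidence file byte-for-byte into a raw (dd-style) image while computing MD5, SHA-1 and SHA-256 over the exact bytes written, then verifies the image and shows that a single modified byte makes verification fail. SHA-256 is added beside the MD5/SHA-1 pair those tools report because MD5 and SHA-1 collisions are practical today; the file names and contents are constructed for the demonstration.

```python
"""Hash-verified raw image acquisition (illustrative; not HashMyFiles or FTK Imager code)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Iterable

CHUNK = 1 << 20  # read 1 MiB at a time so large evidence files never sit fully in memory


@dataclass(frozen=True)
class Digests:
    md5: str
    sha1: str
    sha256: str


def _digest_stream(blocks: Iterable[bytes]) -> Digests:
    """Feed every block to all three hash functions in a single pass over the data."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for block in blocks:
        md5.update(block)
        sha1.update(block)
        sha256.update(block)
    return Digests(md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest())


def _read_blocks(fh):
    return iter(lambda: fh.read(CHUNK), b"")


def hash_bytes(data: bytes) -> Digests:
    return _digest_stream([data])


def hash_file(path: str) -> Digests:
    with open(path, "rb") as fh:
        return _digest_stream(_read_blocks(fh))


def acquire_raw_image(source: str, image: str) -> Digests:
    """Copy `source` into `image` and hash the stream as it is written, so the acquisition
    hash describes exactly the bytes that ended up in the image file."""
    def copy_and_yield(src, dst):
        for block in _read_blocks(src):
            dst.write(block)
            yield block

    with open(source, "rb") as src, open(image, "wb") as dst:
        return _digest_stream(copy_and_yield(src, dst))


def verify_image(image: str, expected: Digests) -> bool:
    """Re-hash the image and compare against the digests recorded at acquisition time."""
    return hash_file(image) == expected


def demo() -> dict:
    """Constructed evidence file: imaged, verified, then tampered with and re-verified."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.bin")
        img = os.path.join(tmp, "evidence.dd")
        with open(src, "wb") as fh:
            fh.write(b"constructed evidence content\n" * 1000)
        acquired = acquire_raw_image(src, img)
        source_matches = hash_file(src) == acquired  # image hash equals source hash
        verified = verify_image(img, acquired)
        with open(img, "r+b") as fh:  # flip one byte to simulate an altered image
            fh.seek(10)
            fh.write(b"X")
        verified_after_tamper = verify_image(img, acquired)
    return {
        "acquired": acquired,
        "source_matches": source_matches,
        "verified": verified,
        "verified_after_tamper": verified_after_tamper,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Recording the digests at acquisition time and re-checking them before analysis is what lets an examiner show that the copy examined is the copy acquired; the chunked read keeps the same code usable for multi-gigabyte images.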

19-Bulk_Extractor

Bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files.

The results it gives can be easily inspected and analyzed with automated tools. The program can be used for law enforcement, defense, intelligence, and cyber-investigation applications. Bulk_extractor is usually distinguished from other forensic tools by its speed. Because it ignores file system structure, bulk_extractor can process different parts of the disk in parallel. And it is also a free tool.
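To show why ignoring file system structure lets bulk_extractor work on disk regions in parallel, here is an added example in my own code (not bulk_extractor’s scanners). It splits a constructed raw image into fixed-size chunks, scans each chunk for e-mail addresses and URLs with simplified patterns, and overlaps adjacent chunks so a feature that straddles a boundary is still recovered exactly once. Thread workers stand in for bulk_extractor’s native multi-core parallelism; the image bytes and the addresses in it are constructed for the demonstration.

```python
"""Chunked, overlapping feature carving over a raw image (illustrative, not bulk_extractor)."""
import re
from concurrent.futures import ThreadPoolExecutor

# Simplified feature scanners in the spirit of bulk_extractor's email and url scanners.
SCANNERS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9./_%?=&-]+"),
}
MAX_FEATURE = 256  # longest feature we expect; each chunk looks this far past its end


def scan_chunk(image: bytes, start: int, end: int) -> dict[str, set[tuple[int, bytes]]]:
    """Scan image[start:end] plus an overlap window so boundary-straddling hits are whole.
    A hit is attributed to the chunk in which it starts, which prevents duplicates."""
    window = image[start:end + MAX_FEATURE]
    found: dict[str, set[tuple[int, bytes]]] = {name: set() for name in SCANNERS}
    for name, pattern in SCANNERS.items():
        for match in pattern.finditer(window):
            offset = start + match.start()
            if offset < end:
                found[name].add((offset, match.group()))
    return found


def carve_features(image: bytes, chunk_size: int = 4096, workers: int = 4) -> dict[str, list]:
    """Carve features from every chunk in parallel and merge the (offset, value) hits."""
    ranges = [(s, min(s + chunk_size, len(image))) for s in range(0, len(image), chunk_size)]
    merged: dict[str, set[tuple[int, bytes]]] = {name: set() for name in SCANNERS}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for partial in pool.map(lambda r: scan_chunk(image, *r), ranges):
            for name, hits in partial.items():
                merged[name] |= hits
    return {name: sorted(hits) for name, hits in merged.items()}


def build_sample_image(chunk_size: int = 4096) -> bytes:
    """Constructed 'disk image': zero filler with one URL and one e-mail address, the
    address deliberately placed across the first chunk boundary."""
    buf = bytearray(3 * chunk_size)
    url = b"http://intranet.example.invalid/reports/q1.pdf"
    email = b"alice@example.invalid"
    buf[100:100 + len(url)] = url
    buf[chunk_size - 6:chunk_size - 6 + len(email)] = email
    return bytes(buf)


if __name__ == "__main__":
    for kind, hits in carve_features(build_sample_image()).items():
        for offset, value in hits:
            print(f"{kind}\t{offset}\t{value.decode()}")
```

The e-mail address starting six bytes before the 4096-byte boundary is found once, at offset 4090, because the first chunk's overlap window sees it whole and the second chunk discards anything that begins before its own start.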

20- LastActivityView

LastActivityView is a portable software application that will enable you to view the latest activity recorded by a computer. 

However, there is an important aspect of this tool to take into account: the Windows registry does not get updated with new entries.

But let’s review the pros. LastActivityView has a very good response time. It is actually capable of detecting activity prior to its first run, and it uses very little CPU and RAM, so it won’t affect your computer’s overall performance.

It also has an overall simplicity and of course, it is totally free.

21-FireEye RedLine

Redline, FireEye’s premier endpoint security tool, provides host investigative capabilities that let users find signs of malicious activity through memory and file analysis.

It is available for OS X and Linux environments.

Some of its features include auditing and collecting all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history. 

It can also be very useful for in-depth analysis, because it allows the user to establish the timeline and scope of an incident, and it is completely free software.

These 21 digital forensics tools will aid you in your investigation and help you make informed decisions about the case under review.
