Index
A
- Address Resolution Protocol (ARP)
- algorithms
  - about / Algorithms
  - MD5 / MD5
  - SHA256 / SHA256
  - SSDEEP / SSDEEP
- Android
  - examining / Android
  - manual examination / Manual Examination
  - automated examination, with ADEL / Automated Examination with the help of ADEL
  - movement profiles, creating / Movement profiles
- Android Data Extractor Lite (ADEL)
  - used, for automated examination of Android / Automated Examination with the help of ADEL
  - design guidelines / Idea behind the system
  - implementation / Implementation and system workflow
  - system workflow / Implementation and system workflow
  - working with / Working with ADEL
  - URL / Working with ADEL
- Android Software Development Kit (Android SDK)
- AndroTotal
  - about / Manual Examination
- AppExtract
  - about / Mobile Malware
  - URL / Mobile Malware
- Apple iOS
  - about / Apple iOS
  - keychain, obtaining from jailbroken iDevice / Getting the Keychain from a jailbroken iDevice
  - manual examination, with libimobiledevice / Manual Examination with libimobiledevice
- Application Compatibility Shim Cache
  - about / Shim Cache Parser
- atom
B
- bare-metal hypervisor
C
- capability flags
  - about / Understanding inode
- C data types
  - about / C data types
- central log system
  - log information, collecting / Cloning of systems
- clustering, file information
  - about / Clustering file information
  - histograms, creating / Creating histograms
- Context Triggered Piecewise Hashing (CTPH)
  - about / SSDEEP
- cryptographic hash function
  - about / Algorithms
  - properties / Algorithms
- ctypes
  - about / Introduction to Python ctypes
  - Dynamic Link Libraries (DLL) / Working with Dynamic Link Libraries
  - C data types / C data types
  - Unions, defining / Defining Unions and Structures
  - Structures, defining / Defining Unions and Structures
- Cydia App Store
D
- Dalvik Virtual Machine (DVM)
  - about / Volatility for Android
- Data center as a Service (DCaaS)
- decoders
  - dns / Using Dshell during an investigation
  - reservedips / Using Dshell during an investigation
  - large-flows / Using Dshell during an investigation
  - rip-http / Using Dshell during an investigation
  - protocols / Using Dshell during an investigation
  - synrst / Using Dshell during an investigation
- desktop virtualization
- direct hardware access
  - detecting / Detecting direct hardware access
- Directory Table Base (DTB)
  - about / Analyzing processes and modules
- directory trees
  - hash sums, creating / Creating hash sums of directory trees
- discretionary access control
- disk images
  - snapshots, using as / Using snapshots as disk images
- Dshell
- Dynamic Host Configuration Protocol (DHCP)
  - about / Analyzing networking information
- Dynamic Link Libraries (DLL)
E
- Eclipse
  - about / Ubuntu
- Emerging Threats
- ESXi servers
  - about / Creation of rogue machines
- Event Log (EVT)
  - about / The Windows Event Log
  - files / The Windows Event Log
  - reference link / The Windows Event Log
  - parsing, for IOC / Parsing the Event Log for IOC
  - python-evtx / The python-evtx parser
  - Log2timeline / The plaso and log2timeline tools
  - plaso / The plaso and log2timeline tools
F
- file capabilities
  - reading, with Python / Reading file capabilities with Python
  - permitted set (p) / Reading file capabilities with Python
  - inheritable set (i) / Reading file capabilities with Python
  - effective set (e) / Reading file capabilities with Python
- file meta information
  - analyzing / Analyzing file meta information
  - inode / Understanding inode
  - basic file metadata, reading with Python / Reading basic file metadata with Python
  - POSIX ACLs, evaluating with Python / Evaluating POSIX ACLs with Python
  - file capabilities, reading with Python / Reading file capabilities with Python
- file mode, inode (index node)
  - read (r) / Understanding inode
  - write (w) / Understanding inode
  - execute (x) / Understanding inode
  - sticky (t) / Understanding inode
  - set id on execution (s) / Understanding inode
- Firewall
- forensic copy
  - investigating / Supporting the chain of custody
  - hash sums, creating of full disk images / Creating hash sums of full disk images
  - hash sums, creating of directory trees / Creating hash sums of directory trees
- full disk images
  - hash sums, creating / Creating hash sums of full disk images
- Fuzzy Hashing
  - about / SSDEEP
G
- General Public License (GPL)
  - about / Understanding Volatility basics
- GnuPG
- GnuPlot
- guest OS
H
- hash function
  - about / Algorithms
- hash sums
  - creating, of full disk images / Creating hash sums of full disk images
  - creating, of directory trees / Creating hash sums of directory trees
- histograms
  - creating / Creating histograms
  - disadvantages / Advanced histogram techniques
  - advanced techniques / Advanced histogram techniques
- host OS
- hypervisor
I
- inode (index node)
  - about / Understanding inode
  - index number / Understanding inode
  - file owner / Understanding inode
  - file group / Understanding inode
  - file mode / Understanding inode
- Inter-Process Communication (IPC)
  - about / Analyzing networking information
- International Mobile Subscriber Identity (IMSI)
- Investigative Process Model
  - for smartphones / The investigative model for smartphones
  - steps / The investigative model for smartphones
- IOC
  - Event Log (EVT), parsing for / Parsing the Event Log for IOC
  - Windows Registry, parsing for / Parsing the Registry for IOC
J
- jailbroken iDevice
  - iOS keychain, obtaining / Getting the Keychain from a jailbroken iDevice
K
- kernels
  - reference link / LiME and the recovery image
L
- labenv
- lab environment
  - setting up / Setting up the Lab
  - Ubuntu / Ubuntu
  - virtualenv / Python virtual environment (virtualenv)
- libimobiledevice
  - about / Apple iOS
  - used, for manual examination of Apple iOS / Manual Examination with libimobiledevice
- LibreOffice Calc
  - about / Mobile Malware
- LiME
  - about / LiME and the recovery image
  - using / LiME and the recovery image
- Linux Memory Extractor (LiME) format
  - about / Understanding Volatility basics
- Linux specific checks
  - implementing / Implementing Linux specific checks
  - integrity of local user credentials, checking / Checking the integrity of local user credentials
  - file meta information, analyzing / Analyzing file meta information
  - file information, clustering / Clustering file information
- Loadable Kernel Module (LKM)
  - about / Using Volatility on Android
- local user credentials
  - integrity, checking / Checking the integrity of local user credentials
- Log2timeline
  - about / The plaso and log2timeline tools
M
- machine learning algorithms
  - about / Advanced histogram techniques
- mako kernel
  - about / LiME and the recovery image
- matplotlib module
  - about / Creating histograms
  - URL / Creating histograms
- MD5
  - about / Algorithms, MD5
- Mobile-Sandbox
  - about / Mobile Malware, Manual Examination
  - URL / Mobile Malware
- Mobile Malware
  - about / Real-world scenarios
  - example / Mobile Malware
N
- National Software Reference Library (NSRL)
  - about / Real-world scenarios, NSRLquery
  - URL / NSRLquery
- Network Interface Card (NIC)
  - about / Capturing network traffic
- network traffic
  - capturing / Capturing network traffic
- nsrllookup
- NSRLquery
  - example / NSRLquery
  - nsrlsvr, downloading / Downloading and installing nsrlsvr
  - nsrlsvr, installing / Downloading and installing nsrlsvr
- nsrlsvr
  - installing / Downloading and installing nsrlsvr
  - downloading / Downloading and installing nsrlsvr
  - URL / Downloading and installing nsrlsvr
  - installing, in non-default directory / Downloading and installing nsrlsvr
  - client, writing / Writing a client for nsrlsvr in Python
  - commands / Writing a client for nsrlsvr in Python
P
- packet capture (pcap) file
- PhotoRec
  - about / Volatility for Android
- plaso
- POSIX Access Control Lists (POSIX ACLs)
  - about / Understanding inode
- POSIX ACLs
  - evaluating, with Python / Evaluating POSIX ACLs with Python
- pylibacl library
- python-evtx
- pyVmomi
  - about / Creation of rogue machines
  - URL / Creation of rogue machines
  - sample code / Creation of rogue machines
R
- RAM content
  - forensic copies, creating / Creating forensic copies of RAM content
- real-world scenarios
  - Mobile Malware / Real-world scenarios
  - NSRLquery / Real-world scenarios, NSRLquery
- recovery image
  - creating / LiME and the recovery image
- regular expression
- rip-smb-uploads decoder
- rogue machines
  - creating / Creation of rogue machines
- rogue network interfaces
  - detecting / Detecting rogue network interfaces
S
- Scapy
- scikit-learn
- sdb
- Secure Shell (SSH)
  - about / Apple iOS
- SHA256
  - about / Algorithms, SHA256
- shared objects (SO)
- Shim Cache Parser
  - about / Parsing the Registry for IOC, Shim Cache Parser
  - reference link / Parsing the Registry for IOC
  - URL / Shim Cache Parser
- smartphones
  - Investigative Process Model / The investigative model for smartphones
- smart pointer
- snapshots
  - about / Virtualization as an additional layer of abstraction
  - using, as disk images / Using snapshots as disk images
- SSDEEP
  - about / Algorithms, SSDEEP
  - URL / SSDEEP
- stat module
  - reference link / Reading basic file metadata with Python
- strings
  - about / Volatility for Android
- Structures
  - defining / Defining Unions and Structures
T
- Tor2Web service
- Tor network
- Tor Onion Services
- Type 1 hypervisor
- Type 2 hypervisor
U
- Ubuntu
- Unions
  - defining / Defining Unions and Structures
V
- Vawtrak malware
- vCenter Server
- virtualenv
  - about / Setting up the Lab, Python virtual environment (virtualenv)
  - setting up / Python virtual environment (virtualenv)
  - installing / Python virtual environment (virtualenv)
- virtualization
  - as new attack surface / Considering virtualization as a new attack surface
  - as additional layer of abstraction / Virtualization as an additional layer of abstraction
  - rogue machines, creating / Creation of rogue machines
  - systems, cloning / Cloning of systems
  - used, as source of evidence / Using virtualization as a source of evidence
  - forensic copies, creating of RAM content / Creating forensic copies of RAM content
  - snapshots, using as disk images / Using snapshots as disk images
  - network traffic, capturing / Capturing network traffic
- virtual networks
  - visualizing / Detecting rogue network interfaces
- virtual resources
  - misuse, searching / Searching for misuse of virtual resources
  - rogue network interfaces, detecting / Detecting rogue network interfaces
  - direct hardware access, detecting / Detecting direct hardware access
- VirusTotal
  - about / Mobile Malware
- VMware vSphere
  - about / Creation of rogue machines
- VMX file
  - hardware configuration, extracting / Detecting direct hardware access
- Volatility
  - about / Understanding Volatility basics
  - URL / Understanding Volatility basics
  - profile / Understanding Volatility basics
  - plugins / Understanding Volatility basics
  - malware, searching with YARA / Malware hunting with the help of YARA
- Volatility, on Android
  - using / Using Volatility on Android
  - LiME / LiME and the recovery image
  - recovery image, creating / LiME and the recovery image
  - using, with ARM support / Volatility for Android
  - data, reconstructing / Reconstructing data for Android
  - call history, obtaining / Call history
  - keyboard cache / Keyboard cache
- Volatility, on Linux
  - using / Using Volatility on Linux
  - memory acquisition / Memory acquisition
  - profiles, using / Volatility for Linux
  - data, reconstructing / Reconstructing data for Linux
  - processes, analyzing / Analyzing processes and modules
  - modules, analyzing / Analyzing processes and modules
  - networking information, analyzing / Analyzing networking information
- vSphere Distributed Switch (VDS)
  - about / Capturing network traffic
- vSphere Web Service API
  - about / Creation of rogue machines
- vSphere Web Services SDK
- vtype
  - about / Volatility for Android
W
- Windows Event Log
  - analyzing / Analyzing the Windows Event Log
  - about / The Windows Event Log
  - types / Interesting Events
- Windows Event Log (EVTX)
  - about / The Windows Event Log
- Windows Registry
  - analyzing / Analyzing the Windows Registry
  - structure / Windows Registry Structure
  - parsing, for IOC / Parsing the Registry for IOC
  - Connected USB Devices / Parsing the Registry for IOC, Connected USB Devices
  - User Histories / Parsing the Registry for IOC, User histories
  - Startup Programs / Parsing the Registry for IOC, Startup programs
  - System Information / Parsing the Registry for IOC, System Information
  - subkeys / User histories
  - Shim Cache Parser / Shim Cache Parser
Y
- YARA
  - used, for searching malware / Malware hunting with the help of YARA
  - references / Malware hunting with the help of YARA