Investigative Scenario
Chris Sanders posted another investigative scenario on Tues, 12 Mar, and this one, I thought, was interesting (see the image to the right).
First off, you can find the scenario posted on X/Twitter, and here on LinkedIn.
Now, let’s go ahead and kick this off. In this scenario, a threat actor remotely wiped a laptop, and the sole source of evidence we have available is a backup of “the Windows Registry”, made just prior to the system being wiped.
Goals
I try to make sure I have the investigative goals written out where I can see them and quickly refer back to them.
Per the scenario, our goals are to determine:
1. How did the threat actor access the system?
2. What were their actions on objectives prior to wiping the system?
Investigation
The first thing I’d do is create a timeline from the Software and System hive files, in order to establish a pivot point. Per the scenario, the Registry was backed up “just before the attacker wiped the system”. Therefore, by creating a timeline, we can assume that the last entry in the timeline was from just prior to the system being wiped. This would give us a starting point to work backward from, and provide an “aiming stake” for our investigation.
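Building that timeline from the backed-up hives, as an added example that is not code from the original post: a small Python scanner (mine, not the author's) that reads the LastWrite timestamp of every nk key cell in a raw hive file, sorts the entries, and reports the newest one as the pivot point. It goes one step beyond the paragraph by scanning for cell signatures rather than walking from the root key, so deleted keys still resident in hbin slack appear in the timeline too. The hive bytes here are a constructed stand-in; with a real backup, pass the contents of the Software or System hive to build_timeline().

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since this instant

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10**7  # integer math; a float would lose precision

def scan_nk_records(hive):
    """Return (last_write, key_name, allocated) for every plausible 'nk' key cell in raw hive bytes.
    Scanning by signature instead of walking from the root key also surfaces deleted keys
    whose cells still sit in hbin slack (allocated == False)."""
    found, pos = [], hive.find(b"nk", 0x1000)  # the 0x1000-byte base block holds no cells
    while pos != -1:
        if (pos - 4) % 8 == 0 and pos + 0x4C <= len(hive):  # cells are 8-byte aligned, size dword first
            cell_size = struct.unpack_from("<i", hive, pos - 4)[0]
            flags, ft = struct.unpack_from("<HQ", hive, pos + 2)  # key flags, LastWrite FILETIME
            name_len = struct.unpack_from("<H", hive, pos + 0x48)[0]
            raw = hive[pos + 0x4C:pos + 0x4C + name_len]
            if 0 < ft < 2 * 10**18 and 0 < name_len == len(raw) < 256:  # 2e18 ticks ~ year 7900
                name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le", "replace")
                found.append((filetime_to_dt(ft), name, cell_size < 0))  # negative size: allocated cell
        pos = hive.find(b"nk", pos + 2)
    return found

def build_timeline(hive):
    return sorted(scan_nk_records(hive))

def pivot_point(hive):
    # The newest LastWrite in the backup is the closest thing to "just before the wipe"
    timeline = build_timeline(hive)
    return timeline[-1] if timeline else None

def make_nk_cell(name, ft, allocated=True):
    # Constructed, minimal nk record: only the fields the scanner reads are populated
    body = b"nk" + struct.pack("<HQ", 0x20, ft) + b"\0" * 0x3C + struct.pack("<HH", len(name), 0) + name.encode()
    body += b"\0" * (-(len(body) + 4) % 8)  # keep the following cell 8-byte aligned
    return struct.pack("<i", -(len(body) + 4) if allocated else len(body) + 4) + body

def sample_hive():
    # Constructed stand-in for the backed-up hive: base block, one hbin, three keys. Not a real hive.
    base = datetime(2024, 3, 12, tzinfo=timezone.utc)
    cells = (make_nk_cell("ROOT", to_filetime(base))
             + make_nk_cell("Uninstall", to_filetime(base + timedelta(hours=1)), allocated=False)
             + make_nk_cell("Run", to_filetime(base + timedelta(hours=2))))
    hbin = (b"hbin" + struct.pack("<II", 0, 0x1000) + b"\0" * 20 + cells).ljust(0x1000, b"\0")
    return b"regf" + b"\0" * (0x1000 - 4) + hbin
```

Key LastWrite times only tell you when a key was last touched, not which value changed, so the pivot point is a starting mark for working backward, not proof of what the last action was.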
The next thing I’d do is
[…]