Mastering Python Forensics

Master the art of digital forensics and analysis with Python

Product type Paperback
Published in Oct 2015
Publisher Packt
ISBN-13 9781783988044
Length 192 pages
Edition 1st Edition

Index

A

  • Address Resolution Protocol (ARP)
    • about / Using Scapy during an investigation, Analyzing networking information
  • algorithms
    • about / Algorithms
    • MD5 / MD5
    • SHA256 / SHA256
    • SSDEEP / SSDEEP
  • Android
    • examining / Android
    • manual examination / Manual Examination
    • automated examination, with ADEL / Automated Examination with the help of ADEL
    • movement profiles, creating / Movement profiles
  • Android Data Extractor Lite (ADEL)
    • used, for automated examination of Android / Automated Examination with the help of ADEL
    • design guidelines / Idea behind the system
    • implementation / Implementation and system workflow
    • system workflow / Implementation and system workflow
    • working with / Working with ADEL
    • URL / Working with ADEL
  • Android Software Development Kit (Android SDK)
    • about / Implementation and system workflow
  • AndroTotal
    • about / Manual Examination
  • AppExtract
    • about / Mobile Malware
    • URL / Mobile Malware
  • Apple iOS
    • about / Apple iOS
    • keychain, obtaining from jailbroken iDevice / Getting the Keychain from a jailbroken iDevice
    • manual examination, with libimobiledevice / Manual Examination with libimobiledevice
  • Application Compatibility Shim Cache
    • about / Shim Cache Parser
  • atom
    • about / Ubuntu
    • URL / Ubuntu

B

  • bare-metal hypervisor
    • about / Virtualization as an additional layer of abstraction

C

  • capability flags
    • about / Understanding inode
  • C data types
    • about / C data types
  • central log system
    • log information, collecting / Cloning of systems
  • clustering, file information
    • about / Clustering file information
    • histograms, creating / Creating histograms
  • Context Triggered Piecewise Hashing (CTPH)
    • about / SSDEEP
  • cryptographic hash function
    • about / Algorithms
    • properties / Algorithms
  • ctypes
    • about / Introduction to Python ctypes
    • Dynamic Link Libraries (DLL) / Working with Dynamic Link Libraries
    • C data types / C data types
    • Unions, defining / Defining Unions and Structures
    • Structures, defining / Defining Unions and Structures
  • Cydia App Store
    • about / Manual Examination with libimobiledevice

D

  • Dalvik Virtual Machine (DVM)
    • about / Volatility for Android
  • Data center as a Service (DCaaS)
    • about / Detecting rogue network interfaces
  • decoders
    • dns / Using Dshell during an investigation
    • reservedips / Using Dshell during an investigation
    • large-flows / Using Dshell during an investigation
    • rip-http / Using Dshell during an investigation
    • protocols / Using Dshell during an investigation
    • synrst / Using Dshell during an investigation
  • desktop virtualization
    • about / Virtualization as an additional layer of abstraction
  • direct hardware access
    • detecting / Detecting direct hardware access
  • Directory Table Base (DTB)
    • about / Analyzing processes and modules
  • directory trees
    • hash sums, creating / Creating hash sums of directory trees
  • discretionary access control
    • about / Evaluating POSIX ACLs with Python
  • disk images
    • snapshots, using as / Using snapshots as disk images
  • Dshell
    • using / Using Dshell during an investigation
    • URL / Using Dshell during an investigation
  • Dynamic Host Configuration Protocol (DHCP)
    • about / Analyzing networking information
  • Dynamic Link Libraries (DLL)
    • about / Working with Dynamic Link Libraries

E

  • eclipse
    • about / Ubuntu
  • Emerging Threats
    • URL / Using Dshell during an investigation
  • ESXi servers
    • about / Creation of rogue machines
  • Event Log (EVT)
    • about / The Windows Event Log
    • files / The Windows Event Log
    • reference link / The Windows Event Log
    • parsing, for IOC / Parsing the Event Log for IOC
    • python-evtx / The python-evtx parser
    • Log2timeline / The plaso and log2timeline tools
    • plaso / The plaso and log2timeline tools

F

  • file capabilities
    • reading, with Python / Reading file capabilities with Python
    • permitted set (p) / Reading file capabilities with Python
    • inheritable set (i) / Reading file capabilities with Python
    • effective set (e) / Reading file capabilities with Python
  • file meta information
    • analyzing / Analyzing file meta information
    • inode / Understanding inode
    • basic file metadata, reading with Python / Reading basic file metadata with Python
    • POSIX ACLs, evaluating with Python / Evaluating POSIX ACLs with Python
    • file capabilities, reading with Python / Reading file capabilities with Python
  • file mode, inode (index node)
    • read (r) / Understanding inode
    • write (w) / Understanding inode
    • execute (x) / Understanding inode
    • sticky (t) / Understanding inode
    • set id on execution (s) / Understanding inode
  • Firewall
    • about / Detecting rogue network interfaces
  • forensic copy
    • investigating / Supporting the chain of custody
    • hash sums, creating of full disk images / Creating hash sums of full disk images
    • hash sums, creating of directory trees / Creating hash sums of directory trees
  • full disk images
    • hash sums, creating / Creating hash sums of full disk images
  • Fuzzy Hashing
    • about / SSDEEP

G

  • General Public License (GPL)
    • about / Understanding Volatility basics
  • GnuPG
    • using / Creating hash sums of directory trees
    • URL / Creating hash sums of directory trees
  • GnuPlot
    • about / Using Scapy during an investigation
  • guest OS
    • about / Virtualization as an additional layer of abstraction

H

  • hash function
    • about / Algorithms
  • hash sums
    • creating, of full disk images / Creating hash sums of full disk images
    • creating, of directory trees / Creating hash sums of directory trees
  • histograms
    • creating / Creating histograms
    • disadvantages / Advanced histogram techniques
    • advanced techniques / Advanced histogram techniques
  • host OS
    • about / Virtualization as an additional layer of abstraction
  • hypervisor
    • about / Virtualization as an additional layer of abstraction

I

  • inode (index node)
    • about / Understanding inode
    • index number / Understanding inode
    • file owner / Understanding inode
    • file group / Understanding inode
    • file mode / Understanding inode
  • Inter-Process Communication (IPC)
    • about / Analyzing networking information
  • International Mobile Subscriber Identity (IMSI)
    • about / Implementation and system workflow
  • Investigative Process Model
    • for smartphones / The investigative model for smartphones
    • steps / The investigative model for smartphones
  • IOC
    • Event Log (EVT), parsing for / Parsing the Event Log for IOC
    • Windows Registry, parsing for / Parsing the Registry for IOC

J

  • jailbroken iDevice
    • iOS keychain, obtaining / Getting the Keychain from a jailbroken iDevice

K

  • kernels
    • reference link / LiME and the recovery image

L

  • labenv
    • about / Python virtual environment (virtualenv)
  • lab environment
    • setting up / Setting up the Lab
    • Ubuntu / Ubuntu
    • virtualenv / Python virtual environment (virtualenv)
  • libimobiledevice
    • about / Apple iOS
    • used, for manual examination of Apple iOS / Manual Examination with libimobiledevice
  • LibreOffice Calc
    • about / Mobile Malware
  • LiME
    • about / LiME and the recovery image
    • using / LiME and the recovery image
  • Linux Memory Extractor (LiME) format
    • about / Understanding Volatility basics
  • Linux specific checks
    • implementing / Implementing Linux specific checks
    • integrity of local user credentials, checking / Checking the integrity of local user credentials
    • file meta information, analyzing / Analyzing file meta information
    • file information, clustering / Clustering file information
  • Loadable Kernel Module (LKM)
    • about / Using Volatility on Android
  • local user credentials
    • integrity, checking / Checking the integrity of local user credentials
  • Log2timeline
    • about / The plaso and log2timeline tools

M

  • machine learning algorithms
    • about / Advanced histogram techniques
  • mako kernel
    • about / LiME and the recovery image
  • matplotlib module
    • about / Creating histograms
    • URL / Creating histograms
  • MD5
    • about / Algorithms, MD5
  • Mobile-Sandbox
    • about / Mobile Malware, Manual Examination
    • URL / Mobile Malware
  • Mobile Malware
    • about / Real-world scenarios
    • example / Mobile Malware

N

  • National Software Reference Library (NSRL)
    • about / Real-world scenarios, NSRLquery
    • URL / NSRLquery
  • Network Interface Card (NIC)
    • about / Capturing network traffic
  • network traffic
    • capturing / Capturing network traffic
  • nsrllookup
    • about / Writing a client for nsrlsvr in Python
    • URL / Writing a client for nsrlsvr in Python
  • NSRLquery
    • example / NSRLquery
    • nsrlsvr, downloading / Downloading and installing nsrlsvr
    • nsrlsvr, installing / Downloading and installing nsrlsvr
  • nsrlsvr
    • installing / Downloading and installing nsrlsvr
    • downloading / Downloading and installing nsrlsvr
    • URL / Downloading and installing nsrlsvr
    • installing, in non-default directory / Downloading and installing nsrlsvr
    • client, writing / Writing a client for nsrlsvr in Python
    • commands / Writing a client for nsrlsvr in Python

P

  • packet capture (pcap) file
    • about / Using Dshell during an investigation
  • PhotoRec
    • about / Volatility for Android
  • plaso
    • URL / Parsing the Event Log for IOC
    • about / The plaso and log2timeline tools
  • POSIX Access Control Lists (POSIX ACLs)
    • about / Understanding inode
  • POSIX ACLs
    • evaluating, with Python / Evaluating POSIX ACLs with Python
  • pylibacl library
    • about / Evaluating POSIX ACLs with Python
    • URL / Evaluating POSIX ACLs with Python
  • python-evtx
    • URL / Parsing the Event Log for IOC, The python-evtx parser
    • about / The python-evtx parser
  • pyVmomi
    • about / Creation of rogue machines
    • URL / Creation of rogue machines
    • sample code / Creation of rogue machines

R

  • RAM content
    • forensic copies, creating / Creating forensic copies of RAM content
  • real-world scenarios
    • Mobile Malware / Real-world scenarios
    • NSRLquery / Real-world scenarios, NSRLquery
  • recovery image
    • creating / LiME and the recovery image
  • regular expression
    • about / Checking the integrity of local user credentials
    • re module / Checking the integrity of local user credentials
  • rip-smb-uploads decoder
    • about / Using Dshell during an investigation
  • rogue machines
    • creating / Creation of rogue machines
  • rogue network interfaces
    • detecting / Detecting rogue network interfaces

S

  • Scapy
    • using / Using Scapy during an investigation
    • URL / Using Scapy during an investigation
  • scikit-learn
    • about / Advanced histogram techniques
    • URL / Advanced histogram techniques
  • sdb
    • about / Creating hash sums of full disk images
  • Secure Shell (SSH)
    • about / Apple iOS
  • SHA256
    • about / Algorithms, SHA256
  • shared objects (SO)
    • about / Working with Dynamic Link Libraries
  • Shim Cache Parser
    • about / Parsing the Registry for IOC, Shim Cache Parser
    • reference link / Parsing the Registry for IOC
    • URL / Shim Cache Parser
  • smartphones
    • Investigative Process Model / The investigative model for smartphones
  • smart pointer
    • about / Reading file capabilities with Python
  • snapshots
    • about / Virtualization as an additional layer of abstraction
    • using, as disk images / Using snapshots as disk images
  • SSDEEP
    • about / Algorithms, SSDEEP
    • URL / SSDEEP
  • stat module
    • reference link / Reading basic file metadata with Python
  • strings
    • about / Volatility for Android
  • Structures
    • defining / Defining Unions and Structures

T

  • Tor2Web service
    • about / Using Dshell during an investigation
  • Tor network
    • about / Using Dshell during an investigation
  • Tor Onion Services
    • about / Using Dshell during an investigation
  • Type 1 hypervisor
    • about / Virtualization as an additional layer of abstraction
  • Type 2 hypervisor
    • about / Virtualization as an additional layer of abstraction

U

  • Ubuntu
    • setting up / Ubuntu
    • URL / Ubuntu
  • Unions
    • defining / Defining Unions and Structures

V

  • Vawtrak malware
    • about / Using Dshell during an investigation
  • vCenter Server
    • about / Virtualization as an additional layer of abstraction
  • virtualenv
    • about / Setting up the Lab, Python virtual environment (virtualenv)
    • setting up / Python virtual environment (virtualenv)
    • installing / Python virtual environment (virtualenv)
  • virtualization
    • as new attack surface / Considering virtualization as a new attack surface
    • as additional layer of abstraction / Virtualization as an additional layer of abstraction
    • rogue machines, creating / Creation of rogue machines
    • systems, cloning / Cloning of systems
    • used, as source of evidence / Using virtualization as a source of evidence
    • forensic copies, creating of RAM content / Creating forensic copies of RAM content
    • snapshots, using as disk images / Using snapshots as disk images
    • network traffic, capturing / Capturing network traffic
  • virtual networks
    • visualizing / Detecting rogue network interfaces
  • virtual resources
    • misuse, searching / Searching for misuse of virtual resources
    • rogue network interfaces, detecting / Detecting rogue network interfaces
    • direct hardware access, detecting / Detecting direct hardware access
  • VirusTotal
    • about / Mobile Malware
  • VMware vSphere
    • about / Creation of rogue machines
  • VMX file
    • hardware configuration, extracting / Detecting direct hardware access
  • Volatility
    • about / Understanding Volatility basics
    • URL / Understanding Volatility basics
    • profile / Understanding Volatility basics
    • plugins / Understanding Volatility basics
    • malware, searching with YARA / Malware hunting with the help of YARA
  • Volatility, on Android
    • using / Using Volatility on Android
    • LiME / LiME and the recovery image
    • recovery image, creating / LiME and the recovery image
    • using, with ARM support / Volatility for Android
    • data, reconstructing / Reconstructing data for Android
    • call history, obtaining / Call history
    • keyboard cache / Keyboard cache
  • Volatility, on Linux
    • using / Using Volatility on Linux
    • memory acquisition / Memory acquisition
    • profiles, using / Volatility for Linux
    • data, reconstructing / Reconstructing data for Linux
    • processes, analyzing / Analyzing processes and modules
    • modules, analyzing / Analyzing processes and modules
    • networking information, analyzing / Analyzing networking information
  • vSphere Distributed Switch (VDS)
    • about / Capturing network traffic
  • vSphere Web Service API
    • about / Creation of rogue machines
  • vSphere Web Services SDK
    • URL / Creation of rogue machines
  • vtype
    • about / Volatility for Android

W

  • Windows Event Log
    • analyzing / Analyzing the Windows Event Log
    • about / The Windows Event Log
    • types / Interesting Events
  • Windows Event Log (EVTX)
    • about / The Windows Event Log
  • Windows Registry
    • analyzing / Analyzing the Windows Registry
    • structure / Windows Registry Structure
    • parsing, for IOC / Parsing the Registry for IOC
    • Connected USB Devices / Parsing the Registry for IOC, Connected USB Devices
    • User Histories / Parsing the Registry for IOC, User histories
    • Startup Programs / Parsing the Registry for IOC, Startup programs
    • System Information / Parsing the Registry for IOC, System Information
    • subkeys / User histories
    • Shim Cache Parser / Shim Cache Parser

Y

  • YARA
    • used, for searching malware / Malware hunting with the help of YARA
    • references / Malware hunting with the help of YARA