GitBook: [master] 11 pages modified

SUMMARY.md

@@ -416,31 +416,31 @@
 ## Forensics
 
 * [Malware Analysis](forensics/malware-analysis.md)
-* [Memory dump analysis](forensics/memory-dump-analysis.md)
 * [Pcaps analysis](forensics/pcaps-analysis/README.md)
   * [Wifi Pcap Analysis](forensics/pcaps-analysis/wifi-pcap-analysis.md)
   * [USB Keyboard pcap analysis](forensics/pcaps-analysis/usb-keyboard-pcap-analysis.md)
   * [DNSCat pcap analysis](forensics/pcaps-analysis/dnscat-exfiltration.md)
   * [Wireshark tricks](forensics/pcaps-analysis/wireshark-tricks.md)
-* [Volatility - CheatSheet](forensics/volatility-examples.md)
 * [Basic Forensics \(ESP\)](forensics/basic-forensics-esp/README.md)
+  * [Memory dump analysis](forensics/basic-forensics-esp/memory-dump-analysis/README.md)
+    * [Volatility - CheatSheet](forensics/basic-forensics-esp/memory-dump-analysis/volatility-examples.md)
   * [Specific Software/File-Type Tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/README.md)
-    * [PNG tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/png-tricks.md)
+    * [.pyc](forensics/basic-forensics-esp/specific-software-file-type-tricks/.pyc.md)
+    * [Browser Artifacts](forensics/basic-forensics-esp/specific-software-file-type-tricks/browser-artifacts.md)
+    * [Desofuscation vbs \(cscript.exe\)](forensics/basic-forensics-esp/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
+    * [Local Cloud Storage](forensics/basic-forensics-esp/specific-software-file-type-tricks/local-cloud-storage.md)
     * [Office file analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/office-file-analysis.md)
     * [PDF File analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/pdf-file-analysis.md)
+    * [PNG tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/png-tricks.md)
     * [Video and Audio file analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
-    * [.pyc](forensics/basic-forensics-esp/specific-software-file-type-tricks/.pyc.md)
-    * [Desofuscation vbs \(cscript.exe\)](forensics/basic-forensics-esp/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
     * [ZIPs tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/zips-tricks.md)
-    * [USB logs analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/usb-logs-analysis.md)
-    * [Browser Artifacts](forensics/basic-forensics-esp/specific-software-file-type-tricks/browser-artifacts.md)
-    * [Cloud Storage](forensics/basic-forensics-esp/specific-software-file-type-tricks/cloud-storage.md)
   * [Partitions/File Systems/Carving](forensics/basic-forensics-esp/partitions-file-systems-carving/README.md)
     * [File/Data Carving Tools](forensics/basic-forensics-esp/partitions-file-systems-carving/file-data-carving-tools.md)
     * [NTFS](forensics/basic-forensics-esp/partitions-file-systems-carving/ntfs.md)
   * [Windows Artifacts](forensics/basic-forensics-esp/windows-forensics/README.md)
     * [Interesting Windows Registry Keys](forensics/basic-forensics-esp/windows-forensics/interesting-windows-registry-keys.md)
   * [Anti-Forensic Techniques](forensics/basic-forensics-esp/anti-forensic-techniques.md)
+  * [USB logs analysis](forensics/basic-forensics-esp/usb-logs-analysis.md)
   * [Image Adquisition & Mount](forensics/basic-forensics-esp/image-adquisition-and-mount.md)
   * [Docker Forensics](forensics/basic-forensics-esp/docker-forensics.md)
   * [Linux Forensics](forensics/basic-forensics-esp/linux-forensics.md)

forensics/basic-forensics-esp/README.md

@@ -11,6 +11,25 @@ if you are given a **forensic image** of a device you can start **analyzing the
 
 {% page-ref page="partitions-file-systems-carving/" %}
 
+Depending on the used OSs and even platform different interesting artifacts should be searched:
+
+{% page-ref page="windows-forensics/" %}
+
+{% page-ref page="linux-forensics.md" %}
+
+{% page-ref page="docker-forensics.md" %}
+
+## Deep inspection of specific file-types and Software
+
+If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.  
+Read the following page to learn some interesting tricks:
+
+{% page-ref page="specific-software-file-type-tricks/" %}
+
+I want to do a special mention to the page:
+
+{% page-ref page="specific-software-file-type-tricks/browser-artifacts.md" %}
+
 
 
 

forensics/basic-forensics-esp/memory-dump-analysis/README.md

@@ -1,6 +1,6 @@
 # Memory dump analysis
 
-Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](malware-analysis.md).
+Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../../malware-analysis.md).
 
 ## [Volatility](volatility-examples.md)
 
@@ -11,17 +11,17 @@ From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.
 
 When the dump is small \(just some KB, maybe a few MB\) the it's probably a mini dump crash report and not a memory dump.
 
-![](../.gitbook/assets/image%20%28305%29.png)
+![](../../../.gitbook/assets/image%20%28305%29.png)
 
 If you hat Visual Studio installed, you can open this file and bind some basic information like process name, architecture, exception info and modules being executed:
 
-![](../.gitbook/assets/image%20%28164%29.png)
+![](../../../.gitbook/assets/image%20%28164%29.png)
 
 You can also load the exception and see the decompiled instructions
 
-![](../.gitbook/assets/image%20%282%29.png)
+![](../../../.gitbook/assets/image%20%282%29.png)
 
-![](../.gitbook/assets/image%20%28149%29.png)
+![](../../../.gitbook/assets/image%20%28149%29.png)
 
 Anyway Visual Studio isn't the best tool to perform a analysis in depth of the dump.
 

forensics/basic-forensics-esp/memory-dump-analysis/volatility-examples.md

@@ -130,7 +130,7 @@ The plugin `banners.Banners` can be used in **vol3 to try to find linux banners*
 
 ## Hashes/Passwords
 
-Extract SAM hashes, [domain cached credentials](../windows/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../windows/authentication-credentials-uac-and-efs.md#lsa-secrets).
+Extract SAM hashes, [domain cached credentials](../../../windows/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows/authentication-credentials-uac-and-efs.md#lsa-secrets).
 
 {% tabs %}
 {% tab title="vol3" %}

forensics/basic-forensics-esp/specific-software-file-type-tricks/README.md

@@ -1,2 +1,24 @@
 # Specific Software/File-Type Tricks
 
+Here you can find interesting tricks for specific file-types and/or software:
+
+{% page-ref page=".pyc.md" %}
+
+{% page-ref page="browser-artifacts.md" %}
+
+{% page-ref page="desofuscation-vbs-cscript.exe.md" %}
+
+{% page-ref page="local-cloud-storage.md" %}
+
+{% page-ref page="office-file-analysis.md" %}
+
+{% page-ref page="pdf-file-analysis.md" %}
+
+{% page-ref page="png-tricks.md" %}
+
+{% page-ref page="video-and-audio-file-analysis.md" %}
+
+{% page-ref page="zips-tricks.md" %}
+
+
+

forensics/basic-forensics-esp/specific-software-file-type-tricks/local-cloud-storage.md

@@ -1,4 +1,4 @@
-# Cloud Storage
+# Local Cloud Storage
 
 ## OneDrive