GitBook: [master] 46 pages modified

SUMMARY.md

@@ -421,29 +421,28 @@
   * [USB Keyboard pcap analysis](forensics/pcaps-analysis/usb-keyboard-pcap-analysis.md)
   * [DNSCat pcap analysis](forensics/pcaps-analysis/dnscat-exfiltration.md)
   * [Wireshark tricks](forensics/pcaps-analysis/wireshark-tricks.md)
-* [Basic Forensics \(ESP\)](forensics/basic-forensics-esp/README.md)
-  * [Memory dump analysis](forensics/basic-forensics-esp/memory-dump-analysis/README.md)
-    * [Volatility - CheatSheet](forensics/basic-forensics-esp/memory-dump-analysis/volatility-examples.md)
-  * [Specific Software/File-Type Tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/README.md)
-    * [.pyc](forensics/basic-forensics-esp/specific-software-file-type-tricks/.pyc.md)
-    * [Browser Artifacts](forensics/basic-forensics-esp/specific-software-file-type-tricks/browser-artifacts.md)
-    * [Desofuscation vbs \(cscript.exe\)](forensics/basic-forensics-esp/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
-    * [Local Cloud Storage](forensics/basic-forensics-esp/specific-software-file-type-tricks/local-cloud-storage.md)
-    * [Office file analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/office-file-analysis.md)
-    * [PDF File analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/pdf-file-analysis.md)
-    * [PNG tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/png-tricks.md)
-    * [Video and Audio file analysis](forensics/basic-forensics-esp/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
-    * [ZIPs tricks](forensics/basic-forensics-esp/specific-software-file-type-tricks/zips-tricks.md)
-  * [Partitions/File Systems/Carving](forensics/basic-forensics-esp/partitions-file-systems-carving/README.md)
-    * [File/Data Carving Tools](forensics/basic-forensics-esp/partitions-file-systems-carving/file-data-carving-tools.md)
-    * [NTFS](forensics/basic-forensics-esp/partitions-file-systems-carving/ntfs.md)
-  * [Windows Artifacts](forensics/basic-forensics-esp/windows-forensics/README.md)
-    * [Interesting Windows Registry Keys](forensics/basic-forensics-esp/windows-forensics/interesting-windows-registry-keys.md)
-  * [Anti-Forensic Techniques](forensics/basic-forensics-esp/anti-forensic-techniques.md)
-  * [USB logs analysis](forensics/basic-forensics-esp/usb-logs-analysis.md)
-  * [Image Adquisition & Mount](forensics/basic-forensics-esp/image-adquisition-and-mount.md)
-  * [Docker Forensics](forensics/basic-forensics-esp/docker-forensics.md)
-  * [Linux Forensics](forensics/basic-forensics-esp/linux-forensics.md)
+* [Basic Forensic Methodology](forensics/basic-forensic-methodology/README.md)
+  * [Memory dump analysis](forensics/basic-forensic-methodology/memory-dump-analysis/README.md)
+    * [Volatility - CheatSheet](forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md)
+  * [Specific Software/File-Type Tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md)
+    * [.pyc](forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
+    * [Browser Artifacts](forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
+    * [Desofuscation vbs \(cscript.exe\)](forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
+    * [Local Cloud Storage](forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)
+    * [Office file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
+    * [PDF File analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)
+    * [PNG tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md)
+    * [Video and Audio file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
+    * [ZIPs tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md)
+  * [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md)
+    * [File/Data Carving Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md)
+    * [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
+  * [Windows Artifacts](forensics/basic-forensic-methodology/windows-forensics/README.md)
+    * [Interesting Windows Registry Keys](forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md)
+  * [Anti-Forensic Techniques](forensics/basic-forensic-methodology/anti-forensic-techniques.md)
+  * [Image Adquisition & Mount](forensics/basic-forensic-methodology/image-adquisition-and-mount.md)
+  * [Docker Forensics](forensics/basic-forensic-methodology/docker-forensics.md)
+  * [Linux Forensics](forensics/basic-forensic-methodology/linux-forensics.md)
 
 ## Physical attacks
 

forensics/basic-forensic-methodology/README.md

@@ -1,4 +1,4 @@
-# Basic Forensics \(ESP\)
+# Basic Forensic Methodology
 
 In this section of the book we are going to learn about some **useful forensics tricks**.  
 We are going to talk about partitions, file-systems, carving, memory, logs, backups, OSs, and much more.
@@ -30,6 +30,10 @@ I want to do a special mention to the page:
 
 {% page-ref page="specific-software-file-type-tricks/browser-artifacts.md" %}
 
+## Memory Dump Inspection
+
+{% page-ref page="memory-dump-analysis/" %}
+
 
 
 

forensics/basic-forensic-methodology/linux-forensics.md

@@ -298,6 +298,31 @@ Note that you can also **take a look to this information reading the logs**.
 * **MySQL**: User accounts may have a _**∼/.mysql\_history**_ file that contains queries executed using MySQL.
 * **Less**: User accounts may have a _**∼/.lesshst**_ file that contains details about the use of less, including search string history and shell commands executed via less
 
+### USB Logs
+
+ [**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files \(`/var/log/syslog*` or `/var/log/messages*` depending on the distro\) for constructing USB event history tables.
+
+It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USB to find "violation events" \(the use of USBs that aren't inside that list\).
+
+### Installation
+
+```text
+pip3 install usbrip
+usbrip ids download #Downloal USB ID database
+```
+
+### Examples
+
+```text
+usbrip events history #Get USB history of your curent linux machine
+usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR user
+#Search for vid and/or pid
+usbrip ids download #Downlaod database
+usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
+```
+
+More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
+
 ## Review User Accounts and Logon Activities
 
 Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and/or used in close proximity to known unauthorized events. Also check possible sudo brute-force attacks.  

forensics/basic-forensics-esp/usb-logs-analysis.md

@@ -1,27 +0,0 @@
-# USB logs analysis
-
-## USBrip
-
- **usbrip** is a small piece of software written in pure Python 3 which parses Linux log files \(`/var/log/syslog*` or `/var/log/messages*` depending on the distro\) for constructing USB event history tables.
-
-It is interesting to know all the USBs that have been used and it will be more usefull if you have an authorized list of USB to find "violation events" \(the use of USBs that aren't inside that list\).
-
-### Installation
-
-```text
-pip3 install usbrip
-usbrip ids download #Downloal USB ID database
-```
-
-### Examples
-
-```text
-usbrip events history #Get USB history of your curent linux machine
-usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR user
-#Search for vid and/or pid
-usbrip ids download #Downlaod database
-usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
-```
-
-More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
-