Forensics and Prevention in the New Reality by Paula J – Q&A Session

Find the answers to the most interesting questions from our last webinar “Forensics & Prevention in the New Reality”.

The advantage great forensic investigators have is a deep understanding of how technology really works. It helps them stay up to date in the fast-paced cybersecurity world. There are things you can discover on your own, and there are things you can ask us; we are happy to answer them.

We were positively amazed by the number of questions that popped up in the chat during our last webinar “Forensics & Prevention in the New Reality”. We gathered the most interesting ones and share the answers below in Q&A form.

Missed the “Forensics & Prevention in the New Reality” webinar? You can still watch the replay here.

What software do you recommend for collecting information and for forensic investigation?

Please note that there is no perfect tool. It depends on what you are looking for. We usually use a set of open-source as well as commercial tools, according to what we need for the project we’re currently working on. GRR is something you might find interesting. Try also EnCase or some of the tools from FireEye. Remember that it is necessary to adjust the toolkit you are using to the problem you are facing.

What do you think about Volatility 3 (based on Python 3)?

We are still using Volatility 2, but we are keeping our fingers crossed for the next releases of Vol. 3. At the moment, switching from version 2 to 3 is quite challenging, as old habits die hard!

Is there any tool to fix corrupted checksums for ISO-type images?

Unfortunately, there is no way to repair a corrupted ISO.

Can I extract passwords from Chrome extension password managers like LastPass, Bitwarden, etc.?

No, as the CQURE and NirSoft tools extract passwords only from Chrome’s built-in password manager. That doesn’t mean such tools don’t exist for other password managers, although it depends on the type of manager and the way it protects passwords.

What kind of evidence (of the ones you presented) do cybercriminals / pentesters most often forget to clear?

They mostly forget to clear event logs that have already been forwarded to a centralized server; they also forget to clear Automatic Destinations and Prefetch.
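Because a forwarded copy survives a local wipe, the collector can alert on the clearing event itself. As an added example (not from the webinar or CQURE’s tooling), this Python snippet scans constructed forwarded EVTX-XML records for Event ID 1102 (Security log cleared) and 104 (other logs cleared), both written by the Microsoft-Windows-Eventlog provider; the sample events, host name and user name are constructed.

```python
"""Flag Windows log-clearing events among records forwarded to a collector.

Event ID 1102 (Security log cleared) and 104 (System/Application log
cleared) come from the Microsoft-Windows-Eventlog provider. Once such a
record has been forwarded, clearing the local log no longer hides it.
"""
import xml.etree.ElementTree as ET

CLEAR_EVENTS = {("Microsoft-Windows-Eventlog", 1102),
                ("Microsoft-Windows-Eventlog", 104)}

# Constructed sample: three forwarded events in EVTX XML rendering
# (one ordinary logon, then a Security and a System log clear).
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
 <TimeCreated SystemTime="2020-05-10T08:01:12Z"/><Computer>WS01.example.local</Computer></System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
 <TimeCreated SystemTime="2020-05-10T08:17:45Z"/><Computer>WS01.example.local</Computer></System>
 <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
  <SubjectUserName>jdoe</SubjectUserName></LogFileCleared></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID>
 <TimeCreated SystemTime="2020-05-10T08:18:02Z"/><Computer>WS01.example.local</Computer></System>
 <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
  <SubjectUserName>jdoe</SubjectUserName></LogFileCleared></UserData>
</Event>
</Events>"""


def find_log_clearing(xml_text):
    """Return one dict per log-clearing event: computer, time, event_id, user."""
    hits = []
    # {*} matches any namespace, so the event and manifest namespaces
    # need no hard-coding (Python 3.8+).
    for ev in ET.fromstring(xml_text).findall("{*}Event"):
        system = ev.find("{*}System")
        provider = system.find("{*}Provider").get("Name")
        event_id = int(system.find("{*}EventID").text)
        if (provider, event_id) not in CLEAR_EVENTS:
            continue
        user_el = ev.find(".//{*}SubjectUserName")
        hits.append({"computer": system.find("{*}Computer").text,
                     "time": system.find("{*}TimeCreated").get("SystemTime"),
                     "event_id": event_id,
                     "user": user_el.text if user_el is not None else None})
    return hits


if __name__ == "__main__":
    for hit in find_log_clearing(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['computer']} cleared log (ID {hit['event_id']}) as {hit['user']}")
```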

Is using hashcat the only way to break into KeePass?

Not really; it depends on how the .kdbx file is protected. If you use Windows authentication, you can use our tools to decrypt the master password stored in the DPAPI blob.

If KeePass is connected with our Windows credentials, can we unlock the KeePass list?

Yes, we can, but only if we have access to the domain’s DPAPI backup key.

How do you get a user’s Windows password from a disk dump (no RAM dump)?

You need access to the SYSTEM and SAM files from C:\Windows\System32\config. Of course, this will give you only the NT hash of the password, and only for local users.

Do you prefer Windows or Linux for cyber forensics?

We usually use a combination of Windows and Linux tools. We like to test and try new solutions!

What do you think about rainbow tables?

Rainbow tables are very useful for password cracking during pentests.

Can a normal Windows OS user, after taking your 30-Day Course, do forensics in Windows like a professional?

I would like to kindly inform you that the 30-Day Course does not focus on forensics but on Windows cybersecurity, so unfortunately no.

How can I detect the ZombieLoad vulnerability in Intel CPUs? Can you recommend any tools?

In general, CPU attacks are based on various cache or timing vulnerabilities that sit far below the level at which a traditional operating system runs (that’s why they typically affect any OS). Such attacks are not based on a single vulnerability that could easily be fixed or detected; often a microcode update, or even an entirely new generation of CPU architecture, is needed to mitigate the issue, at the cost of lowered performance and so on.

Technically it is possible to detect such attacks using some machine-learning AV software, but we haven’t seen any working solution. The available tools let you identify whether ZombieLoad (or related) vulnerabilities affect your CPU and provide URLs to the necessary mitigations. You cannot reliably detect attacks, though. Also check out the project page and the FAQ at the bottom of it, https://zombieloadattack.com/, and also https://cpu.fail/.
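On Linux the kernel already publishes its own verdict on this class of issue under /sys/devices/system/cpu/vulnerabilities/, which is the same exposure check (not attack detection) the answer describes. As an added example (not one of the tools mentioned above), this Python script reads the mds and tsx_async_abort entries and classifies the status strings the kernel uses; the directory argument and the status strings in the test are constructed for illustration.

```python
"""Report the kernel's verdict on MDS (ZombieLoad family) for this CPU.

Linux exposes one status file per issue under SYSFS_DIR; the string is
"Not affected", "Vulnerable...", or "Mitigation: ...". This tells you
whether ZombieLoad-class attacks apply to the running machine, not
whether one is taking place.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# MDS covers ZombieLoad/RIDL/Fallout; TSX Asynchronous Abort is the
# TSX variant mitigated by the same CPU-buffer clearing.
MDS_FAMILY = ("mds", "tsx_async_abort")


def classify(status):
    """Map a sysfs status string to a coarse verdict."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        # Buffers are cleared, but with SMT on a sibling thread can still
        # leak; the kernel appends "SMT vulnerable" in that case.
        return "mitigated_smt_vulnerable" if "SMT vulnerable" in s else "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(sysfs_dir=SYSFS_DIR):
    """Return {entry: (raw_string, verdict)} for each MDS-family entry."""
    result = {}
    for name in MDS_FAMILY:
        try:
            with open(os.path.join(sysfs_dir, name)) as fh:
                raw = fh.read().strip()
        except OSError:
            # Pre-5.x kernel, non-Linux host, or entry not present.
            raw = ""
        result[name] = (raw, classify(raw) if raw else "unknown")
    return result


if __name__ == "__main__":
    for name, (raw, verdict) in read_status().items():
        print(f"{name:16} {verdict:26} {raw or '(no sysfs entry)'}")
```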

Paula, how did you get access to the Windows source code? (lots of the TRUST I believe ;-))

It was possible thanks to my MVP status (assigned to outstanding IT professionals who make an intellectual contribution to the development of technical communities) and participation in security programs. I received it around the release of Windows XP, which is about 11 or 12 years ago. Perhaps this gives my company an advantage, because we can always test our hypotheses, while other experts have a harder time. This is a cool thing!

Can you link where your statistics are quoted from?

You can find them under this link: https://lifars.com/2020/05/dns-spoofing-on-the-rise-during-the-outbreak-of-covid-19/

Be prepared for the challenges of tomorrow!

Hungry for more knowledge regarding forensics? Take the intensive 1-day Forensics and Prevention Mastery Course.
