Disconnect your VM from the network.
Locate your Logs folder.
All the tools can be downloaded from Eric Zimmerman's Tools website.
Parse the .evtx logs.
Locate your SRUDB.dat.
Parse it.
Locate your Prefetch.
Parse the Prefetch.
Read the alternate data stream (ADS) attached to the malware zip file.
And finally parse the MFT. Now, have fun understanding how you have been pwned ;) You can find a write-up here: https://github.com/wocsa/WOCSA_Ethical_Hacking_Workshop/blob/main/Forensic/Windows/Infostealer/writeup/writeup.md
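The steps above, run end to end as one PowerShell script. This is an added example, not part of the workshop page or its write-up: the tool names and flags (EvtxECmd, SrumECmd, PECmd, MFTECmd and their -d / -f / -r / --csv options) are the real Eric Zimmerman command-line tools, but the tool folder, evidence paths, sample path and output folder are assumptions you adjust to your VM, and the $MFT is assumed to have already been copied out of the volume with a raw-access collector (MFTECmd cannot open the live, locked $MFT).

```powershell
# Added example (not from the workshop): drive the Zimmerman tools over the
# artifacts the checklist names and leave one CSV folder per artifact type.
# All paths below are assumptions; the tool flags are the tools' real ones.
param(
    [string]$ToolDir  = 'C:\Tools\ZimmermanTools',                 # assumed: where the tools were unpacked
    [string]$Logs     = 'C:\Windows\System32\winevt\Logs',         # .evtx files
    [string]$Srum     = 'C:\Windows\System32\sru\SRUDB.dat',
    [string]$Software = 'C:\Windows\System32\config\SOFTWARE',     # SrumECmd uses it to resolve app names
    [string]$Prefetch = 'C:\Windows\Prefetch',
    [string]$Sample   = 'C:\Users\victim\Downloads\malware.zip',   # assumed: the dropped archive
    [string]$Mft      = 'C:\evidence\$MFT',                        # assumed: $MFT copied out beforehand
    [string]$Out      = 'C:\evidence\out'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Windows event logs: every .evtx in the folder -> normalized CSV
& "$ToolDir\EvtxECmd\EvtxECmd.exe" -d $Logs --csv "$Out\evtx"

# 2. SRUM database: per-process network and resource usage; the SOFTWARE
#    hive (-r) lets SrumECmd map app IDs back to executable names
& "$ToolDir\SrumECmd.exe" -f $Srum -r $Software --csv "$Out\srum"

# 3. Prefetch: which executables ran, when, how often, and which files they touched
& "$ToolDir\PECmd.exe" -d $Prefetch --csv "$Out\prefetch"

# 4. Alternate data streams on the sample. Zone.Identifier (Mark-of-the-Web)
#    records that the file came from the internet and, on recent Windows,
#    the download URL and referrer. The default ':$DATA' stream is skipped.
Get-Item -Path $Sample -Stream * |
    Where-Object Stream -ne ':$DATA' |
    ForEach-Object {
        "--- stream $($_.Stream) ($($_.Length) bytes)"
        Get-Content -Path $Sample -Stream $_.Stream
    } | Tee-Object -FilePath "$Out\ads.txt"

# 5. MFT: full file-system record, including entries for deleted files
& "$ToolDir\MFTECmd.exe" -f $Mft --csv "$Out\mft"

# Quick triage: the ten most recently executed programs according to Prefetch.
# Column names (ExecutableName, LastRun, RunCount) are those PECmd writes.
$pf = Get-ChildItem "$Out\prefetch\*_PECmd_Output.csv" | Select-Object -First 1
Import-Csv $pf.FullName |
    Sort-Object { [datetime]$_.LastRun } -Descending |
    Select-Object -First 10 ExecutableName, LastRun, RunCount |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell on the disconnected VM after the tools are unpacked; the evtx, srum, prefetch and mft folders under the output directory then hold the CSVs you read through in the write-up, and ads.txt holds the streams found on the sample.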