GitBook: [master] 7 pages and 6 assets modified

This commit is contained in:
CPol 2021-05-28 17:07:52 +00:00 committed by gitbook-bot
parent e3d70ee2c9
commit 4fa8e4d66f
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
12 changed files with 40 additions and 15 deletions

Binary file not shown. Before: Size 47 KiB | After: Size 69 KiB

Binary file not shown. Before: Size 17 KiB | After: Size 47 KiB

Binary file not shown. Before: Size 34 KiB | After: Size 17 KiB

Binary file not shown. Before: Size 18 KiB | After: Size 34 KiB

Binary file not shown. Before: Size 12 KiB | After: Size 18 KiB

Binary file not shown. After: Size 12 KiB (new file)

View file

@ -425,13 +425,13 @@
* [Volatility - CheatSheet](forensics/volatility-examples.md)
* [Basic Forensics \(ESP\)](forensics/basic-forensics-esp/README.md)
* [Partitions/File Systems/Carving](forensics/basic-forensics-esp/partitions-file-systems-carving/README.md)
* [File/Data Carving](forensics/basic-forensics-esp/partitions-file-systems-carving/file-extraction.md)
* [NTFS](forensics/basic-forensics-esp/partitions-file-systems-carving/ntfs.md)
* [Windows Forensics](forensics/basic-forensics-esp/windows-forensics/README.md)
* [Interesting Windows Registry Keys](forensics/basic-forensics-esp/windows-forensics/interesting-windows-registry-keys.md)
* [Anti-Forensic Techniques](forensics/basic-forensics-esp/anti-forensic-techniques.md)
* [Cloud Storage](forensics/basic-forensics-esp/cloud-storage.md)
* [Image Adquisition & Mount](forensics/basic-forensics-esp/image-adquisition-and-mount.md)
* [File Extraction](forensics/basic-forensics-esp/file-extraction.md)
* [Docker Forensics](forensics/basic-forensics-esp/docker-forensics.md)
* [Browser Artifacts](forensics/basic-forensics-esp/browser-artifacts.md)
* [Linux Forensics](forensics/basic-forensics-esp/linux-forensics.md)
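Review bot: the SUMMARY entry for the carving page changes both its path (`forensics/basic-forensics-esp/file-extraction.md` to `forensics/basic-forensics-esp/partitions-file-systems-carving/file-extraction.md`) and its title ("File Extraction" to "File/Data Carving"), so every in-book link to the old path has to move in the same commit; the Windows Forensics page is adjusted later in this diff, but GitBook renders a dead relative link without any build error, so any other page still pointing at `../file-extraction.md` will break silently. Suggest grepping the repository for `file-extraction.md` before merging.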

View file

@ -1,6 +1,24 @@
# Basic Forensics \(ESP\)
*
In this section of the book we are going to learn about some **useful forensics tricks**.
We are going to talk about partitions, file-systems, carving, memory, logs, backups, OSs, and much more.
So if you are doing a professional forensic analysis to some data or just playing a CTF you can find here useful interesting tricks.
## Inspecting an Image
if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** \(even deleted ones\). Learn how in:
{% page-ref page="partitions-file-systems-carving/" %}
**Linux/Unix**
En linux cualquier cosa es un archivo. Por ejemplo la RAM es un archivo llamado **/dev/mem**
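Review bot: the new English intro has grammar issues worth fixing while the file is open: "if you are given" should start with a capital letter, "a professional forensic analysis to some data" should be "of some data", and "you can find here useful interesting tricks" reads better as "you can find useful tricks here". Also, the Spanish line ("En linux cualquier cosa es un archivo...") is being replaced by English content while the page title and SUMMARY link still carry the "(ESP)" suffix; either keep the suffix consistent with the content or drop it, otherwise readers expecting Spanish are misled.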

View file

@ -158,7 +158,7 @@ Also, the OS usually saves a lot of information about file system changes and ba
Note that this technique **doesn't work to retrieve fragmented files**. If a file **isn't stored in contiguous sectors**, then this technique won't be able to find it or at least part of it.
There are several tools that you can use for file Carving indicating them the file-types you want search for like:
There are several tools that you can use for file Carving indicating them the file-types you want search for
* \*\*\*\*[**PhotoRec**](https://www.cgsecurity.org/wiki/TestDisk_Download)\*\*\*\*
* \*\*\*\*[**Binwalk**](https://github.com/ReFirmLabs/binwalk)\*\*\*\*
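Review bot: dropping "like:" does not fix the grammar of the changed sentence; "indicating them the file-types you want search for" should read "telling them which file types to search for", and since a bullet list follows it, the sentence should still end with a colon. The two list items wrap each link in literal `\*\*\*\*`, which renders as stray asterisks rather than bold text; `* [**PhotoRec**](https://www.cgsecurity.org/wiki/TestDisk_Download)` is enough.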

View file

@ -1,9 +1,6 @@
# File Extraction
# File/Data Carving
In some occasions \(a forensics or stego case\) you will have a file \(disk image, memory dump, zip file, image...\) that **will have more files embedded on it** \(especial efforts may have made to hide them\). In these cases, there are a bunch of tools you can try to extract all of the embedded files.
**Remember that it's possible that each tools will uncover different files.**
## Extraction tools
## Carving tools
### Autopsy
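Review bot: the intro paragraph under the renamed "File/Data Carving" title carries several errors that should be corrected while the heading is being changed: "In some occasions" → "On some occasions", "embedded on it" → "embedded in it", "especial efforts may have made" → "special efforts may have been made", and "each tools will uncover" → "each tool may uncover". Renaming "Extraction tools" to "Carving tools" also changes the heading's anchor from `#extraction-tools` to `#carving-tools`, so any link to the old anchor needs updating.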
@ -51,7 +48,17 @@ This tool can scan an image and will **extract pcaps** inside it, **network info
bulk_extractor memory.img -o out_folder
```
Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../pcaps-analysis/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\).
Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../../pcaps-analysis/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\).
### PhotoRec
You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk_Download)
It comes with GUI and CLI version. You can select the **file-types** you want PhotoRec to search for.
![](../../../.gitbook/assets/image%20%28524%29.png)
## Specific Data Carving Tools
### FindAES
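Review bot: the `../pcaps-analysis/` → `../../pcaps-analysis/` fix is the correct depth for the page's new location, and the new PhotoRec section is fine, but adding `image (524).png` under GitBook's sequential `image (N).png` naming is what forces the renumbering of assets 525 to 529 across the NTFS and Windows Forensics pages and the rewrite of six binary files elsewhere in this commit. Descriptive asset names (for example `photorec-filetypes.png`) would turn future screenshot additions into one-line changes and make a wrong image reference visible at review time. Minor: "It comes with GUI and CLI version" → "It comes in GUI and CLI versions".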

View file

@ -179,7 +179,7 @@ Every **directory** in the file system contains an **`$I30`** **attribute** that
You can get the `$I30` file of a directory from the **FTK Imager** and inspect it with the tool [Indx2Csv](https://github.com/jschicht/Indx2Csv).
![](../../../.gitbook/assets/image%20%28526%29.png)
![](../../../.gitbook/assets/image%20%28527%29.png)
With this data you can find **information about the file changes performed inside the folder** but note that the deletion time of a file isn't saved inside this logs. However, you can see that **last modified date** of the **`$I30` file**, and if the **last action performed** over the directory is the **deletion** of a file, the times may be the same.
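Review bot: this hunk only renumbers the `$I30` screenshot (526 → 527) as a consequence of the new asset inserted in the carving page; after the build, confirm the renumbered image still shows the Indx2Csv output the text describes, because an off-by-one in this scheme swaps screenshots without any error. While here: "inside this logs" → "inside these logs" and "you can see that last modified date" → "you can see the last modified date".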
@ -187,7 +187,7 @@ With this data you can find **information about the file changes performed insid
The **`$BitMap`** is a special file within the NTFS file system. This file keeps **track of all of the used and unused clusters** on an NTFS volume. When a file takes up space on the NTFS volume the location is uses is marked out in the `$BitMap`.
![](../../../.gitbook/assets/image%20%28525%29.png)
![](../../../.gitbook/assets/image%20%28526%29.png)
### ADS \(Alternate Data Stream\)
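Review bot: renumbering 525 → 526 for the `$BitMap` screenshot, with the same verification caveat as the previous hunk. The preceding sentence has a typo: "the location is uses is marked out" should be "the location it uses is marked".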
@ -196,11 +196,11 @@ In this [page you can see different ways to create/access/discover alternate dat
Using the tool [**AlternateStreamView**](https://www.nirsoft.net/utils/alternate_data_streams.html) you can search and export all the files with some ADS.
![](../../../.gitbook/assets/image%20%28527%29.png)
![](../../../.gitbook/assets/image%20%28528%29.png)
Using the FTK imager and double clicking in a file with ADS you can **access the ADS data**:
![](../../../.gitbook/assets/image%20%28528%29.png)
![](../../../.gitbook/assets/image%20%28529%29.png)
If you find an ADS called **`Zone.Identifier`** \(see previous image\) this usually contains **information about how was the file downloaded**. There would be a "ZoneId" field with the following info:
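Review bot: two renumberings here (527 → 528 and 528 → 529); the second is the FTK Imager screenshot that the following sentence relies on with "see previous image" for the `Zone.Identifier` stream, so a wrong offset would break that reference in particular, and it deserves a visual check after the build. Grammar: "double clicking in a file" → "double-clicking on a file", and "information about how was the file downloaded" → "information about how the file was downloaded".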

View file

@ -228,7 +228,7 @@ These backups are usually located in the `\System Volume Information` from the r
Mounting the forensics image with the **ArsenalImageMounter**, the tool [**ShadowCopyView**](https://www.nirsoft.net/utils/shadow_copy_view.html) can be used to inspect a shadow copy and even **extract the files** from the shadow copy backups.
![](../../../.gitbook/assets/image%20%28524%29.png)
![](../../../.gitbook/assets/image%20%28525%29.png)
The registry entry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore` contains the files and keys **to not backup**:
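Review bot: renumbering 524 → 525 for the ShadowCopyView screenshot, again a side effect of the new asset in the carving page; confirm the image still matches the text. The sentence after it, "contains the files and keys to not backup", reads better as "lists the files and keys that are not to be backed up".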
@ -400,7 +400,7 @@ The Status and sub status information of the event s can indicate more details a
### Recovering Windows Events
It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is [**Bulk\_extractor**](../file-extraction.md#bulk-extractor) indicating the **evtx** extension.
It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is [**Bulk\_extractor**](../partitions-file-systems-carving/file-extraction.md#bulk-extractor) indicating the **evtx** extension.
## Identifying Common Attacks with Windows Events
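Review bot: the link target is updated for the moved page, but the `#bulk-extractor` fragment only resolves if the moved page still has a heading that GitBook slugs to `bulk-extractor`; this same commit renames headings in that page ("Extraction tools" → "Carving tools"), so confirm the Bulk Extractor heading itself is unchanged. Wording: "maximize the probabilities of recovering" → "maximize the probability of recovering", and "the suspicious PC" → "the suspect PC".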