AbdulRhman Alfaifi

11 Posts
Exploring Windows Artifacts : $Security Artifact

TLDR; $SDS is an artifact of NTFS file systems. It contains the security descriptors for all files and folders on the drive, which means it holds information about each file's owner and permissions. I also wrote a Rust 🦀 parser for this artifact that you can download from my GitHub.

Impacket Remote Execution Tools: smbexec.py

Analysing the digital forensics artifacts for the Impacket tool smbexec.py

Exploring Windows Artifacts : LNK Files

I decided to start a new blog post series that will focus on Windows forensic artifacts. In these posts, I will try to go through all Windows artifacts (at least until I get bored 😁), understand their structure, and write a Rust parser for them.

Certutil Artifacts Analysis

certutil is a built-in tool on Windows systems that is used to manage certificates. However, certutil can also be used to download files from the internet. In this blog post we will take a look at the artifacts generated by certutil when it downloads a file.

Impacket Remote Execution Tools: atexec.py

Analysing the digital forensics artifacts for the Impacket tool atexec.py

Fennec

fennec is an artifact collection tool written in Rust, intended for use during incident response on *nix-based systems.

Rhaegal

Rhaegal is a tool for scanning Windows Event Logs for suspicious entries. Rhaegal uses a custom rule format to detect suspicious or malicious log entries.