INCIBE-CERT


Windows forensic keys: essential artifacts for digital investigation

Updated on 20/03/2025, by INCIBE (INCIBE)
In the digital forensic analysis of Windows systems, artefacts such as event logs, Prefetch files, LNK (shortcut) files and the Windows Registry are essential for investigating cyber incidents. They store detailed information about system and user activity, which makes it possible to identify malicious actions, track an attacker's movements and reconstruct a timeline of critical events. With them, attack techniques such as command execution, persistence and evasion of system defences can be detected. Knowing how to collect and analyse these artefacts correctly makes the investigation accurate and efficient and preserves the integrity of the evidence collected; contextualising their relevance therefore helps cybersecurity professionals strengthen their detection and response capabilities and improves the effectiveness of digital forensic investigations.

Exploring the Nmap scripting module

Posted on 20/02/2025, by INCIBE (INCIBE)
Nmap (Network Mapper) is a widely recognised tool in computer security and network administration. Its popularity comes from its ability to map networks and detect the services running on connected devices. Since its creation in 1997 by Gordon Lyon, Nmap has been one of the most trusted tools for performing security assessments and identifying open ports and the services available on remote hosts. Over the years the tool has evolved and adapted to the growing demands of the cybersecurity field, and its scripting engine (NSE) is the subject of this article.

ASLR: the essential protection against memory exploitation

Updated on 16/01/2025, by INCIBE (INCIBE)
Memory corruption vulnerabilities are critical flaws that occur when software manipulates memory incorrectly. They can allow a program to write data to unintended memory locations or to read memory outside the bounds of the object it was meant to access. An attacker who controls that data can provoke unexpected behaviour, from crashing the program to, in the worst case, taking full control of the affected system. Part of the problem is historical: early computer systems were not designed with security in mind, so the memory addresses used by programs and operating systems were static and predictable. Every time a program ran, its memory regions (stack, heap and shared libraries) were loaded at the same addresses. This predictability made memory vulnerabilities such as buffer overflows and return-to-libc attacks easier to exploit, because an attacker could know in advance exactly where the data or code they wanted to manipulate would be located. This article looks at how ASLR (Address Space Layout Randomization) helps to counter these vulnerabilities.
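The paragraph above describes the property ASLR removes: fixed, predictable addresses for the stack, heap and shared libraries. The following C program is an added example, not code from the INCIBE article, that shows the two checks a practitioner makes on a Linux host to know whether that protection actually applies to a given binary: whether the kernel randomises address spaces at all (the `randomize_va_space` sysctl) and whether the executable itself is position independent (an ELF of type `ET_DYN`, i.e. a PIE; a non-PIE `ET_EXEC` binary keeps its code and data at fixed addresses even when the kernel randomises the stack and libraries). It also prints the live addresses of a stack variable, a heap allocation, a libc function and its own code, so running it twice shows which regions move. The ELF header bytes used in the demonstration are constructed here for illustration; the Linux-specific paths and the ELF layout are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ELF header constants (from the ELF specification). */
#define EI_NIDENT 16
#define EI_DATA    5   /* byte 5 of e_ident: 1 = little endian, 2 = big endian */
#define ET_EXEC    2   /* fixed-address executable: no code/data randomisation */
#define ET_DYN     3   /* position independent (PIE or shared object)          */

/* Inspects the first bytes of an ELF image.
 * Returns 1 if the image is position independent (ET_DYN),
 *         0 if it is a fixed-address executable (ET_EXEC),
 *        -1 if the buffer is not a recognisable ELF header. */
int elf_is_position_independent(const unsigned char *buf, size_t len)
{
    static const unsigned char magic[4] = { 0x7f, 'E', 'L', 'F' };
    if (len < EI_NIDENT + 2 || memcmp(buf, magic, 4) != 0)
        return -1;
    unsigned endian = buf[EI_DATA];
    if (endian != 1 && endian != 2)
        return -1;
    /* e_type is the 16-bit field right after e_ident, in the file's byte order. */
    uint16_t e_type = (endian == 1)
        ? (uint16_t)(buf[EI_NIDENT] | (buf[EI_NIDENT + 1] << 8))
        : (uint16_t)((buf[EI_NIDENT] << 8) | buf[EI_NIDENT + 1]);
    if (e_type == ET_DYN)  return 1;
    if (e_type == ET_EXEC) return 0;
    return -1;
}

/* Same check applied to a file on disk (only the header is read). */
int file_is_position_independent(const char *path)
{
    unsigned char hdr[64];
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_is_position_independent(hdr, n);
}

/* Reads the Linux sysctl: 0 = ASLR off, 1 = stack/mmap/vdso randomised,
 * 2 = heap (brk) randomised as well. Returns -1 if the file is unreadable
 * (non-Linux system or restricted /proc). Assumption: Linux host. */
int linux_aslr_level(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f)
        return -1;
    int level = -1;
    if (fscanf(f, "%d", &level) != 1)
        level = -1;
    fclose(f);
    return level;
}

int main(int argc, char **argv)
{
    /* Constructed sample: the first 20 bytes of a little-endian x86-64 PIE. */
    const unsigned char sample_pie[20] = {
        0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        ET_DYN, 0, 0x3e, 0
    };
    printf("constructed sample header: PIE = %d\n",
           elf_is_position_independent(sample_pie, sizeof sample_pie));

    /* Live addresses: run the program twice. With ASLR on, stack, heap and
       libc move every run; the text address moves only if this binary is a PIE. */
    int stack_var = 0;
    void *heap = malloc(16);
    printf("stack  %p\nheap   %p\nlibc   %p\ntext   %p\n",
           (void *)&stack_var, heap, (void *)printf, (void *)main);
    free(heap);

    printf("kernel randomize_va_space = %d\n", linux_aslr_level());
    if (argc > 1)
        printf("%s: PIE = %d\n", argv[1], file_is_position_independent(argv[1]));
    return 0;
}
```

Compile with `gcc -O0 -o aslr_check aslr_check.c` and run `./aslr_check ./aslr_check`; then rebuild with `-no-pie` and compare: the text address stops changing between runs while the stack, heap and libc addresses keep moving, which is exactly the residual predictability a return-to-libc or ROP chain against the binary's own code would rely on.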
