Friday, March 27, 2020

Office 365 Forensics (1)

(Just for my reference)
When an attacker gets admin access to the Office 365 portal, the first thing he is likely to do is delegate a user so that he gets full access to that user's mailbox, contacts, calendar, etc.

To get full access to another user's account, log in to https://outlook.office365.com/ecp/ and
select "recipients" -> "Mailboxes".


Double-click the user whose mailbox is to be accessed; in the "Edit User Mailbox" window, under "Full Access", add the compromised email account.



Then the attacker can open the user's mailbox in Outlook through File -> Open -> Other User's Folder.




To see whether someone has accessed your mailbox, log in to https://outlook.office365.com/ecp/ and select "compliance management" -> "auditing" -> "Run a non-owner mailbox access report".



In the pop-up window, select the start date and end date; in the "Search for access by" drop-down list, select "All non-owners", then click "Search".




Tuesday, March 17, 2020

Forensics: Android APKs on the phone

(Just for my reference)
Purpose: Check .apk files in the phone using VirusTotal.

Tools:
1.     VirusTotal website: https://virustotal.com
2.     MOBILedit Forensic Express 7

Steps:
1.     Use MOBILedit to create a full report

2.     Open a command-line window, go to the report folder, and run:
       sigcheck64 -h -a -c -w ..\apks.csv -u -s .\*.apk


3.     Run the following to look up the collected hashes on VirusTotal and write the results to samsung.csv:
       sigcheck64 -c -w .\samsung.csv -vrs -vt -o .\apks.csv


4.     Open the csv file and analyze the output.