Summary
In this chapter, we saw prominent examples of the special properties of Microsoft Windows and Linux (and Linux-like) systems. You are now able to extract information from the Windows event log, the Windows registry, Linux files, and the Linux filesystem. Using Python, all of this information can be automatically and semiautomatically analyzed for the Indicators of Compromise, reconstructing the recent system activity, and signs of exfiltration.
Furthermore, reading the filesystem capabilities shows us how to use ctype to load the native libraries to assist the filesystem analysis.
In the clustering of file information, we provided the first example on how to use the basic machine learning algorithms to support the forensic analysis.
Now that we took a look at the local systems, we will go to the next chapter and take a look at the network traffic and how to search for the Indicators of Compromise (IOC) there.