The Ghost in the Logs: DFIR Through a Palimpsest Lens

Source: Stories by Nasreddine Bencherchali on Medium

Author: Nasreddine Bencherchali

URL: https://nasbench.medium.com/the-ghost-in-the-logs-dfir-through-a-palimpsest-lens-b592ef733f4f

ONE SENTENCE SUMMARY:

Palimpsests in history and DFIR reveal how overwritten traces can be uncovered, aiding digital forensic investigations despite attack obfuscation.

MAIN POINTS:

  1. A palimpsest is a manuscript with overwritten traces beneath new text.
  2. The Archimedes Palimpsest was uncovered using advanced imaging techniques.
  3. In DFIR, attackers hide their traces by deleting logs and overwriting files.
  4. Deleted or cleared logs and files still leave artifacts in systems.
  5. Tampering with tools and services can still be detected by anomalies.
  6. Absence of evidence often indicates a disruption or manipulation.
  7. Sophisticated attackers avoid common telemetry triggers.
  8. Investigators often face challenges due to lack of traditional logs.
  9. A “palimpsestic” mindset helps reveal hidden forensic evidence.
  10. Registry, $MFT, and other system artifacts hold valuable investigative data.
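
The fourth and sixth points above (cleared logs still leave artifacts; absence of evidence signals disruption) translate into a concrete check an investigator can run: look for the shape of the hole rather than for the deleted content. The following is an added example, not code from the article or its author. It scans a constructed event-log sequence for two kinds of "ghost": jumps in record numbers and silent windows that are far longer than the log's normal cadence. The sample records, the five-minute cadence and the tolerance multiplier are all assumptions made for illustration.

```python
"""Gap detection over an event-log sequence (added example).

A log-clearing action usually removes a contiguous run of records, which
leaves two residues: a jump in record numbers and a window of silence in
a log that otherwise ticks at a steady cadence. Neither residue is the
deleted content itself; both are evidence that something was removed.
"""
from datetime import datetime, timedelta

# Constructed sample log: (record_id, ISO timestamp, event text).
# Not real telemetry; records 1005-1046 are deliberately absent.
SAMPLE_LOG = [
    (1001, "2024-03-01T08:00:00", "service heartbeat"),
    (1002, "2024-03-01T08:05:00", "service heartbeat"),
    (1003, "2024-03-01T08:10:00", "user logon"),
    (1004, "2024-03-01T08:15:00", "service heartbeat"),
    (1047, "2024-03-01T11:45:00", "service heartbeat"),
    (1048, "2024-03-01T11:50:00", "service heartbeat"),
]


def find_gaps(records, expected_interval=timedelta(minutes=5), tolerance=3.0):
    """Return findings for record-number jumps and timing silences.

    records:           iterable of (record_id, iso_timestamp, text), sorted by id.
    expected_interval: assumed normal cadence of the log; in practice this
                       baseline is measured from a known-good period.
    tolerance:         multiple of expected_interval above which a quiet
                       stretch is reported as a silence.
    """
    findings = []
    prev = None  # (record_id, datetime) of the previous record seen
    for rec_id, ts, _text in records:
        when = datetime.fromisoformat(ts)
        if prev is not None:
            prev_id, prev_when = prev
            # Residue 1: record numbers should be contiguous.
            if rec_id != prev_id + 1:
                findings.append({
                    "kind": "record_gap",
                    "after_record": prev_id,
                    "missing": rec_id - prev_id - 1,
                })
            # Residue 2: a steady log should not go quiet for long.
            silence = when - prev_when
            if silence > expected_interval * tolerance:
                findings.append({
                    "kind": "silence",
                    "start": prev_when.isoformat(),
                    "end": when.isoformat(),
                    "seconds": int(silence.total_seconds()),
                })
        prev = (rec_id, when)
    return findings


if __name__ == "__main__":
    for finding in find_gaps(SAMPLE_LOG):
        print(finding)
```

On the sample above the function reports a 42-record jump after record 1004 and a three-and-a-half-hour silence between 08:15 and 11:45. Either finding on its own is a lead; both together at the same point in the log are the kind of anomaly the "palimpsestic" reading looks for, and they point the investigator at the other artifacts (registry, $MFT, service-state changes) that cover the same window.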

TAKEAWAYS:

  1. Palimpsests illustrate how overwritten information can be revealed.
  2. Forensic echoes linger despite attackers’ deletion efforts.
  3. A “palimpsestic” perspective aids detection of subtle traces.
  4. Advanced imaging uncovers hidden historical texts.
  5. Investigative success often depends on understanding system artifact persistence.