A monthly wrap-up of the DFIR news for October 2017. Any Patreon donations this month will be donated to Lifehouse in memory of my late colleague John. I’m also going to move the show notes over to the Patreon page. Special thanks to my friend Jeff (Animatic on Soundcloud) for letting me use one of his tracks. Thanks for […]
I wanted to start this post slightly differently; last week a colleague lost his fight with cancer – he was one of the founding members of the organisation that I work at, and the lack of his presence will be noticed across the command. Some people have been very kind to donate to my work on […]
FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog creates a test file on an NTFS file system to see how the $LogFile is populated. $LogFile (1) Adam Harrison at 1234n6 continues his investigation into the Windows Subsystem for Linux. After a recent update, Adam was able to confirm that “an individual user can install […]
FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks into the USN Journal on NTFS. He creates a test file and monitors what happens to the journal. $J and USN Hideaki also takes a look at the ‘enablerangetracking’ feature of the fsutil command on Win10. USN and range tracking Adam Harrison at 1234n6 took a look […]
FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog examines the Security ID of a file and then looks for that ID in the $Secure file. Security ID and $Secure Eric Zimmerman has a post regarding the recent updates to Amcache on Windows 10’s Fall Creators Update. He has also updated his AmcacheParser to deal […]
This Month In 4n6 for September 2017,
Special thanks to Animatic on Soundcloud for letting me use one of his tracks in the opening.
FORENSIC ANALYSIS Martino Jerian at Amped Software shares some information about Apple’s move to the HEIF file format in iOS 11. Interestingly, the file’s format may be switched back to JPEG when transferring the file. From the image in the post it looks like the file also keeps its EXIF data which is nice. HEIF Image […]