THIS MONTH IN 4N6 – October – 2017

A monthly wrap-up of the DFIR news for October 2017. Any Patreon donations this month will be donated to Lifehouse in memory of my late colleague John. I’m also going to move the show notes over to the Patreon page. Special thanks to my friend Jeff (Animatic on Soundcloud) for letting me use one of his tracks. Thanks for […]

Week 43 – 2017

I wanted to start this post slightly differently; last week a colleague lost his fight with cancer – he was one of the founding members of the organisation that I work at, and the lack of his presence will be noticed across the command. Some people have been very kind to donate to my work on […]

Week 42 – 2017

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog creates a test file on an NTFS file system to see how the $LogFile is populated. $LogFile (1) Adam Harrison at 1234n6 continues his investigation into the Windows subsystem for Linux. After a recent update, Adam was able to confirm that “an individual user can install […]

Week 41 – 2017

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks into the USN Journal on NTFS. He creates a test file and monitors what happens to the journal. $JとUSN Hideaki also takes a look at the ‘enablerangetracking’ feature of the fsutil command on Win10. USN と range tracking Adam Harrison at 1234n6 took a look […]

Week 40 – 2017

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog examines the Security ID of a file and then looks for that ID in the $Secure file. Security Id と $Secure Eric Zimmerman has a post regarding the recent updates to Amcache on Windows 10’s Fall Creators update. He has also updated his AmcacheParser to deal […]

Week 39 – 2017

FORENSIC ANALYSIS Martino Jerian at Amped Software shares some information about Apple’s move to the HEIF file format in iOS 11. Interestingly, the file’s format may be switched back to JPEG when transferring the file. From the image in the post it looks like the file also keeps its EXIF data which is nice. HEIF Image […]