Week 39 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog deletes a folder containing a $I30 file and a hardlinked picture. He shows that there is still a reference in the index; FTK Imager doesn’t show the picture file, but Autopsy does. Autopsy and Realloc. James Habben at 4n6IR has a couple of posts about identifying Object […]

Week 38 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog shows that it’s possible to copy a file using the esentutl application, and that this is recorded in the Security event log. Esentutl and File copy. James Habben at 4n6IR shows how to locate ObjectIDs in EnCase. NTFS Object IDs in EnCase. There were a couple of […]

Week 37 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the $ObjId file and shows that it can contain references for deleted files. From some testing, it would be arguable that the file with that name has been accessed, which may be useful to know. NTFS $ObjID and ObjectID. Andrew Odendaal at […]

Week 36 – 2018

FORENSIC ANALYSIS @0x00A at DFIR X has started a blog, and shows how to convert a vmem image to raw for examination with Volatility. How to prepare a VMWare memory image for Volatility analysis. Oleg Afonin at Elcomsoft explains “how to access information stored in Apple iCloud with and without using forensic tools”. Cloud Forensics: […]

Week 35 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog posted a couple of tests of the $LogFile this week. He tested using “$LogFile to check overwriting of the cluster.” NTFS $LogFile and DataRun. He also had a look at the $LogFile when an ObjectID is set. NTFS $LogFile and ObjectID. Oleg Afonin at Elcomsoft has […]