This Month In 4n6 – November – 2018

A monthly wrap-up of the DFIR news for November 2018. Thank you to those Patreon donors for the last month. I decided to go with the value-for-value model rather than advertising. Alternatively, it would be great if you could leave an iTunes review. If you are a Patreon donor the show notes can be found here. Special thanks to […]

Week 47 – 2018

FORENSIC ANALYSIS Ashley Hernandez at Blackbag Technologies shares a number of useful tips for collecting data from Macs with T2 chips (although there are also tips for general Mac acquisition as well worth noting – particularly surrounding mounting dirty APFS volumes, and clearing fsevents accidentally). It also appears that live data collection will require additional […]

Week 46 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog shows the File ID on ReFS. Examining this ID may be useful in identifying timestomping. ReFS and File ID Marcus Thompson at Professor Bike demonstrates various issues he has come up against whilst parsing MFT records. Applying the Precision Testing Methodology to the Master File Table […]

Week 45 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at the USN Journal on ReFS, which can be queried, but FTK Imager doesn’t seem to parse the file system, and he was unsuccessful with carving for USN records. Refs and USN Journal. Further research indicated that USN_RECORD_V3 is used on ReFS. Refs and USN […]

Week 44 – 2018

Paul Sanderson advised that Sanderson Forensics is closed until further notice due to family health concerns. Sending well wishes, and hopefully everything gets better soon. FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the “Audit PNP Activity” event logging with regards to USB device connection. Audit PNP Activity and ID […]