Lee Whitfield at Forensic 4Cast has opened up voting for the 2018 Forensic 4Cast awards, held at the SANS DFIR Summit in Austin, Texas. Thanks to everyone that nominated ‘This Week in 4n6’ for blog of the year. Voting ends May 25th, so I’ll post this up a couple times before then to remind people […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog posted a couple of times this week First, he takes a look at the Property store data block of a LNK file. Hideaki indicates that this data is not parsed in Plaso. LNK と Property Store Next, he looks at some of the timestamps stored in […]

Last chance to nominate this site for the 2018 Forensic 4Cast Awards. If you have already, it’s very much appreciated. FORENSIC ANALYSIS Oleg Skulkin and Igor Mikhaylov at Cyber Forensicator tested how various actions affect the 8 timestamps on an NTFS volume on a Win10 host. This test shows that there are minor differences compared to […]

If you like my work and would like to nominate me for a 4Cast Award for Blog of the year that would be greatly appreciated. Nominations close at the end of this month. FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the “the Shell item structure of the LNK file.” […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the ‘Access Bits’ in a Windows 10 registry hive. RegistryとAccess bits Sebastian Neef at 0day Work shares his findings from pulling apart the .DS_Store file format. Parsing the .DS_Store file format Marco Fontani at Amped Software shows “what Griffeye Analyze DI Pro […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog shows how to repair a dirty registry hive manually so that it can be examined by Log2timeline. Registry Transaction LogとPlaso Scar at Forensic Focus has posted an article on using Oxygen to examine drone onboard/SD card and Cloud data. Oxygen Drone Forensics Alexis Brignoni at ‘Initialization […]