Week 38 – 2017

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog has a few posts on the $INDEX_ROOT NTFS attribute. Firstly, he takes a look at the $INDEX_ROOT NTFS attribute of a file. $INDEX_ROOT と $I30 Hideaki also has a post about ObjectID’s and how they are affected by moving the file across mediums. I’m wondering the […]

Week 37 – 2017

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog walks through the process of creating a deleted record in NTFS $I30. For more information about NTFS index attributes I found this article useful (although the pictures don’t appear to display any more for some reason). NTFS $I30 と Deleted record  There were a few posts […]

Week 36 – 2017

FORENSIC ANALYSIS Glenn Edwards Jr at Hidden Illusion has a post on enumerating prefetch filename hashes to brute force the original path of an executable. He also lists various use-cases where this may be helpful. Go Prefetch Yourself Jim Hoerricks at Amped Software discusses when someone should seize a DVR and provides some resources for […]

Week 35 – 2017

FORENSIC ANALYSIS Adam Harrison has started a new blog, 1234n6, and wrote a couple of articles regarding the analysis of volumes with data deduplication enabled. The “first post serves as an introduction to Data Deduplication and speaks to how to identify whether a system or disk image has Data Deduplication enabled” Windows Server Data Dedupliction and […]

Week 34 – 2017

FORENSIC ANALYSIS The guys at Cyber Forensicator shared an article by Timothy Opsitnick, Joseph Anguilano and Trevor Tucker on how computer forensics can be used to assist to investigate employee data theft. Using Computer Forensics to Investigate Employee Data Theft There were a couple of posts on Elcomsoft’s blog this week Olga Koksharova at Elcomsoft […]

Week 33 – 2017

FORENSIC ANALYSIS There were a few posts on Cyber Forensicator this week They shared a paper by Andrew Case, Arghya Kusum Das, Seung-Jong Park, J. (Ram) Ramanujam and Golden G.Richard III from DFRWS US 2017 titled “Gaslight: A comprehensive fuzzing architecture for memory forensics frameworks” Gaslight: A comprehensive fuzzing architecture for memory forensics frameworks They […]