Week 42 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at file system tunnelling on the C drive File System Tunneling and C:\ Adam Harrison at 1234n6 has written a post on Windows execution artefacts across a variety of desktop and server versions of Windows, and subsequently also (is going to be the winning, yes […]

Week 41 – 2018

Early post this week, just in case I didn’t have time to finish it tomorrow. FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at the effects of file system tunnelling on the USN journal File System Tunneling and E:\ Faisal AM Qureshi at ‘Deriving Cyber Threat Intelligence and Threat Hunting’ demonstrates how […]

Week 40 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog explores whether he can “find timestamp changes using [the] USN Journal” Timestamp and USN_REASON_BASIC_INFO_CHANGE ADF have a post describing how to acquire memory using an ADF collection key RAM Dump Forensics Justin Boncaldo takes a look at the database that stores apps installed with the Windows […]

This Month In 4n6 – September – 2018

A monthly wrap-up of the DFIR news for September 2018. Thank you to those Patreon donors for the last month. I decided to go with the value-for-value model rather than advertising. Alternatively, it would be great if you could leave an iTunes review. If you are a Patreon donor the show notes can be found here. Special thanks to […]

Week 39 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog deletes a folder containing a $I30 file and a hardlinked picture. He shows that although a reference remains in the index, FTK Imager doesn’t show the picture file, but Autopsy does. Autopsy and Realloc James Habben at 4n6IR has a couple of posts about identifying Object […]

Week 38 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog shows that it’s possible to copy a file using the esentutl application, and that this is recorded in the security event log. Esentutl and File copy James Habben at 4n6IR shows how to locate ObjectIDs in EnCase. NTFS Object IDs in EnCase There were a couple of […]

Week 37 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the $ObjectID file and shows that there can be references for deleted files. From some testing, it would be arguable that the file with that name has been accessed, which may be useful to know. NTFS $ObjID and ObjectID Andrew Odendaal at […]