Week 7 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog utilises Teru Yamazaki’s USN parsing utility to identify deleted files and folders in the journal USN Analytics と Folder Arsenal Consulting has shared a couple of articles (one was from last week and I missed it, sorry!) They have put together an infographic on the Windows […]

Week 6 – 2018

FORENSIC ANALYSIS There were a few posts by Cyber Forensicator this week They shared a link to Florian Roth’s APT simulator APT Simulator They shared a thesis by Thomas Schreck titled “IT Security Incident Response: Current State, Emerging Problems, and New Approaches” IT Security Incident Response: Current State, Emerging Problems, and New Approaches They shared […]

Week 5 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog shows the effects some file actions have on an NTFS MFT record’s Fixup value and update sequence. Fixup と Update Sequence Number Adam Harrison at 1234n6 walks through the process of rebuilding a hardware RAID in Encase 7/8. As a side note, Adam wrote this post […]

This Month In 4n6 – January – 2018

A monthly wrap-up of the DFIR news for January 2018. Thank you to those Patreon donors for the last month. I decided to go with the value-for-value model rather than advertising. If you get a little bit of value from the show, then I appreciate those that decide to give a little back. Alternatively, it would be great if […]

Week 4 – 2018

For anyone in Sydney, I’ve started a Google Group for those in DFIR to meet up every so often and have a drink. If you want to join just submit a request, it’s open to all. FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at the relationship between $INDEX_ALLOCATION (0xA0) and the Virtual […]

Week 3 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the $BITMAP attribute of a folder. Folderと$BITMAP (0xB0)  Dan Pullega at 4n6k looks into an unknown entry in the debugfs stat output on Linux ext4. Forensics Quickie: Methodology for Identifying Linux ext4 Timestamp Values in debugfs `stat` Command  Digital Forensics Corp shared […]

Week 2 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog took a look at the Win10 Thumbnail index database, thumbcache_idx.db. Win10 と Thumbnail Index  Brian Maloney stumbled across a Windows event log, Microsoft-Windows-MBAM/Operational, that tracks RemovableDriveMounted and RemovableDriveDismounted (event ID 39 and 40) Check out @bmmaloney97’s Tweet  There were a few posts on the Cyber Forensicator […]