Week 33 – 2018

FORENSIC ANALYSIS: Justin Boncaldo walks through a few of the artefacts that are useful for tracking USB devices on a Windows system. Justin also described his recent internship at Califorensics. DFS# 03: Was a USB drive inserted into my Windows computer? Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times […]

Week 32 – 2018

Links only this week! On the way back home from Vegas after an exciting few days of DFIR (and FIFA). FORENSIC ANALYSIS: @port139 Jumplist and Clear File Explorer history; Archer Forensics Dissecting Official Reddit App, What Your Tools Don’t Tell You; DF Challenge Digital Forensic Challenge; DME Forensics 10 Tips for a Nonworking DVR; Dave […]

Week 31 – 2018

Just an FYI I’m over in Las Vegas next week for DEF CON; two things. 1) If you’re around, shoot me a message on Twitter or through the contact form. Some people have reached out after I’ve been state-side and said things like “oh you looked busy”; if I’m busy, I’ll tell you, otherwise come […]

This Month In 4n6 – July – 2018

A monthly wrap-up of the DFIR news for July 2018. Thank you to those Patreon donors for the last month. I decided to go with the value-for-value model rather than advertising. Alternatively, it would be great if you could leave an iTunes review. If you are a Patreon donor the show notes can be found here. Special thanks to […]

Week 30 – 2018

FORENSIC ANALYSIS Adam Harrison at 1234n6 answers Dave’s latest Sunday Funday challenge on identifying historical timezone configuration changes. Adam’s submission also won Methods to identify historical Time Zone configuration associated with a Windows PC Matt at Bit of Hex shares a short Python script “which will brute-force binary data looking for valid dates and times” […]

Week 29 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looked into NTFS $REPARSE_POINTs and symbolic links, and by doing so was able to identify a bug in MFTECmd. NTFS $REPARSE_POINT and Symbolic link NTFS $REPARSE_POINT and Symbolic link(2) Dan Pullega at 4n6k describes how he investigated a previously unknown GUID identified in Shellbags. Dan also […]

Week 28 – 2018

FORENSIC ANALYSIS Adam Harrison at 1234n6 shares his answer to the recent Sunday Funday challenge regarding o365 logging. Adam’s solution also won him the challenge Investigating Office365 Account Compromise without the Activities API Brian Gerdon at Arsenal Recon walks through his process for cracking the password of a Windows XP domain account. An Adventure in […]