FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at file system tunnelling on the C drive File System Tunneling and C:\ Adam Harrison at 1234n6 has written a post on Windows execution artefacts across a variety of desktop and server versions of Windows, and subsequently also (is going to be the winning, yes […]

  Early post this week, just in case I didn’t have time to finish it tomorrow. FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at the effects of file system tunnelling on the USN journal File System Tunneling and E:\ Faisal AM Qureshi at ‘Deriving Cyber Threat Intelligence and Threat Hunting’ demonstrates how […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog explores whether he can “find timestamp changes using [the] USN Journal” Timestamp and USN_REASON_BASIC_INFO_CHANGE ADF have a post describing how to acquire memory using an ADF collection key RAM Dump Forensics Justin Boncaldo takes a look at the database that stores apps installed with the Windows […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog deletes a folder containing a $I30 file, and a hardlinked picture. He shows that there is a reference in the index, FTK Imager doesn’t show the picture file, but Autopsy does. Autopsy and Realloc James Habben at 4n6IR has a couple of posts about identifying Object […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog shows that it’s possible to copy a file using the esentutl application, and this is recorded in the security event log. Esentutl and File copy James Habben at 4n6IR shows how to locate ObjectIDs in Encase. NTFS Object IDs in EnCase There were a couple of […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the $ObjectID file and shows that there can be references for deleted files. From some testing, it would be arguable that the file with that name has been accessed, which may be useful to know. NTFS $ObjID and ObjectID Andrew Odendaal at […]