Links only this week. Sorry! I assure you I have a good excuse 🙂 FORENSIC ANALYSIS Dave Cowen Daily Blog #513: solution Saturday 10/20/18 Daily Blog #514: Sunday Funday 10/21/18 Daily Blog #515: Asking for your input regarding future testing Daily Blog #516: Forensic Lunch Test Kitchen 10/23/18 Daily Blog #517: Forensic Lunch Test Kitchen […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at file system tunnelling on the C drive File System Tunneling and C:\ Adam Harrison at 1234n6 has written a post on Windows execution artefacts across a variety of desktop and server versions of Windows, and subsequently also (is going to be the winning, yes […]

  Early post this week, just in case I didn’t have time to finish it tomorrow. FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at the effects of file system tunnelling on the USN journal File System Tunneling and E:\ Faisal AM Qureshi at ‘Deriving Cyber Threat Intelligence and Threat Hunting’ demonstrates how […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog explores whether he can “find timestamp changes using [the] USN Journal” Timestamp and USN_REASON_BASIC_INFO_CHANGE ADF have a post describing how to acquire memory using an ADF collection key RAM Dump Forensics Justin Boncaldo takes a look at the database that stores apps installed with the Windows […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog deletes a folder containing a $I30 file, and a hardlinked picture. He shows that there is a reference in the index, FTK Imager doesn’t show the picture file, but Autopsy does. Autopsy and Realloc James Habben at 4n6IR has a couple of posts about identifying Object […]