I created a thank you page for all of those that have thrown me a few dollaridoos to help run the site. Just to recognise and say thanks to those who give a little back FORENSIC ANALYSIS Alexis Brignoni at ‘Initialization vectors’ examines the Dropbox app for iOS Profiling user activity in Dropbox for iOS […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog demonstrates amcache activity for process tracking on Win10 USB and Amcache Justin Boncaldo examines the Win10 Netflix app Netflix -Windows 10 Appstore Forensics Brian Moran at BriMor Labs walks through his process of parsing Skype Lite data Skype Hype/Gripe Oleg and Vladimir at Elcomsoft have written […]

FORENSIC ANALYSIS Ashley Hernandez at Blackbag Technologies shares a number of useful tips for collecting data from Macs with T2 chips (although there are also tips for general Mac acquisition as well worth noting – particularly surrounding mounting dirty APFS volumes, and clearing fsevents accidentally). It also appears that live data collection will require additional […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog shows the File ID on ReFS. Examining this ID may be useful in identifying timestomping. ReFS and File ID Marcus Thompson at Professor Bike demonstrates various issues he has come up against whilst parsing MFT records. Applying the Precision Testing Methodology to the Master File Table […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at the USN Journal on ReFS, which can be queried but FTK Imager doesn’t seem to parse the file system, and he was unsuccessful with carving for USN records Refs and USN Journal Further research indicated that USN_RECORD_V3 is used on ReFS. Refs and USN […]

Paul Sanderson advised that Sanderson Forensics is closed until further notice due to family health concerns. Sending well wishes and hopefully, everything gets better soon. FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the “Audit PNP Activity” event logging with regards to USB device connection. Audit PNP Activity and ID […]

Links only this week. Sorry! I assure you I have a good excuse 🙂 FORENSIC ANALYSIS Dave Cowen Daily Blog #513: solution Saturday 10/20/18 Daily Blog #514: Sunday Funday 10/21/18 Daily Blog #515: Asking for your input regarding future testing Daily Blog #516: Forensic Lunch Test Kitchen 10/23/18 Daily Blog #517: Forensic Lunch Test Kitchen […]