FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looked into NTFS $REPARSE_POINTs and symbolic links, and by doing so was able to identify a bug in MFTECmd. NTFS $REPARSE_POINT and Symbolic link NTFS $REPARSE_POINT and Symbolic link(2) Dan Pullega at 4n6k describes how he investigated a previously unknown GUID identified in Shellbags. Dan also […]
FORENSIC ANALYSIS Adam Harrison at 1234n6 shares his answer to the recent Sunday Funday challenge regarding o365 logging. Adam’s solution also won him the challenge Investigating Office365 Account Compromise without the Activities API Brian Gerdon at Arsenal Recon walks through his process for cracking the password of a Windows XP domain account. An Adventure in […]
I’ve decided to formalise the support page for the project, which can now be accessed from the top menu. I figured that it would be a good idea to put it all in the one place. I’m still holding out from the advertising model, although I think that’s more of a personal preference more than […]
FORENSIC ANALYSIS Chris Sanders describes “some different packet analysis tool filtering capabilities, some of the filters [he uses] when whittling down PCAPs, and some tricks for applying them effectively” Analyzing Large Capture Files 4: Whittling with Filters The guys at Cyber Forensicator wrote a few articles this week. Oleg Skulkin shared his answer to Dave […]
FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog tests out Erics MFTECmd in examining a file stored in NTFS’s $ EA attribute. MFTECmd γ¨ $EA Somehow I missed Mari’s post last week so it’s here this week! Mari’s post covers PowerShell scripts that may be hiding in the registry as their persistence mechanism. Malicious […]
I’m back! Thankfully was able to get the post done today before jetlag set in. I’ll probably do a recap of the trip this week if I get a chance to jot down some thoughts. Overall it was fantastic and I had a great time, but it’s good to get home; 4 weeks away is […]
Another week of links only; I’m going to try get back to scheduled programming next week but that may be tough. Will do my best π FORENSIC ANALYSIS Port139 ActivitiesCache.dbγ¨γ’γ―γγ£γγγ£ει€(3) Arsenal Consulting Quick Look Cache Parsing Arsenal Quick Look Cache Parsing Collecting Quick Look Data From a Live macOS System Cyber Forensicator TrueCrypt Container […]
Links only this week! FORENSIC ANALYSIS Port139 ActivitiesCache.dbγ¨γ’γ―γγ£γγγ£ει€(2) Cloudy Forensics How to run Yara Rules during Incident Response Cyber Forensicator Darwin-Collector β collect key files for macOS investigations Windows Phone Physical Imaging Without JTAG and Chip-off Cyber Triage Using Volatility in Cyber Triage to Analyze Memory DFIR Science Testing File Systems for Digital Forensic Imaging […]
FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog deletes some items out of the Win10 Timeline and shows that these events remain in the timeline database for a period (of unknown length) after the deletion. It would be good if he was to check the deleted records after a week or two and see […]
One more week of (vendor) campaigning for the Forensic 4Cast Awards! This will be my last mention of it before the actual awards, so if you havenβt already, head over here to vote! Magnet Forensics lists a few reasons why they deserve the Phone forensic tool of the year. 5 Reasons Magnet AXIOM Is Forensic […]
