Week 22 – 2018

Links only this week! FORENSIC ANALYSIS Port139 ActivitiesCache.db and Activity Deletion (2) Cloudy Forensics How to run Yara Rules during Incident Response Cyber Forensicator Darwin-Collector – collect key files for macOS investigations Windows Phone Physical Imaging Without JTAG and Chip-off Cyber Triage Using Volatility in Cyber Triage to Analyze Memory DFIR Science Testing File Systems for Digital Forensic Imaging […]

Week 21 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog deletes some items out of the Win10 Timeline and shows that these events remain in the timeline database for a period (of unknown length) after the deletion. It would be good if he were to check the deleted records after a week or two and see […]

Week 20 – 2018

One more week of (vendor) campaigning for the Forensic 4Cast Awards! This will be my last mention of it before the actual awards, so if you haven’t already, head over here to vote! Magnet Forensics lists a few reasons why they deserve the Phone forensic tool of the year. 5 Reasons Magnet AXIOM Is Forensic […]

Week 19 – 2018

Magnet Forensics wrote a blog post reminding you to go and vote in the Forensic 4Cast Awards. Only a couple more weeks till voting closes! 3 Reasons to Vote Magnet Forensics for Forensic 4:cast Digital Forensic Organization of the Year Brett Shavers at DFIR.Training shared some stats for the site, as well as asked […]

Week 18 – 2018

FORENSIC ANALYSIS Matt at ‘Bit of Hex’ takes a look at the memory artefacts left behind by “a user running Tor Browser Bundle (TBB) on an external USB drive to access webmail, and a Tor hidden service.” Memory Forensics & Tor Igor and Oleg at Cyber Forensicator examine the artefacts created by the “pCloud desktop application […]

Week 17 – 2018

There were a few more requests for votes for Forensic 4Cast Awards. Belkasoft – Phone Forensic Software, and Computer Forensic Software of the Year AboutDFIR – Digital Forensic Investigator, and Digital Forensic Resource of the Year Magnet Forensics – Digital Forensic Organization, Phone Forensic Software, and Computer Forensic Software of the Year FORENSIC ANALYSIS Hideaki […]

Week 16 – 2018

Campaigning for the 4Cast Awards is in full swing; I think I got three emails about it last week! The link to vote is here. FORENSIC ANALYSIS Oleg Skulkin and Igor Mikhaylov at Cyber Forensicator take a look at the artefacts created by a couple of desktop apps for cloud storage providers. Cloud Forensics: Analyzing […]

Week 15 – 2018

Lee Whitfield at Forensic 4Cast has opened up voting for the 2018 Forensic 4Cast awards, held at the SANS DFIR Summit in Austin, Texas. Thanks to everyone that nominated ‘This Week in 4n6’ for blog of the year. Voting ends May 25th, so I’ll post this up a couple times before then to remind people […]

Week 14 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog posted a couple of times this week. First, he takes a look at the Property store data block of a LNK file. Hideaki indicates that this data is not parsed in Plaso. LNK and Property Store Next, he looks at some of the timestamps stored in […]

Week 13 – 2018

Last chance to nominate this site for the 2018 Forensic 4Cast Awards. If you have already, it’s very much appreciated. FORENSIC ANALYSIS Oleg Skulkin and Igor Mikhaylov at Cyber Forensicator tested how various actions affect the 8 timestamps on an NTFS volume on a Win10 host. This test shows that there are minor differences compared to […]