Week 9 – 2018

Just a reminder that the nominations for the Forensic 4Cast awards are still open and if you haven’t already, head over here to submit your nominations. If you’d like to nominate this blog it would be very much appreciated 🙂 FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog continues to look at the Bam […]

Week 8 – 2018

I’ve been told I need to promote the Patreon link. It’s here if you’re interested 🙂 FORENSIC ANALYSIS Kasasagi at ‘Apprentice forensic ‘s note’ has identified the ‘bam’ key in the Windows registry that stores the full path of an executable and the last execution time. It is indicated that this is only written […]

Week 7 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog utilises Teru Yamazaki’s USN parsing utility to identify deleted files and folders in the journal USN Analytics と Folder Arsenal Consulting has shared a couple of articles (one was from last week and I missed it, sorry!) They have put together an infographic on the Windows […]

Week 6 – 2018

FORENSIC ANALYSIS There were a few posts by Cyber Forensicator this week They shared a link to Florian Roth’s APT simulator APT Simulator They shared a thesis by Thomas Schreck titled “IT Security Incident Response: Current State, Emerging Problems, and New Approaches” IT Security Incident Response: Current State, Emerging Problems, and New Approaches They shared […]

Week 5 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog shows the effects some file actions have on an NTFS MFT record’s Fixup value and update sequence. Fixup と Update Sequence Number Adam Harrison at 1234n6 walks through the process of rebuilding a hardware RAID in Encase 7/8. As a side note, Adam wrote this post […]

Week 4 – 2018

For anyone in Sydney, I’ve started a Google Group for those in DFIR to meet up every so often and have a drink. If you want to join just submit a request, it’s open to all. FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at the relationship between $INDEX_ALLOCATION (0xA0) and the Virtual […]

Week 3 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the $BITMAP attribute of a folder. Folderと$BITMAP (0xB0)  Dan Pullega at 4n6k looks into an unknown entry in the debugfs stat output on Linux ext4. Forensics Quickie: Methodology for Identifying Linux ext4 Timestamp Values in debugfs `stat` Command  Digital Forensics Corp shared […]

Week 2 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog took a look at the Win10 Thumbnail index database, thumbcache_idx.db. Win10 と Thumbnail Index  Brian Maloney stumbled across a Windows event log, Microsoft-Windows-MBAM/Operational, that tracks RemovableDriveMounted and RemovableDriveDismounted (event ID 39 and 40) Check out @bmmaloney97’s Tweet  There were a few posts on the Cyber Forensicator […]

Week 1 – 2018

Happy New Year! It was a bit hectic last week posting a few times on New Year’s Eve; in case you missed it, I posted my monthly podcast episode, as well as a wrap up for the year. FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog posted a couple of times this week The […]

2017 Wrap Up

Another year has passed! I figured I did a wrap-up post last year so I decided I would do it again. (Most people relax on Sundays right? I wonder what that’s like…) This year has been as interesting as last year from a personal growth and development perspective. I decided to change a few things about […]