Just to start, I’ve signed up to Amazon’s Affiliate program so if you click on the Amazon links I’ll get a referral bonus. That being said, I’m going to be providing the non-referral link, as well, for anyone that wants to use that. Also; apologies for the formatting and if some posts from the week […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at the effect on a file/folders MFT entry when sdelete is used. Win 10 と sdelete Oleg Skulkin and Igor Mikhaylov at Cyber Forensicator take a look at a few artefacts on OSX that may assist in identifying files copied to a connected volume. They […]

Just wanted to say thanks first up to the Patreon donors for the latest podcast episode. For those that didn’t see last weeks post, I’ll be donating the proceeds from this months show to the Lifehouse cancer research and treatment centre. FORENSIC ANALYSIS Dan Pullega at 4n6k posts how he identified the answer to a […]

I wanted to start this post slightly differently; last week a colleague lost his fight with cancer – he was one of the founding members of the organisation that I work at, and the lack of his presence will be noticed across the command. Some people have been very kind to donate to my work on […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog creates a test file on an NTFS file system to see how the $LogFile is populated. $LogFile (1) Adam Harrison at 1234n6 continues his investigation into the Windows subsystem for Linux. After a recent update, Adam was able to confirm that “an individual user can install […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks into the USN Journal on NTFS. He creates a test file and monitors what happens to the journal. $JとUSN Hideaki also takes a look at the ‘enablerangetracking’ feature of the fsutil command on Win10. USN と range tracking Adam Harrison at 1234n6 took a look […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog examines the Security ID of a file and then looks for that ID in the $Secure file. Security Id と $Secure Eric Zimmerman has a post regarding the recent updates to Amcache on Windows 10’s Fall Creators update. He has also updated his AmcacheParser to deal […]

FORENSIC ANALYSIS Martino Jerian at Amped Software shares some information about Apple’s move to the HEIF file format in iOS 11. Interestingly, the file’s format may be switched back to JPEG when transferring the file. From the image in the post it looks like the file also keeps its EXIF data which is nice. HEIF Image […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog has a few posts on the $INDEX_ROOT NTFS attribute. Firstly, he takes a look at the $INDEX_ROOT NTFS attribute of a file. $INDEX_ROOT と $I30 Hideaki also has a post about ObjectID’s and how they are affected by moving the file across mediums. I’m wondering the […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog walks through the process of creating a deleted record in NTFS $I30. For more information about NTFS index attributes I found this article useful (although the pictures don’t appear to display any more for some reason). NTFS $I30 と Deleted record There were a few posts […]