FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog creates a test file on an NTFS file system to see how the $LogFile is populated. $LogFile (1) Adam Harrison at 1234n6 continues his investigation into the Windows subsystem for Linux. After a recent update, Adam was able to confirm that “an individual user can install […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks into the USN Journal on NTFS. He creates a test file and monitors what happens to the journal. $JとUSN Hideaki also takes a look at the ‘enablerangetracking’ feature of the fsutil command on Win10. USN と range tracking Adam Harrison at 1234n6 took a look […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog examines the Security ID of a file and then looks for that ID in the $Secure file. Security Id と $Secure Eric Zimmerman has a post regarding the recent updates to Amcache on Windows 10’s Fall Creators update. He has also updated his AmcacheParser to deal […]

FORENSIC ANALYSIS Martino Jerian at Amped Software shares some information about Apple’s move to the HEIF file format in iOS 11. Interestingly, the file’s format may be switched back to JPEG when transferring the file. From the image in the post it looks like the file also keeps its EXIF data which is nice. HEIF Image […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog has a few posts on the $INDEX_ROOT NTFS attribute. Firstly, he takes a look at the $INDEX_ROOT NTFS attribute of a file. $INDEX_ROOT と $I30 Hideaki also has a post about ObjectID’s and how they are affected by moving the file across mediums. I’m wondering the […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog walks through the process of creating a deleted record in NTFS $I30. For more information about NTFS index attributes I found this article useful (although the pictures don’t appear to display any more for some reason). NTFS $I30 と Deleted record There were a few posts […]

FORENSIC ANALYSIS Glenn Edwards Jr at Hidden Illusion has a post on enumerating prefetch filename hashes to brute force the original path of an executable. He also lists various use-cases where this may be helpful. Go Prefetch Yourself Jim Hoerricks at Amped Software discusses when someone should seize a DVR and provides some resources for […]

FORENSIC ANALYSIS Adam Harrison has started a new blog, 1234n6, and wrote a couple of articles regarding the analysis of volumes with data deduplication enabled. The “first post serves as an introduction to Data Deduplication and speaks to how to identify whether a system or disk image has Data Deduplication enabled” Windows Server Data Dedupliction and […]

FORENSIC ANALYSIS The guys at Cyber Forensicator shared an article by Timothy Opsitnick, Joseph Anguilano and Trevor Tucker on how computer forensics can be used to assist to investigate employee data theft. Using Computer Forensics to Investigate Employee Data Theft There were a couple of posts on Elcomsoft’s blog this week Olga Koksharova at Elcomsoft […]

FORENSIC ANALYSIS There were a few posts on Cyber Forensicator this week They shared a paper by Andrew Case, Arghya Kusum Das, Seung-Jong Park, J. (Ram) Ramanujam and Golden G.Richard III from DFRWS US 2017 titled “Gaslight: A comprehensive fuzzing architecture for memory forensics frameworks” Gaslight: A comprehensive fuzzing architecture for memory forensics frameworks They […]