FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog examines the Security ID of a file and then looks for that ID in the $Secure file. Security Id と $Secure Eric Zimmerman has a post regarding the recent updates to Amcache on Windows 10’s Fall Creators update. He has also updated his AmcacheParser to deal […]
This Month In 4n6 for September 2017,
Special thanks to Animatic on Soundcloud for letting me use one of his tracks in the opening.
FORENSIC ANALYSIS Martino Jerian at Amped Software shares some information about Apple’s move to the HEIF file format in iOS 11. Interestingly, the file’s format may be switched back to JPEG when transferring the file. From the image in the post it looks like the file also keeps its EXIF data which is nice. HEIF Image […]
FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog has a few posts on the $INDEX_ROOT NTFS attribute. Firstly, he takes a look at the $INDEX_ROOT NTFS attribute of a file. $INDEX_ROOT と $I30 Hideaki also has a post about ObjectID’s and how they are affected by moving the file across mediums. I’m wondering the […]
FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog walks through the process of creating a deleted record in NTFS $I30. For more information about NTFS index attributes I found this article useful (although the pictures don’t appear to display any more for some reason). NTFS $I30 と Deleted record There were a few posts […]
FORENSIC ANALYSIS Glenn Edwards Jr at Hidden Illusion has a post on enumerating prefetch filename hashes to brute force the original path of an executable. He also lists various use-cases where this may be helpful. Go Prefetch Yourself Jim Hoerricks at Amped Software discusses when someone should seize a DVR and provides some resources for […]
FORENSIC ANALYSIS Adam Harrison has started a new blog, 1234n6, and wrote a couple of articles regarding the analysis of volumes with data deduplication enabled. The “first post serves as an introduction to Data Deduplication and speaks to how to identify whether a system or disk image has Data Deduplication enabled” Windows Server Data Dedupliction and […]