FORENSIC ANALYSIS @0x00A at DFIR X has started a blog, and shows how to convert a vmem image to raw for examination with Volatility How to prepare a VMWare memory image for Volatility analysis Oleg Afonin at Elcomsoft explains “how to access information stored in Apple iCloud with and without using forensic tools” Cloud Forensics: […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog posted a couple of tests of the $LogFile this week He tested using “$LogFile to check overwriting of the cluster.” NTFS $LogFile and DataRun He also had a look at the $LogFile when an ObjectID is set. NTFS $LogFile and ObjectID Oleg Afonin at Elcomsoft has […]

FORENSIC ANALYSIS Brian Gerdon at Arsenal Recon digs into the URLs generated by Gmail to try and trace user actions. Google tends to track a lot of interaction information, and even better, it’s stored in URLs for us. Awesome find that the message ID is actually a timestamp, looks like I’ll have to update GSERPent […]

FORENSIC ANALYSIS Justin Boncaldo walks through a few of the artefacts that are useful for tracking USB devices on a Windows system. Justin also described his recent internship at Califorensics DFS# 03: Was a USB drive inserted into my Windows computer? Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times […]

Links only this week! On the way home back from Vegas after an exciting few days of DFIR (and FIFA) FORENSIC ANALYSIS @port139 Jumplist and Clear File Explorer history Archer Forensics Dissecting Official Reddit App, What Your Tools Don’t Tell You DF Challenge Digital Forensic Challenge DME Forensics 10 Tips for a Nonworking DVR Dave […]

Just an FYI I’m over in Las Vegas next week for DEF CON; two things. 1) If you’re around, shoot me a message on Twitter or through the contact form. Some people have reached out after I’ve been state-side and said things like “oh you looked busy”; if I’m busy, I’ll tell you, otherwise come […]