FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog demonstrates amcache activity for process tracking on Win10 USB and Amcache Justin Boncaldo examines the Win10 Netflix app Netflix -Windows 10 Appstore Forensics Brian Moran at BriMor Labs walks through his process of parsing Skype Lite data Skype Hype/Gripe Oleg and Vladimir at Elcomsoft have written […]

FORENSIC ANALYSIS Ashley Hernandez at Blackbag Technologies shares a number of useful tips for collecting data from Macs with T2 chips (although there are also tips for general Mac acquisition as well worth noting – particularly surrounding mounting dirty APFS volumes, and clearing fsevents accidentally). It also appears that live data collection will require additional […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog shows the File ID on ReFS. Examining this ID may be useful in identifying timestomping. ReFS and File ID Marcus Thompson at Professor Bike demonstrates various issues he has come up against whilst parsing MFT records. Applying the Precision Testing Methodology to the Master File Table […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog looks at the USN Journal on ReFS, which can be queried but FTK Imager doesn’t seem to parse the file system, and he was unsuccessful with carving for USN records Refs and USN Journal Further research indicated that USN_RECORD_V3 is used on ReFS. Refs and USN […]

Paul Sanderson advised that Sanderson Forensics is closed until further notice due to family health concerns. Sending well wishes and hopefully, everything gets better soon. FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the “Audit PNP Activity” event logging with regards to USB device connection. Audit PNP Activity and ID […]