FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog shows that it’s possible to copy a file using the esentutl application, and this is recorded in the security event log. Esentutl and File copy James Habben at 4n6IR shows how to locate ObjectIDs in Encase. NTFS Object IDs in EnCase There were a couple of […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the $ObjectID file and shows that there can be references for deleted files. From some testing, it would be arguable that the file with that name has been accessed, which may be useful to know. NTFS $ObjID and ObjectID Andrew Odendaal at […]

FORENSIC ANALYSIS @0x00A at DFIR X has started a blog, and shows how to convert a vmem image to raw for examination with Volatility How to prepare a VMWare memory image for Volatility analysis Oleg Afonin at Elcomsoft explains “how to access information stored in Apple iCloud with and without using forensic tools” Cloud Forensics: […]

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog posted a couple of tests of the $LogFile this week He tested using “$LogFile to check overwriting of the cluster.” NTFS $LogFile and DataRun He also had a look at the $LogFile when an ObjectID is set. NTFS $LogFile and ObjectID Oleg Afonin at Elcomsoft has […]

FORENSIC ANALYSIS Brian Gerdon at Arsenal Recon digs into the URLs generated by Gmail to try and trace user actions. Google tends to track a lot of interaction information, and even better, it’s stored in URLs for us. Awesome find that the message ID is actually a timestamp, looks like I’ll have to update GSERPent […]

FORENSIC ANALYSIS Justin Boncaldo walks through a few of the artefacts that are useful for tracking USB devices on a Windows system. Justin also described his recent internship at Califorensics DFS# 03: Was a USB drive inserted into my Windows computer? Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times […]