Week 38 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog shows that it’s possible to copy a file using the esentutl application, and this is recorded in the security event log. Esentutl and File copy James Habben at 4n6IR shows how to locate ObjectIDs in EnCase. NTFS Object IDs in EnCase There were a couple of […]

Week 37 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog takes a look at the $ObjectID file and shows that there can be references for deleted files. From some testing, it would be arguable that the file with that name has been accessed, which may be useful to know. NTFS $ObjID and ObjectID Andrew Odendaal at […]

Week 36 – 2018

FORENSIC ANALYSIS @0x00A at DFIR X has started a blog, and shows how to convert a vmem image to raw for examination with Volatility. How to prepare a VMWare memory image for Volatility analysis Oleg Afonin at Elcomsoft explains “how to access information stored in Apple iCloud with and without using forensic tools”. Cloud Forensics: […]

Week 35 – 2018

FORENSIC ANALYSIS Hideaki Ihara at the Port 139 blog posted a couple of tests of the $LogFile this week. He tested using “$LogFile to check overwriting of the cluster.” NTFS $LogFile and DataRun He also had a look at the $LogFile when an ObjectID is set. NTFS $LogFile and ObjectID Oleg Afonin at Elcomsoft has […]

This Month In 4n6 – August – 2018

A monthly wrap-up of the DFIR news for August 2018. Thank you to those Patreon donors for the last month. I decided to go with the value-for-value model rather than advertising. Alternatively, it would be great if you could leave an iTunes review. If you are a Patreon donor the show notes can be found here. Special thanks to […]

Week 34 – 2018

FORENSIC ANALYSIS Brian Gerdon at Arsenal Recon digs into the URLs generated by Gmail to try and trace user actions. Google tends to track a lot of interaction information, and even better, it’s stored in URLs for us. Awesome find that the message ID is actually a timestamp, looks like I’ll have to update GSERPent […]

Week 33 – 2018

FORENSIC ANALYSIS Justin Boncaldo walks through a few of the artefacts that are useful for tracking USB devices on a Windows system. Justin also described his recent internship at Califorensics. DFS# 03: Was a USB drive inserted into my Windows computer? Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a number of times […]