Blog

Daily Blog #541: Solution Saturday 11/17/18

Hello Reader, This week a new champion emerges and enters the winner’s circle. Congratulations to Oleg Skulkin who grabbed a win this week with his testing! Make sure to come back tomorrow to see next week’s challenge for your chance at $100! The Challenge: We’ve tested what happens for copies to NTFS drives. Now let’s change […]

Daily Blog #540: Forensic Lunch Test Kitchen 11/16/18

Hello Reader, Tonight I’m back in my home lab with access to all my handy testing VMs! I decided to start up a series of tests on the Application Compatibility Cache artifacts (including Shimcache and Amcache amongst others to be tested). The tests have already shown more than I expected and here is what we learned tonight: Extracting an […]

Daily Blog #539: Forensic Lunch and CTF at Magnet User Summit 2019

Hello Reader, Now that Magnet has announced that this year’s Magnet User Summit will be April 2-3, 2019 in Nashville, TN I can announce that we will be doing two things there. First you can find out more about MUS here https://www.magnetusersummit.com/ 1. Matt and I will be doing a live Forensic Lunch broadcast from […]

Daily Blog #538: Forensic Lunch Test Kitchen 11/14/18

Hello Reader, Tonight I did a bit of an experimental stream. I loaded the current first chapter draft of the new book and its proposed outline and talked through with those watching what I was planning to do. Thanks to Hooligan Goto for helping me out as I tried to figure out what my outline was […]

Daily Blog #537: Forensic Lunch Test Kitchen 11/14/18

Hello Reader, The test kitchen has returned! Tonight we looked at the new USB artifacts described in yesterday’s post http://www.hecfblog.com/2018/11/daily-blog-536-usb-30-external-storage.html and look to see how USB Detective handles the new driver. Here is what we learned: The DeviceContainers key is the place that glues together the disparate keys you need for a storage device to figure out its properties. The […]

Daily Blog #536: USB 3.0 External Storage Drive Forensics: Changes in registry locations

Hello Reader, Everything changes and we can never rest when it comes to testing and validating our forensic artifacts. This time the change has come to large external storage drives, such as the Seagate USB 3.0 drive I have next to me. If you’ve been doing USB forensics lately you may have noticed a conspicuous […]

Daily Blog #535: Sunday Funday 11/12/18

Hello Reader, Another week for you to succeed! Every week the amount of submissions I get changes greatly so don’t think that you can’t win. You just have to submit what you think is your best submission and see what happens. This week we will continue our focus on validating time stamps. The Prize: $100 Amazon Giftcard The […]

Daily Blog #534: Solution Saturday 11/10/18

Hello Reader, Another week and another round of quality submissions. Once again Sandor Tokesi has taken a win by including not just all of the file name and standard information attribute timestamps, he also tested cut and paste within a volume and between volumes. In addition he also tested the move command which is the command […]

Daily Blog #533: Windows Forensics DFIR InDepth proposed outline

Hello Reader, I’m back in the United States for a while and with that should signal a return of the test kitchen in coming nights. Until then I thought I’d post my current planned outline for the new book to be named Windows Forensics: DFIR InDepth. What I’m looking for at this point is your feedback on what else […]

Daily Blog #532: Why self publish?

Hello Reader, I’m sitting on another long flight heading back to Texas from Dubai. Thanks and gratitude for all of my students this week who asked great questions and opened new research points I need to flush out in future testing. I thought since I don’t know if this flight will have wifi I would write down why I’m going to […]

G-C Partners