Daily Blog #51: Understanding the artifacts USNJrnl

Hello Reader, I’m going to change tracks this week and focus on a deeper understanding of the USNJrnl and its associated artifacts to prove usage from our challenge two weeks ago. To prepare for this series I want to take a bit to explain what each of the artifacts we rely on for proof of usage were […]

Daily Blog #50: Sunday Funday 8/11/13 Winner!

Hello Reader, Wow, there are a lot of OSX and Time Machine loving DFIR people out there! I received a lot of submissions and they are all very good. I had to read over and compare the submissions but one was a clear standout. Congratulations to Sarah Edwards (@iamevltwin) who brought an answer so well written it had […]

Daily Blog #49: Sunday Funday 8/11/13

Hello Reader, It’s that time again, Sunday Funday time! For those not familiar, every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week I am changing things up and letting the […]

Daily Blog #48: Saturday Reading 8/10/13

Hello Reader, It’s Saturday! Hooray! The week is over and FedEx pickup ends earlier today meaning you either have extra time in the lab or some time at home. Either way, get some coffee and let’s get our forensic reading going. 1. Joachim Metz has updated his volume shadow specification paper, not this week […]

Daily Blog #47: Forensic Lunch 8/9/13

Hello Reader, Going to try something different today and see if I can embed our Forensic Lunch live stream in the blog! Forensic Lunch is something we are trying to do every Friday where we talk about updates to research from around the community as well as our challenges and successes here in the G-C Lab. If all goes well you […]

Daily Blog #46: Understanding the Artifacts USBStor

Hello Reader, No time to finish my Gmail code review so I’m going to continue the understanding the artifacts posts to keep things going. I got some good responses yesterday from the prolific Joachim Metz regarding what he’s seen in User Assist keys which I updated the post to include. The more we share […]

Daily Blog #45: Understanding the artifacts: User Assist

Hello Reader, Turns out Gmail is very complicated so I need more time to parse through the JavaScript and CSS to find the right code that is rendering the array of emails to viewable text. If you’ve already done this feel free to leave me a note in the comments below or via email […]

Daily Blog #44: Forensic Tips – Shadow Access

Hello Reader, I’m going to take a break today from the web 2.0 series for two reasons. 1. I’m not ready to write up the next post yet until I’ve reviewed the rest of the JavaScript that is parsing the message headers and contents we talked about last week. 2. A method I’ve been […]

Daily Blog #43: Sunday Funday Winner 8/5/13

Hello Reader, Another Sunday Funday is behind us and some more great answers were given, thanks to everyone who submitted on Google+ and anonymously! I’ve learned from this week’s challenge that I need to be a bit more specific to help get more focused answers, I’ll make sure to do that for next week’s challenge. This week Eric […]

Daily Blog #42: Sunday Funday 8/4/13

Hello Reader, It’s that time again, Sunday Funday time! For those not familiar, every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week we have quite the prize from our friends […]

Daily Blog #41: Saturday Reading 8/3/13

Hello Reader, It’s Saturday and after a long week of working, heck you might be in the office working right now, it’s time to let the disks image, the indexes run and the hashes hash while you sip some coffee and do some forensic reading. 1. If you haven’t watched/listened to it already we had a […]

Daily Blog #40: Web 2.0 Forensic Part 5

Hello Reader, In the past posts in this series we’ve focused on what you can recover from web 2.0 sites, how data sits on the disk and how data is transmitted across the network. In this post we talk about what these message fields mean and how to build a quick […]

Forensic Lunch 8/2/13

Hi there Reader, Just a reminder that in an hour we will be doing a Forensic Lunch broadcast. To watch live and ask questions go here: http://ow.ly/nzLd4 I’ll update the event to a link to the broadcast. If you can’t make it, don’t worry! I’ll have a recording up after the event ends on our YouTube channel here: http://www.youtube.com/user/LearnForensics Hope to see […]

Daily Blog #39: Web 2.0 Forensic Part 4

Hello Reader, I finally got Fiddler installed, it’s Windows only and available here http://fiddler2.com/get-fiddler, and it is much improved over the last time I used it! It even has an AJAX and XML decoder built in now which is a pretty huge improvement. In this post we are going to focus on what network data is actually being transmitted […]

Daily Blog #38: Web 2.0 Forensics Part 3

Hello Reader, This post is a bit late in the day but that happens sometimes when you are onsite and can’t sneak away for some blog writing. In the last two posts we’ve discussed where to find JSON/AJAX fragments and how Gmail stores message data within them. Today we will discuss how these artifacts are created and […]

Daily Blog #37: Web 2.0 Forensics Part 2

Hello Reader, Sunday Funday is always fun for me for two reasons. One, it gets me two blog posts out of one so I get more time to get work done and two, I like getting a general feeling of what level of understanding exists on certain artifacts. So while you get a prize, that […]

Daily Blog #36: Sunday Funday 7/28/13 Winner!

Hello Reader, This Sunday Funday I thought was easier than the last and we had several submissions both posted on the blog and submitted anonymously but only one was done before the deadline of Midnight PST. So congratulations go out to Jonathan Turner who while not having the most complete answer of […]

Daily Blog #35: Sunday Funday 7/28/13

Hello Reader, It’s that time again, Sunday Funday time! For those not familiar, every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week we have quite the prize from our friends […]

Daily Blog #34: Saturday Reading 7/26/13

Hello Reader, It’s Saturday, time to put on a long movie for the little ones while you fire up the web browser to prepare for another week of deep dives into forensic images. This week we have links to deep reads on a wide range of topics so I hope you’ll stay informed as we all move […]

Daily Blog #33: Web 2.0 Forensics Part 1

Hello Reader, I’ve finished two series, I’ve never even finished one in the last 5 years so I think this daily blog experiment is working. Thanks to all of you that are following along, I know it can be hard to keep up daily and for those that do (I compulsively watch pageviews) […]

G-C Partners