Daily Blog #90: Saturday Reading 9/21/13

Hello Reader, Another week has ended, and for those of us not in the lab this weekend or onsite responding to some rude ruffian ruining an otherwise ideal weekend, it’s time to give yourself a coffee break and get some forensic reading done. 1. If it’s the first item on my Saturday Reading list it must be this week’s Forensic […]

Daily Blog #89: Forensic Lunch 9/20/13

Hello Reader, We have another great Forensic Lunch for you, thanks to all of you who watched live with us! I hope you can join us for the next live broadcast so you can get your questions in. This week we had: Suzanne Widup with Verizon DBIR talking about VCDB; Jonathan Tomczak with TZWorks talking about new developments in tracking […]

Daily Blog #88: Solving the USB Device connections for Sunday Funday 9/15/13

Hello Reader, I thought it would be helpful for many of you who want to get some practice to walk through how to solve the image we used for last week’s Sunday Funday. This image is actually based on chapter 13 of the new book ‘Infosec pro guide to computer forensics’ but you don’t need to buy it to learn […]

Daily Blog #87: Slides and Link from today’s Austin HTCIA presentation

Hello Reader, We had a good time in Austin today where they gave us almost three hours to talk journal filesystem forensics, and boy did we! We went through NTFS, EXT3 and HFS+ with demos for different aspects of NTFS and HFS+ journal forensics. We are also releasing the beta of our HFS+ parser as we continue to expand our […]

Daily Blog #86: Sunday Funday 9/15/13 Answers

Hello Reader, Thank you to all of you who attempted our first full forensic image challenge. We are going to be alternating between images and scenarios for Sunday Fundays and I’ll continue trying to tweak the format and deadlines so all of you can have a chance! Today let’s give you the answer key to this Sunday Funday and […]

Daily Blog #85: Sunday Funday 9/15/13 Winner!

Hello Reader, This was an interesting experiment of a challenge. We left a lot of things to find in this image and tomorrow I’ll do a walkthrough of the artifacts. Today though it’s time to announce our anonymous winner! The Challenge: An employee has left your employer and left for a competitor. You have been given an […]

Daily Blog #84: Sunday Funday 9/14/13!

Hello Reader, It’s that time again, Sunday Funday time! For those not familiar, every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week we have our first full image challenge and […]

Daily Blog #83: Saturday Reading 9/14/13

Hello Reader, It’s Saturday and I have my collection of links from the week ready to read. 1. We had another Forensic Lunch yesterday, with Joachim Metz, Kyle Maxwell and some of us in the G-C lab. You can watch it with the new Google+ Q&A feature here! 2. Corey Harrell has a new blog post up, talking […]

Daily Blog #82: Forensic Lunch 9/13/13!

Hello Reader, We had a great forensic lunch today with Joachim Metz and Kyle Maxwell, topics included: Encyclopedia Forensica, XOR Encryption, Forensic Research topics and how to get started, Programming for forensics, and a HFS+ Journal parser demo! I tried the new Hangout Q&A function today so instead of embedding a YouTube video I’m going to provide a link to the replay where not […]

Daily Blog #81: Encyclopedia Forensica

Hello Reader, If you read yesterday’s blog post I was trying to understand a system for determining what we don’t know. In the comments that followed there was a good conversation that led to a system that should lead us there. Step 1. Create a neat project name (Check!) Step 2. Create a forensic wiki page for it (Check!) Step 3. Write […]

Daily Blog #80: What don’t we know?

Hello Reader, One of the things we’ve been talking about through the blog, on Twitter and elsewhere is forensic research. Joachim Metz has been nice enough to point out areas where ideas and topics of research that need to be completed have been accumulating and I think that’s great. What I keep wondering though is what don’t we know? What […]

Daily Blog #79: Student Research and You

Hello Reader, Jonathan Rajewski reached out to the community on Twitter asking for ideas for student research topics. I replied with an idea about shellbag testing and a student named Chad Waibel has picked up the task! You can follow his work here: He posted the initial set of questions to be answered that we came up with and is promising […]

Daily Blog #78: Sunday Funday 9/8/13 Winner!

Hello Reader, This was an interesting contest. When I was writing the scenario I anticipated a different set of answers than what I received. What came in was correct but focused on what Dropbox can provide you rather than the dead box artifacts that I was expecting to see, as they are widely published and known. The Challenge: Your suspect had […]

Daily Blog #77: Sunday Funday 9/7/13

Hello Reader, It’s that time again, Sunday Funday time! For those not familiar, every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week I am changing things up and letting the […]

Daily Blog #76: Saturday Reading 9/7/13

Hello Reader, Another week of forensics down, let’s get down to some interesting reading. I have a redeye right now, coffee and espresso, so I’m ready to focus. 1. Yesterday we had another Forensic Lunch, Eric Zimmerman, Phil Hagen, Lee Whitfield and our good folks in the lab at G-C had a great hour of discussion. We talked about […]

Daily Blog #75: Forensic Lunch 9/6/13!

Hello Reader, It’s time again for the Forensic Lunch! Today join Eric Zimmerman, Phil Hagen, Lee Whitfield and in the G-C Studios Matt, Nicole, Rebecca and myself! Topics include: Forensic Image benchmarking, FUSE and NTFS3g, Network Forensics, HFS+ Journal Parsing, and more!

Daily Blog #74: The hidden burden of journaled filesystems in your imaging

Hello Reader, A small diversion today as I prepare for tomorrow’s Forensic Lunch. A few months back we purchased a small, very small, computer from a company called xi3 known as the x5a. I liked the idea of a very portable computer system with lots of I/O (USB2 and eSATA on the x5a with USB3 coming on the x7a when […]

Daily Blog #73: Request for research topics

Hello Reader, Today is a bit different in that I am not looking to push information to the community but rather solicit your feedback and ideas on what to push back to you. Today marks the first day of our intern Rebecca who for the next 3 months will be devoted to forensic research here […]

Daily Blog #72: Understanding the artifacts: Prefetch

Hello Reader, I hope you got some time off for the Labor Day weekend, I know I enjoyed my weekend. We have another forensic lunch coming up this Friday 9/6/13 at noon, make sure to let us know you are coming to get the link as soon as it goes live here: Today we continue the […]

Daily Blog #71: Sunday Funday 9/1/13 Winner!

Hello Reader, It’s Labor Day and boy did I have a great day. So great in fact that I woke up at 6am to smoke ribs rather than get this post up this morning. So here I am late Labor Day evening to announce the winner of yesterday’s Sunday Funday contest! The Challenge: One of the things that’s important in any […]

G-C Partners