Daily Blog #101: Forensic Imaging Speed Testing

Howdy Reader, I’m off today to Burlington, Vermont to go talk to the students at Champlain College about computer forensics. I’m looking forward to a room full of students that are passionate about computer forensics who want to talk about what their future holds for them. If you watch the Forensic Lunch you got to see a preview of Eric […]

Daily Blog #100: What was burned to CD from Sunday Funday 9/15/13

Hello Reader, Another week and now it’s time to close out this series on how to solve the 9/15/13 Sunday Funday challenge. Also this is my 100th Daily Blog post! Woo! Only 252 to go! Oh man I should not have typed that out, one blog at a time Dave … one blog at a time. If you haven’t already […]

Daily Blog #99: Sunday Funday 9/29/13 Winner!

Hello Reader, Another challenge has found a victor! Congratulations to Steve M who provided this week’s best answer and really did a good job going into depth. Next week get ready for a full forensic image challenge and read what Steve M has to say today and next year when it appears in print in Hacking Exposed: […]

Daily Blog #98: Sunday Funday 9/29/13

Hello Reader, It’s Sunday Funday time again! I have some more images but I’m saving them for some bigger prizes, so this week will be another scenario question. I was talking this week to the Texas Lawyer Technology Summit about spoliation so I thought that would be a fun topic for this week’s Sunday Funday. The Prize: Your chance to become […]

Daily Blog #97: Saturday Reading 9/28/13

Hello Reader, It’s Saturday! It’s been a great week in the lab over at G-C, lots of good research and good cases keeping us going. This week I have another pile of good links for you to read over a hopefully uneventful weekend with lots of good stuff happening this week. 1. We had another Forensic Lunch this week with […]

Daily Blog #96: Forensic Lunch 9/27/13

Hello Reader, Today we had another great Forensic Lunch! On today’s show we had: Jake Williams – Talking about FOR 610 for SANS and the addition of a whole 6th day for NetWars style competition for malware reverse engineering, fun stuff! Harlan Carvey – Talking about Windows shell items and how they are embedded, parsed and understood. Windows shell items […]

Daily Blog #95: Webmail artifacts from Sunday Funday 9/15/13

Hello Reader, Tomorrow we have a pretty great Forensic Lunch coming together with Harlan Carvey, Zoltan Szabo and us in the lab talking about forensics, you can RSVP here for it. Today we are going to look at what remnants are left from the uploading and attachment of files from the Sunday Funday 9/15/13 image. We will finish this series […]

Daily Blog #94: Determining what was accessed from USB on Sunday Funday 9/15/13

Hello Reader, Friday’s Forensic Lunch is looking pretty good so far, our first confirmed guest this week is Harlan Carvey. Click the link above to RSVP and receive reminders and notification on when the stream begins at noon CST (GMT -5) so you can watch live and ask questions. Within the post I make heavy use of FTK Imager and […]

Daily Blog #93: FileZilla Artifacts

Hello Reader, Continuing from last week’s blogs on how to solve the 9/15/13 Sunday Funday we’ve covered how to quickly determine which USB devices were connected, today let’s look at another method that was used to transfer data, FileZilla. This is an interesting piece of analysis for me as it’s fun to see what an application you use on a […]

Daily Blog #92: Sunday Funday 9/22/13 Winner!

Hello Reader, This was a fun challenge, the clue here really was the specific version of OSX I referenced, 10.8 which added a new feature called ‘Revert to Last Save’ featured here: https://www.apple.com/osx/whats-new/features.html under Auto Save and detailed in the Apple support article here: https://support.apple.com/kb/HT4753. While there have been some interesting security writeups on this artifact we haven’t found much forensic […]

Daily Blog #91: Sunday Funday 9/22/13

Hello Reader, It’s that time again, Sunday Funday time! For those not familiar every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week we have our first full image challenge and […]

Daily Blog #90: Saturday Reading 9/21/13

Hello Reader, Another week has ended and for those of us not in the lab this weekend or onsite responding to some rude ruffian ruining an otherwise ideal weekend it’s time to give yourself a coffee break and get some forensic reading done. 1. If it’s the first item on my Saturday Reading list it must be this week’s Forensic […]

Daily Blog #89: Forensic Lunch 9/20/13

Hello Reader, We have another great Forensic Lunch for you, thanks to all of you who watched live with us! I hope you can join us for the next live broadcast so you can get your questions in. This week we had: Suzanne Widup with Verizon DBIR talking about VCDB; Jonathan Tomczak with TZWorks talking about new developments in tracking […]

Daily Blog #88: Solving the USB Device connections for Sunday Funday 9/15/13

Hello Reader, I thought it would be helpful for many of you who want to get some practice to walk through how to solve the image we used for last week’s Sunday Funday. This image is actually based on chapter 13 of the new book ‘Infosec Pro Guide to Computer Forensics’ but you don’t need to buy it to learn […]

Daily Blog #87: Slides and Link from today’s Austin HTCIA presentation

Hello Reader, We had a good time in Austin today where they gave us almost three hours to talk journal filesystem forensics, and boy did we! We went through NTFS, EXT3 and HFS+ with demos for different aspects of NTFS and HFS+ journal forensics. We are also releasing the beta of our HFS+ parser as we continue to expand our […]

Daily Blog #86: Sunday Funday 9/15/13 Answers

Hello Reader, Thank you to all of you who attempted our first full forensic image challenge. We are going to be alternating between images and scenarios for Sunday Fundays and I’ll continue trying to tweak the format and deadlines so all of you can have a chance! Today let’s give you the answer key to this Sunday Funday and […]

Daily Blog #85: Sunday Funday 9/15/13 Winner!

Hello Reader, This was an interesting experiment of a challenge. We left a lot of things to find in this image and tomorrow I’ll do a walk through of the artifacts. Today though it’s time to announce our anonymous winner! The Challenge: An employee has left your employer and left to a competitor. You have been given an […]

Daily Blog #84: Sunday Funday 9/14/13!

Hello Reader, It’s that time again, Sunday Funday time! For those not familiar every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week we have our first full image challenge and […]

Daily Blog #83: Saturday Reading 9/14/13

Hello Reader, It’s Saturday and I have my collection of links from the week ready to read. 1. We had another Forensic Lunch yesterday, with Joachim Metz, Kyle Maxwell and some of us in the G-C lab. You can watch it with the new Google+ Q&A feature here! https://plus.google.com/u/0/hangouts/onair/watch?hid=AP36tYeu7Y8bHZkP7bb8Bg2D77DjD6W0jyMmb9bquRnsdNvQrxBQ2kZV9LC9cPzkEnsCLvs&ytl=Pj5d6KFrRhw&hl=en&t=0 2. Corey Harrell has a new blog post up, http://journeyintoir.blogspot.com/2013/09/tools-to-grab-locked-files.html, talking […]

G-C Partners