Daily Blog #83: Saturday Reading 9/14/13

Hello Reader,        It’s Saturday and I have my collection of links from the week ready to read. 1. We had another Forensic Lunch yesterday, with Joachim Metz, Kyle Maxwell and some of us in the G-C lab. You can watch it with the new Google+ Q&A feature here! 2. Corey Harrell has a new blog post up,, talking […]

Daily Blog #82 Forensic Lunch 9/13/13!

Hello Reader,      We had a great forensic lunch today with Joachim Metz and Kyle Maxwell, topics included: Encyclopedia ForensicaXOR EncryptionForensic Research topics and how to get startedProgramming for forensicsand a HFS+ Journal parser demo! I tried the new Hangout Q&A function today so instead of embedding a youtube video I’m going to provide a link to the replay where not […]

Daily Blog #81: Encyclopedia Forensica

Hello Reader,         If you read yesterdays blog post I was trying to understand a system for determining what we don’t know. In the comments that followed there was a good conversation that lead to a system that should lead us there. Step 1. Create a neat project name (Check!)Step 2. Create a forensic wiki page for it (Check!)Step 3. Write […]

Daily Blog #80: What don’t we know?

Hello Reader,         One of the things we’ve been talking about through the blog, on twitter and elsewhere is forensic research. Joachim Metz has been nice enough to point out areas where ideas and topics of research that need to be completed have been accumulating and I think that’s great. What I keep wondering though is what don’t we know? What […]

Daily Blog #79: Student Research and You

Hello Reader,            Jonathan Rajewski reached out to the community on twitter asking for ideas for student research topics. I replied with an idea about shellbag testing and a student named Chad Waibel has picked up the task! You can follow his work here: He posted the initial set of questions to be answered we came up with and is promising […]

Daily Blog #78: Sunday Funday 9/8/13 Winner!

Hello Reader,          This was an interesting contest, when I was writing the scenario I anticipated a different set of answers than what I received. What came in correct but focused on what Dropbox can provide you rather than the dead box artifacts that I was expecting to see as they are widely published and known. The Challenge: Your suspect had […]

Daily Blog #77: Sunday Funday 9/7/13

Hello Reader,           It’s that time again, Sunday Funday time! For those not familiar every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week I am changing things up and letting the […]

Daily Blog #76: Saturday Reading 9/7/13

Hello Reader,         Another week of forensics down, lets get down to some interesting reading. I have a redeye right now, coffee and espresso, so I’m ready to focus. 1. Yesterday we had another Forensic Lunch, Eric Zimmerman, Phil Hagen, Lee Whitfield and our good folks in the lab at G-C had a great hour of discussion. We talked about […]

Daily Blog #75: Forensic Lunch 9/6/13!

Hello Reader,                It’s time again for the Forensic Lunch! Today join Eric Zimmerman, Phil Hagel, Lee Whitefield and in the G-C Studios Matt, Nicole, Rebecca and myself! Topics include:Forensic Image benchmarkingFUSE and NTFS3gNetwork ForensicsHFS+ Journal Parsingand more!

Daily Blog #74: The hidden burden of journaled filesystems in your imaging

Hello Reader,                A small diversion today as I prepare for tomorrows Forensic Lunch. A few months back we purchased a small, very small, computer from a company called xi3 known as the x5a, I liked the idea of a very portable computer system with lots of I/O (usb2 and eSATAon the x5a with usb3 coming on the x7a when […]

Daily Blog #73: Request for research topics

Hello Reader,            Today is a bit different in that I am not looking to push information to the community but rather solicit your feedback and ideas on what to push back to you. Today marks the first day of our intern Rebecca who for the next 3 months will be devoted to forensic research here […]

Daily Blog #72: Understanding the artifacts Prefetch

Hello Reader,            I hope you got some time off for the labor day weekend, I know I enjoyed my weekend. We have another forensic lunch coming up this Friday 9/6/13 at noon, make sure to let know you are coming to get the link as soon as it goes live here: Today we continue the […]

Daily Blog #71: Sunday Funday 9/1/13 Winner!

Hello Reader,         It’s Labor Day and boy did I have a great day. So great in fact that I woke up at 6am to smoke ribs rather than get this post up this morning. So here I am late labor day evening to announce the winner of yesterdays Sunday Funday contest! The Challenge:One of things that’s important in any […]

Daily Blog #70: Sunday Funday 9/1/13

Hello Reader,           It’s that time again, Sunday Funday time! For those not familiar every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week I am changing things up and letting the […]

Daily Blog #69: Saturday Reading 8/31/13

Hello Reader,        It’s Saturday! 1. We had another Forensic Lunch on Friday, watch it here. We talked about legitimate uses for Tor, the CryptoParty movement, our new Plist parser and much more! Give it a watch and tune in live next week and get involved! 2. Over on Mari DeGrazia’s ‘Another Forensic Blog’ there is a new […]

Daily Blog #68: Forensic Lunch 8/30/13

Hello Reader,       It’s time for another Forensic Lunch! Join us as we talk IR tools with Kyle Maxwell, More extended MAPI fun with James Lohman and updates on our OSX plist parser and the triforce.

Daily Blog #67 Understanding the artifacts DeviceClasses

Hello Reader,         Tomorrow is the Forensic Lunch, are you going to join us? Click here to RSVP and be notified when the YouTube link is live! Want to be on the video chat? Email me and I’ll get you in the video chat room. Today we are going to talk about the DeviceClasses registry key. Introduced in […]

Daily Blog #66: Understanding the artifacts setupapi.log/

Hello Reader,            Friday is quickly coming up, have you made plans to spend your lunch hour with us? You can eat while we talk and then type your questions so you can be polite and not talk with your mouth full. You can RSVP for the lunch here,, and email me if you want […]

Daily Blog #65: Understanding the artifacts EMDMgmt

Howdy Reader,            Another good Sunday Funday come and gone. I want to make these contests fun and accessible for you and for those vendors who have graciously provided prizes worth your time and effort! Have an idea of how to make Sunday Funday better? Comment here or email me Also remember that this Friday […]

Daily Blog #64: Sunday Funday 8/25/13 Winner(s)!

Hello Reader,            Another Sunday Funday has come and gone and this week I decided to change things up again. I gave out two questions and allowed people to either answer one or both of them. I thought this would be a fun way to allow for varying levels of difficulty within the same challenge. I […]

G-C Partners