Blog

Daily Blog #62: Saturday Reading 8/24/13

Hello Reader, It’s Saturday? How did that happen? Time for another Saturday Reading. I’ve been trying to expand my reading list to find more DFIR-related blogs and websites to bring you good content every Saturday. What I’ve noticed is that most of the old blogs I was following have fallen silent. If you know of a […]

Daily Blog #61: Forensic Lunch 8/23/13

Hello Reader, It’s time for another Forensic Lunch!

Daily Blog #60: On the business of being in business in the expert business, business

Hello Reader, We’ve been going strong, 60 days of blogs. To those of you who have kept up daily, I salute you. I’ve been keeping things mainly technical, but at times I know there is a wider audience of people who are also curious about other aspects of computer forensics. With that in mind I’m going of […]

Daily Blog #59: Understanding the artifacts ShellBags

Hello Reader, Another day, another blog. They say if you’ve done something for two weeks it becomes a habit. Well, it’s been two months and I will tell you that I know each evening that I should be writing tomorrow’s blog, but life (and good TV shows/movies) often gets in the way. So I just got […]

Daily Blog #58: Understanding the artifacts Jump Lists

Hello Reader, Another Sunday Funday is behind us and from it I’ve identified another blog series that needs to be written. We are trucking along through the artifacts needed to better understand usage. We’ve covered LNK files, the USN Journal, USB Stor and User Assist. Today we are going to jump into Jump Lists, which first made […]

Daily Blog #57: Sunday Funday 8/18/13 Winner!

Hello Reader, Another Sunday Funday behind us and another winning answer given. This week we did a Linux challenge and from the lack of responses and high readership I would say that this is a weak point for most of you. I have noted this and will devote some future blog posts to Linux forensics. This […]

Daily Blog #56: Sunday Funday 8/18/13

Hello Reader, It’s that time again, Sunday Funday time! For those not familiar, every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week I am changing things up and letting the […]

Daily Blog #55: Saturday Reading 8/16/13

Hello Reader, Wait, it’s Saturday? Where did the week go? It’s time for another Saturday Reading, where I list out what I’ve been reading this week and what tools we’ve been trying out. Let’s get started. 1. We had another Forensic Lunch yesterday, http://www.youtube.com/watch?v=wOHG_pwHyRo. Brian Lockery came on to talk about the crimes against children conference and his products. […]

Daily Blog #54: Forensic Lunch 8/16/13

Hello Reader! It’s Friday and time for another Forensic Lunch! You can watch it live and ask us questions, or watch the recording later. See you tomorrow for Saturday Reading!

Daily Blog #53: The TriForce is now Patent Pending

Hello Reader, Short one today as I’m trying to get some work done; tomorrow I’ll continue our series of understanding the artifacts into jump lists. I’m happy to announce that we’ve filed a provisional patent on the TriForce and what new types of analysis we can perform with it. I debated for a long time […]

Daily Blog #52: Understanding the artifacts LNK Files

Hello Reader, Time to continue the series of understanding the artifacts, building up to a deeper understanding of proving usage. Today we are going to go into a well-known artifact, LNK files, and then move through Jump Lists, MRU keys and the other artifacts we use to establish use and explain how to […]

Daily Blog #51: Understanding the artifacts USNJrnl

Hello Reader, I’m going to change tracks this week and focus on a deeper understanding of the USNJrnl and its associated artifacts to prove usage from our challenge two weeks ago. To prepare for this series I want to take a bit to explain what each of the artifacts we rely on for proof of usage were […]

Daily Blog #50: Sunday Funday 8/11/13 Winner!

Hello Reader, Wow, there are a lot of OS X and Time Machine loving DFIR people out there! I received a lot of submissions and they are all very good. I had to read over and compare the submissions but one was a clear standout. Congratulations to Sarah Edwards (@iamevltwin) who brought an answer so well written it had […]

Daily Blog #49: Sunday Funday 8/11/13

Hello Reader, It’s that time again, Sunday Funday time! For those not familiar, every Sunday I throw down the forensic gauntlet by asking a tough question. To the winner go the accolades of their peers and prizes hopefully worth the time they put into their answer. This week I am changing things up and letting the […]

Daily Blog #48: Saturday Reading 8/10/13

Hello Reader, It’s Saturday! Hooray! The week is over and FedEx pickup ends earlier today, meaning you either have extra time in the lab or some time at home. Either way, get some coffee and let’s get our forensic reading going. 1. Joachim Metz has updated his volume shadow specification paper, not this week […]

Daily Blog #47: Forensic Lunch 8/9/13

Hello Reader, Going to try something different today and see if I can embed our Forensic Lunch live stream in the blog! Forensic Lunch is something we are trying to do every Friday, where we talk about updates to research from around the community as well as our challenges and successes here in the G-C Lab. If all goes well you […]

Daily Blog #46: Understanding the Artifacts USBStor

Hello Reader, No time to finish my Gmail code review, so I’m going to continue the understanding the artifacts posts to keep things going. I got some good responses yesterday from the prolific Joachim Metz regarding what he’s seen in User Assist keys, which I updated the post to include. The more we share […]

Daily Blog #45: Understanding the artifacts: User Assist

Hello Reader, Turns out Gmail is very complicated, so I need more time to parse through the JavaScript and CSS to find the right code that is rendering the array of emails to viewable text. If you’ve already done this, feel free to leave me a note in the comments below or via email […]

Daily Blog #44: Forensic Tips – Shadow Access

Hello Reader, I’m going to take a break today from the web 2.0 series for two reasons. 1. I’m not ready to write up the next post yet until I’ve reviewed the rest of the JavaScript that is parsing the message headers and contents we talked about last week. 2. A method I’ve been […]

Daily Blog #43: Sunday Funday Winner 8/5/13

Hello Reader, Another Sunday Funday is behind us and some more great answers were given. Thanks to everyone who submitted on Google+ and anonymously! I’ve learned from this week’s challenge that I need to be a bit more specific to help get more focused answers; I’ll make sure to do that for next week’s challenge. This week Eric […]

G-C Partners