Author Archives: Dave

Mounting images in macOS (mac4n6)

Sarah Edwards (mac4n6) has a nice quick write-up with the latest techniques for mounting various disk images when you are using a macOS computer. I’ve dealt with many of these issues, including Core Storage and encrypted FileVault disk images. It’s great to see more info out there! Link to the mac4n6 article: http://www.mac4n6.com/blog/2017/11/26/mount-all-the-things-mounting-apfs-and-4k-disk-images-on-macos-1013

FindUSBMSC updated – v20171030

I’ve updated FindUSBMSC to allow it to handle corrupted gzip files. You can find the latest version on my GitHub page at the link below.

Download: here’s where you can get version v20171030.

Change log:
# v20171026 – Fixes issue with gzipped logs not being processed due to wrong variable being returned.
# v20171030 –


Update to FindUSBMSC.py for #macos #USBMSC parsing #dfir

FindUSBMSC is a script to parse the system logs on macOS. It looks for USBMSC storage device plug-ins and links them back to the product information. This release includes some important fixes and improvements.

# v20171016 – Logic cleanup. Improve pid and vid parsing. Added list of unique devices. Added options parser.
# v20171017 –
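As an added example (this is not FindUSBMSC.py or any code from Dave’s GitHub), the Python below shows the two pieces the FindUSBMSC posts above describe: pulling USBMSC plug-in lines out of a macOS system.log, extracting the vendor and product IDs, collapsing repeat plug-ins into a list of unique devices, and reading a rotated .gz log without aborting when the archive is truncated or corrupt. The kernel log-line format, the sample log lines and the tiny vendor/product table (a stand-in for the usb.ids database) are all constructed assumptions for this example.

```python
import gzip
import re
import zlib

# Assumed format of the pre-Sierra macOS kernel message for a USB mass-storage
# plug-in (modelled on the "USBMSC Identifier (non-unique)" line):
#   <Mon DD HH:MM:SS> <host> kernel[0]: USBMSC Identifier (non-unique): <serial> <vid> <pid> <bcdDevice>, <n>
USBMSC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel\[\d+\]: "
    r"USBMSC Identifier \(non-unique\): (?P<serial>\S+) "
    r"(?P<vid>0x[0-9A-Fa-f]+) (?P<pid>0x[0-9A-Fa-f]+) (?P<bcd>0x[0-9A-Fa-f]+)"
)

# Constructed stand-in for the usb.ids database: {vid: (vendor, {pid: product})}.
USB_IDS = {
    0x0781: ("SanDisk Corp.", {0x5567: "Cruzer Blade"}),
    0x0951: ("Kingston Technology", {0x1666: "DataTraveler 100 G3/G4/SE9 G2/50"}),
}

# Constructed sample system.log excerpt (not a real capture). The SanDisk stick
# is plugged in twice so the unique-device list has something to collapse.
SAMPLE_LOG = (
    "Oct 16 09:12:44 macbook kernel[0]: USBMSC Identifier (non-unique): 4C530001230912345678 0x781 0x5567 0x100, 2\n"
    "Oct 16 09:12:45 macbook kernel[0]: unrelated kernel message\n"
    "Oct 16 11:03:07 macbook kernel[0]: USBMSC Identifier (non-unique): 07B50805B36C1D62 0x951 0x1666 0x110, 2\n"
    "Oct 17 08:45:01 macbook kernel[0]: USBMSC Identifier (non-unique): 4C530001230912345678 0x781 0x5567 0x100, 2\n"
)


def decompress_tolerant(data, chunk=4096):
    """Inflate a gzip blob, keeping whatever was recovered before a truncation
    or a corrupt block. Returns (bytes, complete); complete is True only when
    the gzip end-of-stream marker (CRC/ISIZE trailer) was actually seen."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper only
    out = bytearray()
    try:
        # Feed small chunks so a bad block late in the file still yields
        # everything that inflated cleanly before it.
        for i in range(0, len(data), chunk):
            out += d.decompress(data[i:i + chunk])
        out += d.flush()
    except zlib.error:
        pass  # corrupt block: keep what was already inflated
    return bytes(out), d.eof


def read_log_bytes(data):
    """Split a plain or gzipped log into lines; never raise on a damaged gzip."""
    complete = True
    if data[:2] == b"\x1f\x8b":  # gzip magic: a rotated system.log.N.gz
        data, complete = decompress_tolerant(data)
    return data.decode("utf-8", errors="replace").splitlines(), complete


def parse_usbmsc(lines):
    """One record per USBMSC plug-in line, with vid/pid resolved to names."""
    records = []
    for line in lines:
        m = USBMSC_RE.match(line)
        if not m:
            continue
        vid, pid = int(m["vid"], 16), int(m["pid"], 16)
        vendor, products = USB_IDS.get(vid, ("unknown vendor", {}))
        records.append({
            "ts": m["ts"], "host": m["host"], "serial": m["serial"],
            "vid": vid, "pid": pid, "bcd": int(m["bcd"], 16),
            "vendor": vendor, "product": products.get(pid, "unknown product"),
        })
    return records


def unique_devices(records):
    """Collapse repeat plug-ins of the same (vid, pid, serial) into first/last seen and a count."""
    devices = {}
    for r in records:
        key = (r["vid"], r["pid"], r["serial"])
        d = devices.setdefault(key, {
            "vendor": r["vendor"], "product": r["product"],
            "first_seen": r["ts"], "last_seen": r["ts"], "count": 0,
        })
        d["last_seen"] = r["ts"]
        d["count"] += 1
    return devices


def sample_gzip():
    """The constructed sample log as an in-memory gzip archive."""
    return gzip.compress(SAMPLE_LOG.encode())


if __name__ == "__main__":
    # Simulate a rotated .gz whose 8-byte trailer was lost (constructed, in memory).
    lines, complete = read_log_bytes(sample_gzip()[:-8])
    print("gzip stream complete:", complete)
    for (vid, pid, serial), d in unique_devices(parse_usbmsc(lines)).items():
        print(f"{vid:04x}:{pid:04x} {serial} {d['vendor']} / {d['product']} "
              f"x{d['count']} first={d['first_seen']} last={d['last_seen']}")
```

The tolerant reader deliberately reports whether the trailer was seen rather than silently treating a cut-off archive as whole: for a forensic timeline it matters that the tail of a rotated log may be missing, so the flag belongs in your notes alongside whatever device list you recover.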


Visual Studio registry artifacts – part 1 – find & replace #dfir

When you use Visual Studio it leaves a lot behind that is valuable to an investigator. We are going to briefly review the “Find and Replace” history that gets left behind.

Find and Replace

Registry location: “…\Software\Microsoft\VisualStudio\<version #>\Find”

Below you can see my Find history.


Upgraded hosting hardware

In the past week I moved the websites www.easymetadata.com and www.redrocktx.com from shared hosting to a VPS. I’m noticing a huge difference for $4/month more. I know I’m stubborn for not ditching the whole website thing and moving to Medium. I’m just not that hipster. I like having a shell and control. Anyway, hopefully you
