Category Archives: Forensics

Mounting images in macOS (mac4n6)

Sarah Edwards (mac4n6) has a nice, quick write-up of the latest techniques for mounting various disk images when you are using a macOS computer. I’ve dealt with many of these issues, including Core Storage and encrypted FileVault disk images. It’s great to see more info out there!

Link to the mac4n6 article: http://www.mac4n6.com/blog/2017/11/26/mount-all-the-things-mounting-apfs-and-4k-disk-images-on-macos-1013

FindUSBMSC updated – v20171030

I’ve updated FindUSBMSC to allow it to handle corrupted gzip files. You can find the latest version on my GitHub page at the link below.

Download

Here’s where you can get version v20171030.

Change log

# v20171026 – Fixes issue with gzipped logs not being processed due to wrong variable being returned.
# v20171030 –


Visual Studio registry artifacts – part 1 – find & replace #dfir

When you use Visual Studio, it leaves a lot behind that is valuable to an investigator. We are going to briefly review the “Find and Replace” history that gets left behind.

Find and Replace

Registry location: “…\Software\Microsoft\VisualStudio\<version #>\Find”

Below you can see my Find history.
