I am pleased to announce that the latest version of MetaDiver (2.4.0) has been released. In this release there are a lot of nice new features and improvements including a single download with outlook bitness detection, hex viewer, binary strings viewer (thanks to Eric Zimmerman’s excellent bstrings) and many more. The expiration date has been
I have been doing testing with MacOS 10.11, El Capitan. Specifically I wanted to see if erasing a disk or disk partition using DiskUtil would leave a DiskUtil.log as it did in previous versions of MacOS. So far I have been unable to cause a DiskUtil.log to get created. I have read that DiskUtil has
MetaDiver v2.1.6 has been released. This build fixes a bug in email mappings. Download
In the DFIR (Digital Forensic and Incident Response) space there are always interesting things happening. Change is constant and sometimes exhausting. I’m taking a quick break from working on my presentation for CEIC 2015 on improving external forensic analysis and finishing up my chapter for the new version of Hacking Exposed Computer Forensic’s book to
MetaDiver 2.0 is finally here. I hope to drop the release the alpha of 2.0 tomorrow in Downloads! This is a huge list of features and changes for MetaDiver. It’s been a LOT of work but a lot of fun and much of the research that has gone into the code has been hugely beneficial
If you have ever been looking for a way to access your computer disk without having to deal with user permissions and constrains the operating system enforces then this is the series to read. David Cowen is working on an excellent series called “Automating DFIR” (Digital Forensics Incident Response) on his blog “Hacking Exposed Computer
Today I’m posting some research I did early last year related to querying Chrome Web Browser SQLite databases which is how Chrome stores most of the useful information that makes for a great browsing experience. A byproduct of course is useful information for an examiner. In this post I’m going to talk about two databases
When reviewing activity from a Mac OSX system there are a number of great artifacts to consider in your investigations. In this post I’m going to talk about the Quicklook database that stores metadata for thumbnails of files you view in the Mac Finder. When Finder session renders that thumbnail it tracks the thumbnail information
Over the weekend I finally took the time to dig through the source code from Arsenal for mounting forensic images. It’s been on my list for a long time so I was excited to do some hacking and see what I could come up with. Although the documentation is not good I was able to
I’ve made a few changes to ShadowKit to address feedback from users! (I know, finally) The changes that have been made are (changelog): *Exporting no longer uses numeric folders (0,1,2,x). Files are exported directly to the folder you have chosen for the exported files. *Fixed the Export Complete Dialogue so that it is now always