Excited to be speaking on Improving Windows External Device Investigations at #CEICCONF next week #DFIR
Excited to be speaking on Improving Windows External Device Investigations at #CEICCONF next week. It’s almost time to talk digital forensics!
MetaDiver 2.0 alpha is now available for download! This is the first build after a major rewrite. I think you will like what you see but be sure to provide feedback on bugs so I can squash them! Download the build: https://45.76.237.35/Downloads/MetaDiver/ Review changelog: https://45.76.237.35/Downloads/MetaDiver/changelog.txt I hope you enjoy the MetaDiver! If you have feedback,
Got a Raspberry Pi 2 today. Microcenter has it on sale. You can also sign up for Windows 10 at the Windows Developer Program for IoT page to get on the list for when it becomes available for the Raspberry Pi 2. The latest Raspbian works great and is blazing fast in X-Windows compared to the
Kevin Stokes has a nice write-up on a newer Windows 8.1 event log that stores NTFS usage information, called the “Microsoft-Windows-Ntfs/NTFS Operational” log. It was enabled in an April 2014 Windows update. It logs useful information about the volume each time you plug a device into your computer or boot, creating a nice new
Earlier this week I gave a presentation on SQLite Forensics at the CEIC conference in Vegas. Later that day I gave an interview about my presentation on the Learn Forensics podcast live from CEIC. Watch here
Following my talk on SQLite Forensics at the CEIC conference, I want to share the scripts I wrote but did not get the opportunity to demo during the talk! I talked about using Python to export data from the Favicon database in the Chrome web browser, or from any SQLite database. In this post I’m going
This is an updated post (cross-posted from my RRTX Blog!) about building Access Data’s FTK Toolkit filters outside of FTK. Access Data probably won’t like this, since a filter built wrong can cause the client to crash. So let’s build it with care. If you are someone familiar with FTK
Welcome to part two of Unleashing log file analysis. In the last post I talked about the power of using LogParser to transform your Windows Event Logs. In this post I want to talk about using LogParser to transform your IIS Logs! So a quick recap from Part 1 of why I think LogParser is
Finding Shell Metadata: In my last post I talked about Shell32 in Windows and gave some background on how it works. In this post I want to talk about how we can leverage Shell in MetaDiver. With the latest MetaDiver you can choose to discover additional metadata. I have also provided a basic example using Windows
I want to continue to explore some of the powerful options in MetaDiver 1.1.1. What is Shell? I’m going to back up a bit and talk a little about what I mean when I talk about Shell and why I talk about it so much. Shell refers to the Windows Shell API functions. In Windows