Processing Progress in Axiom

I recently got access to a license for Magnet’s Axiom product and have been using it periodically to explore and learn the features. I have used Magnet’s Internet Evidence Finder (IEF) for more years than I really want to admit because it will make me sound really old. I have relied on IEF as a …

NTFS Object IDs in EnCase – Part 3

In a previous post, I showed you how to make a condition to find all files in an NTFS volume that have Object IDs associated with them in NTFS. In this post, I will be showing you how to create a condition to search through the values of the Object IDs to filter on specific …

NTFS Object IDs in EnCase – Part 2

I posted previously about how to view the Object ID values, stored by NTFS, using EnCase as a forensic tool. In this post, I will show you a method to identify the files in your case that have an Object ID assigned to them. You can follow this using EnCase v7 or v8. Using EnCase …

NTFS Object IDs in EnCase

Over on the Hacking Exposed Computer Forensics blog, David Cowen has been posting up weekly challenges. I love that he is investing in the DFIR community (literally with $100 prizes). He posted a challenge on September 9, 2018 for readers to develop a python script to parse the NTFS $ObjId:$O alternate data stream. He apparently …

Parsing CFBundleURLSchemes from MacOS Apps

Several days ago, Objective-See shared details about an attack vector used by advanced attackers to target MacOS users. If you haven’t read about it, I encourage you to do that now since this post really won’t make a lot of sense otherwise. It is a very creative way to gain remote execution. Quick Review Applications …

Show and Search for Owner ID in X-Ways

I previously wrote about the digital forensic artifact left behind by a user creating a file on a Windows computer with NTFS. I also showed how to display the owner ID and search for all files owned by that ID. In this post, I am showing how to accomplish the same tasks in X-Ways Forensics …

Show and Search for NTFS Owner in EnCase

Windows can be such a weird and wonderful thing, both at the same time. In a digital forensics sense, the artifacts left behind from user activity often give me delight. The same artifacts can often leave me scratching my head about why they exist in the first place. One of those features is the owner …