Author Archives: Unknown

I’ve talked about toolmarks before…what they are, why (I believe) they’re important, that sort of thing.  I’ve also described how I’ve implemented them, and about toolmarks specific to different artifacts, such as LNK files. The primary source f… Continue reading Extracting Toolmarks from Open Source Intel→

As you can imagine, 2020 has been a very “different” year, for a lot of reasons, and impacts of the events of the year have extended far and wide.  One of the impacts is conference attendance, and to address this, several conferences have opted to… Continue reading Speaking at Conferences, 2020 edition→

 I thought today of all days would be a good time to break from tradition and share a post that has nothing to do with DFIR or Windows, one that isn’t technical, nor related to computers. Some of you may be aware that once, in a galaxy far, f… Continue reading Happy Birthday, Marine Corps!→

How often to DFIR analysts think about name resolution, particularly on Windows systems?  I know that looking back across engagements I’ve done in the past, I’ve asked for DNS server logs but very often, these were not available. I’m sure others h… Continue reading Name Resolution→

There are a number of settings within Windows systems that can and do significantly impact the functionality of Windows, and as a result, can also impact what is available to a #DFIR analyst.  These settings very often manifest as modifications to… Continue reading Settings That Impact The Windows OS→

Amnesty International today exposed details of a new surveillance campaign that targeted Egyptian civil society organizations with previously undisclosed versions of FinSpy spyware designed to target Linux and macOS systems.
Developed by a German compa… Continue reading FinSpy Spyware for Mac and Linux OS Targets Egyptian Organisations→