Recently I have had cause to look again at how the Apple Safari web browser stores its cache. Surprisingly, much of what I wrote concerning Safari back in 2010 still holds true. The introduction of OS X Lion brought some changes, in that a new table, cfurl_cache_receiver_data, was created within the SQLite cache.db database and used to store the cached item as a binary large object in the receiver_data field.
Quality Assurance Practices are essential to ensure the overall quality of services that a...
Since PDF files are so common these days there's no shortage of tools to rip them apart and...
Digital forensic investigators can be dangerous; one poor assumption could lead to several false accusations. Because of this, proper interpretation of forensic artifacts is paramount in any investigation.
Corey Harrell has uploaded an excellent writeup on the workings of the Windows Application Experience and Compatibility features. Here he explains how process entries/traces show up in locations such as the ShimCache and RecentFileCache.bcf. For forensic/malware analysts, this is a great place to search for recently run processes.
This is pretty straightforward, but it depends on what we want to do with the files. I assumed that the larger files should be deleted since they are redundant. This will leave us with only the smallest file in the directory. Let's start off by listing all the files in the current directory and sorting them by size.
I bought Didier Stevens' PDF workshop and just started it today. As he was showing PDFiD, I was thinking about ways of using PDFiD to instantly focus my analysis efforts when faced with multiple PDF documents. Of course my mind turned to Python, but I thought of an even easier shell script which could potentially do the job, depending on the number of files you have!
The Application Experience and Compatibility feature is considered one of the pillars of the Microsoft Windows operating systems. Microsoft states in reference to the Microsoft Application Compatibility Infrastructure (Shim Infrastructure): "as the Windows operating system evolves from version to version changes to the implementation of some functions may affect applications that depend on them."
Belkasoft releases a major update to Belkasoft Evidence Center. Boosting version number to 6.0, the newest release of Belkasoft forensic suite facilitates a major price drop, introduces new editions, and offers a host of new features, functionality, and usability improvements.
Regardless of whether a Computer Forensics unit is a stand-alone entity within a law enforcement agency, a section within a forensic laboratory, or is housed within a private corporation or business, Quality Assurance Practices are essential to its overall success.
The Hacker Academy recently released its new Windows Registry Master Class. Prior to its release, Hacker Academy senior instructor Andrew Case contacted me and asked if I'd like to review the course. I, of course, said yes and got signed up when the course was ready.
Up to five Nissan North America information security employees could also do double duty as reserve sheriff’s deputies, assisting investigators on forensics cases as part of a first-ever arrangement between the automaker and the Williamson County Sheriff’s Department.
The pervasive spread of technology in our society has an important consequence: hardware has to be properly analyzed during the acquisition and qualification phases of the supply chain. We're surrounded by electronic devices and appliances that in many cases perform critical functions in areas such as telecommunications, defense and health. Because of that, it's crucial to validate the electronic components they contain.
FIREBrick is an easy to use modular platform which allows law enforcement departments to implement an evidence pre-processing solution. Features include autonomous disk imaging at speeds of up to 5 GB per minute with storage mirroring and encryption and free open source firmware.
The courts have generally accepted evidence collected from the Internet as long as its authenticity can be established. Commonly accepted digital forensic methodologies can all be used to identify a three-pronged approach to Internet forensics.
I conducted some analysis recently where I used timeline analysis, Volatility, and the Sniper Forensics concepts shared by Chris Pogue to develop a thorough set of findings in relatively short order. I was analyzing an image acquired from a system thought to have been infected with Poison Ivy. All I had to go on were IPS alerts of network traffic originating from this system on certain dates.
New court filings against Ross Ulbricht, the young Texan accused of being the mastermind behind the notorious Silk Road website, show new and compelling evidence that he was the man at the helm.
Due to changes with my employer last Spring my new responsibilities include all things involving incident response. I won’t go into details about what I’m doing for my employer but I wanted to share some linkz I came across. Similar to my responsibilities, these linkz include all things involving incident response.
Tracking USB device insertion times has never been an easy task, given that there is no direct timestamp saved by Windows for this activity, i.e., until Windows 8 arrived! This was a real pain in Windows Vista and 7, as dates and times were obtained from many different Registry keys' Last Modified timestamps. And while this was reasonably reliable, timestamps thus retrieved always had to be taken with a pinch of salt!
Identifying indicators when performing incident response activities is crucial. These indicators will give us points to pivot from that will not only help us broaden the scope of the analysis we are performing on the host, but will also help us locate additional compromised machines on our network.
What if the Kennedy assassination had happened during the era of smartphones and laptops? And, assuming the perpetrator left a digital trail, would that evidence uncover any associated conspiracy?
Nuix and ADF Solutions have formed a technology, sales and marketing partnership to combine their strengths in digital forensic triage, indexing and investigation.
When I first started delving into memory forensics, years ago, we relied upon controlled operating system crashes (to create memory crash dumps) or the old FireWire exploit with a special laptop. Later, software-based tools like regular dd and win32dd made the job much easier (and more entertaining as we watched the feuds between mdd and win32dd).
How a tool is used can also be very valuable information. For example, from Lance's post, as well as what I saw at OSDFC, folks use RegRipper, but apparently not the way I use it. It seems that the predominant means of using RegRipper is to just run all the plugins against the available hives. That may be good for some folks, but like Corey Harrell, I tend to take something of a more targeted approach.
So I was recently on a case where I knew I would have to go through some proxy logs. I thought I could use TrustedSource to upload text files of 100 IPs/domains at a time and get their results. Getting an account on TrustedSource is free and I like to use it when investigating. Sure, you have to break up the file into smaller files, but that's just a script ... no problem! But what if you have 1000 ... 5,000 domains to upload?
Per a couple of readers' requests, I'll be covering how to deobfuscate Magnitude using the latest version of Converter. From what the panel looks like, a better name for this kit would be "Death Touch EK." How appropriate for unpatched computers!
The way in which an SSD stores data is totally different from how data is stored on a traditional hard drive. To fully comprehend how an SSD functions and provide insight into their forensic examination, it is necessary to understand SSD terminology.
This article proposes moving away from a live box analysis approach and analyzing raw memory dumps offline. The authors propose a new rootkit analysis methodology based on using Windows' built-in debugger, WinDbg, to analyze snapshots of the computer's volatile memory.