Thoughts on managing increasingly complex digital forensics cases
We’ve all seen articles about the looming death of forensics due to the increase in data volume and data containers. The calmer folk generally just chuckle and get back to work, knowing that they’re...
Says the command line, “I’m not dead yet!”
Dan Mares has been writing command line utilities for computer forensics, ediscovery, and other purposes for years. The quality and capability of each utility demonstrates how long he’s been doing...
New home for analyzeMFT, now with current binary, source repo, downloads,...
With thanks to Cory Altheide, analyzeMFT has a new home at: http://code.google.com/p/opensourceforensics/ It is currently the only project there, but I will be adding a new project hopefully this week...
analyzeMFT 2.0 released – OO’d!
Matt Sabourin created an object-oriented version of analyzeMFT.py. Most of the MFT analysis code and other logic was retained from the original version (along with the comments). The OO version is...
Selling forensics consulting company and its assets
’tis time to move on. It is time to sell, or shut down, my consulting company and sell its assets. I’ve been working for Ernst and Young for almost six months now and I cannot see any reason to believe...
analyzeMFT has moved to GitHub
Just a quick note to say that analyzeMFT has moved to GitHub: https://github.com/dkovar/analyzeMFT I’ve got some other things in the works and was looking for a place that would allow me to neatly...
Digital photography and social networking anti-forensics
I attended a superb class on OSINT the other week. One of the topics covered using geolocation data in digital photographs found on social networking sites to gather intelligence on suspects....
It isn’t APT, it is SASPDT – Sometimes Advanced, Sometimes Persistent,...
I’m human (thankfully) and I get irked by simple things at times. Today it is due to conversations such as this one: Them: “That malware wasn’t very advanced, it is just a version of <insert commodity...
Dissecting a Blackhole 2 PDF (mostly) with peepdf.
I’m fairly new to malware analysis having spent most of the last ten years doing IT consulting, computer forensics, ediscovery, and some related work. I’m now doing a lot of incident response and am...
DFIR Fiction Reading List
The Digital Forensics and Incident Response fiction reading list, in no particular order: Ender’s Game – Orson Scott Card Jumper and Reflex - Steven Gould Most anything by John Grisham Daemon – Daniel...
Updated analyzeMFT – fixed MFT record number reporting
When I originally wrote analyzeMFT I assumed that the MFT record numbers would start at zero and politely increase by one for each record so “recordNumber = recordNumber + 1” would be valid. Happily,...
Improved bodyfile support
With more thanks to Jamie for the prompting, I’ve improved bodyfile support in the latest version of analyzeMFT. You can now specify just a bodyfile for output and do not need to create a normal output...
First steps in converting analyzeMFT to a Python module, plus improved error...
I started rewriting analyzeMFT so that it can be loaded as a module and called from other programs. The primary reason is to enable including it in plaso, but perhaps other programs will find a need...
analyzeMFT now available via pip
[Ed Note: Please excuse the formatting. WordPress seems to be doing something funky.] analyzeMFT just got two major, and related upgrades: You can install it via PyPi It is now a well behaved (?)...
Using analyzeMFT from other programs
Now that analyzeMFT is a package, it is much easier to use from other programs. Here’s a quick example. from analyzemft import mft input_file = open('MFT-short', 'rb') options =...
Adventures in Powershell for IR
So, I wanted to access locked registry hives. Simple enough using F-Response, but it devolves into various solutions that are not well supported after that. I came across one solution that was of...
analyzeMFT – ADS support added
The latest version of analyzeMFT is available on github. I’ve not pushed it out to Pypi and will hold off until I’m sure it is free of bugs due to this new work. The changes are: Fixed parsing and...
IRcollect – collect incident response information via raw disk reads and $MFT...
ircollect is a Python tool designed to collect files of interest in an incident response investigation or triage effort. This is very beta code. I’m hacking on it regularly, using it to learn about...
Patents in the DFIR community space
Good morning, David Cowen announced that he has submitted a patent application for NTFS TriForce. Let me start off by stating that I admire David quite a bit, I think TriForce is very useful and pushes...
SANS DFIR Summit Prague – Blue Team Perspectives slides
I gave a presentation at SANS DFIR Summit in Prague this morning. My presentation was designed to introduce DFIR practitioners to the larger business context that they might be working within. This...