FTK Imager (for OS X) to the Rescue
So you have been tasked with acquiring an Apple Macbook Air. There you are, it’s just you and the laptop and you’re losing; · Your favorite Linux distribution disk won’t boot, · You...
Check Out Microsoft's Audit Object Access Policy for Forensic Evidence!
Let's say client XYZ maintains sensitive budget information within a select folder on one particular Windows fileserver. When originally created, the folder was restricted to specific AD users. At some...
Basic Groundwork for cmd line Scripting Computer Forensic Tasks + VIDEO BONUS
Watch the video tutorial that I created for our internal team to see this in action and how it works: http://dl.dropbox.com/u/27705041/final%20bat%20with%20redact.wmv Task: 50 hard drives, Windows XP,...
Dear Dav Nads, help me make some folders
yoGirl: Davnads, you put the "sic" in forensic bc you got skillz. Davnads: dat rite. yoGirl: I'm trying to stage some data on my network for an eDiscovery engagement that I need to process using the...
Debian GNU/Linux Postfix Server Incident - p'owned?
Reason to believe a server was compromised and it's a physical Debian GNU/Linux mail server in a production environment? ...Sounds like fun! Below is a short list of items to consider when responding to...
Reminiscing about my CEIC 2010 video competition entry
In 2010, Guidance Software hosted a video competition for 2 free passes to their CEIC conference. We did not win because apparently it was not appropriate. I still went anyways, but reminiscing about...
Intellectual Property (IP) Theft and Technology 1o1o1o1
I'm working on a paper on High Tech Intellectual Property Theft so I thought I would share some food for thought! According to Wikipedia (whatev that's worth), Intellectual Property (IP) is a term...
Extending Reg Ripper, again.
A few months ago I posted how to automate the process of reporting all date/time instances a USB connection was made (including from Restore Points), using a combination of Mount Image Pro,...
Digital Forensics SIFT'ing: Cheating Timelines with log2timeline
Check out my article on SANS about cheating timelines with log2timeline: Digital Forensics SIFT'ing: Cheating Timelines with log2timeline
Article 7
Thank you to all of my #DFIR followers. Hope everyone had a great New Years. Let 2012 bring many dongles, matching hashes, and cold blowing CPU fans to everyone!-DAV NADS
Timeline Analysis: The Hybrid Approach
Harlan Carvey recently blogged about approaches to conduct Timeline Analysis: "So, anyway...I've been thinking about some of the things that I put into pretty much all of my timeline analysis...
Dav Nads was Nominated!!
Sorry for the lack of blog posts biatches but Dav Nads has been busy wrangling APT hackers and getting nominated for writing "best digital forensic article of year" by the digital forensic incident...
SANS DFIR Summit, Forensic4cast award, my presentations, now back to work!
The SANS Digital Forensic Incident Response Summit in Austin ROCKED! Rob Lee and all the SANS folks put on an awesome show. SANS 508: For me it started with the new SANS 508 class. If you haven't seen the...
Timeline Analysis - What's missing & What's coming..
If you missed my SANS 360 on timeline analysis... What the heck is timeline analysis?? Timeline creation and presentation is the concept of normalizing event data by time and presenting it in...
Timeline Analysis - More of what's coming..
So you're kicking back in your chair, with your feet up in the air, reviewing some timeline data in M$ Excel like a timeline bandit. You're filtering things, highlighting rows, making notes, and everything...
Dashboards, File Viewer, Hashing, and Date Plotter in l2t_Review #OMG
In my recent blog post titled Timeline Analysis - More of what's coming.. I introduced a method using l2t_Review to bring timelines to life with source data. Given a mounted disk image of the evidence...
#DFIR things DavNads is Thankful for on Thanksgiving
I hope everyone has a great Thanksgiving. I am going to attempt to deep fry a Turkey tonight so I wanted to get a blog post up in case it’s my last words! There’s often discussion about how to get...
4n6time Release Notice
After what feels like a year of "not having a life"... I am happy to announce 4n6time :-) 4n6time, formerly "l2t_Review", is a free, cross-platform forensic tool for timeline creation and review. Since...
My Windows 8 DFIR Reading List
Below is my reading list for Windows 8 DFIR. I suspect it’s only a matter of time until everyone sees a hard drive with Windows 8. If you have any other resources to add to the list, feel free to drop...
Melting snow, flash floods, and only a new 4n6time release ;-)
So wherever Kristinn Gudjonsson lives, there are apparently flowers, blossoming trees and a new plaso release. That must be really nice. In Chicago we still have melting snow, flash floods, and only a...
New weapon, Emailtime!
I often rely on timelines to tell the story. However, it's imperative to understand how the story was constructed to do this effectively. Thanks to tools like log2timeline and plaso it's easy to create...
EnCase via RDP (part 2)
As you probably already know, Remote Desktop Protocol and EnCase Forensic do not play well together in Windows 7, Server 2008, etc. As posted a few years ago, there are workarounds but none are...
4n6time v.05 - anyone know how I get a tax write off on this???
I've been super busy and actually forgot to announce that I posted 4n6time v.05 a few months ago. So here it is boys and girls. As always none of this would be possible without the tools that create...
4n6time v.06 - minor update
I posted a new version of 4n6time for Windows only. Download link here: https://googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/4n6time/ Not many significant changes. Below is a short summary. -Using...