SANS DFIR Summit, Forensic4cast award, my presentations, now back to work!
The SANS Digital Forensic Incident Response Summit in Austin ROCKED! Rob Lee and all the SANS folks put on an awesome show. SANS 508: For me it started with the new SANS 508 class. If you haven't seen the...
Timeline Analysis - What's missing & What's coming..
If you missed my SANS 360 on timeline analysis... What the heck is timeline analysis?? Timeline creation and presentation is the concept of normalizing event data by time and presenting it in...
Timeline Analysis - More of what's coming..
So you're kicking back in your chair, with your feet up in the air, reviewing some timeline data in M$ Excel like a timeline bandit. You're filtering things, highlighting rows, making notes, and everything...
Dashboards, File Viewer, Hashing, and Date Plotter in l2t_Review #OMG
In my recent blog post titled Timeline Analysis - More of what's coming.. I introduced a method using l2t_Review to bring timelines to life with source data. Given a mounted disk image of the evidence...
#DFIR things DavNads is Thankful for on Thanksgiving
I hope everyone has a great Thanksgiving. I am going to attempt to deep fry a turkey tonight, so I wanted to get a blog post up in case it's my last words! There's often discussion about how to get...
4n6time Release Notice
After what feels like a year of "not having a life"... I am happy to announce 4n6time :-) 4n6time, formerly "l2t_Review", is a free, cross-platform forensic tool for timeline creation and review. Since...
My Windows 8 DFIR Reading List
Below is my reading list for Windows 8 DFIR. I suspect it's only a matter of time until everyone sees a hard drive with Windows 8. If you have any other resources to add to the list, feel free to drop...
Melting snow, flash floods, and only a new 4n6time release ;-)
So wherever Kristinn Gudjonsson lives, there are apparently flowers, blossoming trees and a new plaso release. That must be really nice. In Chicago we still have melting snow, flash floods, and only a...
New weapon, Emailtime!
I often rely on timelines to tell the story. However, it's imperative to understand how the story was constructed to do this effectively. Thanks to tools like log2timeline and plaso it's easy to create...
EnCase via RDP (part 2)
As you probably already know, Remote Desktop Protocol and EnCase Forensic do not play well together in Windows 7, Server 2008, etc. As posted a few years ago, there are workarounds, but none are...
4n6time v.05 - anyone know how I get a tax write off on this???
I've been super busy and actually forgot to announce that I posted 4n6time v.05 a few months ago. So here it is, boys and girls. As always, none of this would be possible without the tools that create...
4n6time v.06 - minor update
I posted a new version of 4n6time for Windows only. Download link here: https://googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/4n6time/ Not many significant changes. Below is a short summary. - Using...