Harlan Carvey recently wrote a post on his blog called Accessing Volume Shadow Copies, which provided some excellent instruction on how you can go about accessing Volume Shadow Copies (VSCs) from an existing image without having to use expensive …
Internet Explorer InPrivate URL Artifacts
Let's just say that you're doing an investigation of a subject and that the investigation centers around proving that they visited a certain website. Of course, you've checked the usual places: history files, typed URLs in the registry, etc. - but …
Quick Tip: PowerShell Grep Equivalent
I've used searching in my previous PowerShell posts, but I thought that it deserved a dedicated "Quick Tip" posting. I know that folks coming from a *nix background will be very familiar with using grep to search for pretty much anything and …
Searching the Registry using PowerShell
On a cold and rainy Thursday morning, I thought that it would be a good time to write a post on searching the Windows registry using PowerShell. In an Incident Response scenario you may want or need to do some live analysis on a compromised system, …
Turning off automount in Windows
Along with disabling autoplay/autorun, you may want to consider turning off the automount functionality on Windows systems that require high security; it is also a decent secondary protection on a forensics workstation (you are using a hardware write blocker …
Finding an Active Directory User's SID using PowerShell
I sometimes need a quick and easy way of determining a user's Active Directory SID (for example, when performing forensics on the Recycle Bin). Yes, there are ways to find out a SID in ADUC (check out how here) - but I think that utilizing …
Your company is a target – targeted phishing attacks
Whether you choose to believe it or not, your company (given it is of a reasonable size or deals with sensitive data) is, or will be, the target of a specific technology-oriented attack of some kind. And I’m not talking about a basic port scan here, I’m …
Determining the hostname of a Windows machine
A coworker just asked me this question, and I thought that it would be useful enough to create a quick post. If you'd like to find out the hostname of a Windows workstation/server and only have a drive image available (and don't want to boot it), …
The relevance of the Access time in timeline analysis
So - you're working on creating a timeline for a new disk image and you're finding that the subject accessed a large number of unrelated files in quick succession. Perhaps they were up to no good, but before utilizing this evidence to support any …
Recycle Bin Forensics in Windows 7 and Vista
Microsoft has significantly changed how files and their corresponding details are represented within the Recycle Bin in Windows 7 and Vista. In Windows XP, when files were placed into the Recycle Bin they were placed within a hidden directory named …