PsExec can be a very useful tool during incident response and live forensics work. For those that don't know, PsExec is a tool that can be used to execute commands on a remote Windows computer and was initially developed by Sysinternals, which is now …
Orphaned Files in an NTFS File System
A discussion came up recently at work around how a file can become identified as "Orphaned" in an NTFS file system and I thought that it would be a good topic to cover on my blog since understanding how this occurs aids in the forensic analysis of …
iPhone vulnerability allows data to be accessed, even when protected by a PIN
Security researcher Bernd Marienfeldt recently published his findings on the general state of iPhone security and has exposed a rather significant vulnerability present in the current iterations of the iPhone. It appears that even when the iPhone is …
Prevent residue when imaging…
A quick hint for a lazy Friday afternoon (actually I just finished analyzing and correcting a corrupt FAT table on a forensic image, so I'm not being lazy, I'm just tired :)): Most forensic investigators generally acquire drive images to some sort …
Write Blockers – Hardware vs Software
Utilizing a proven write blocker is generally important and a best practice during forensic investigations in order to ensure and prove that your actions as the investigator did not affect the original image (best evidence). Notice my use of the …
What are alternate data streams?
Alternate data streams (sometimes referred to as ADS) are a way for a user to obscure files that they don't want appearing within a file browser or a standard DIR listing (albeit they are easily discoverable with the right tools). ADS is specific …