Timestamps play a very important role in many digital forensic examinations, so it’s very important for any forensic examiner or analyst to clearly understand how they work. SANS Institute has an amazing Windows Forensic Analysis poster illustrating Windows Time Rules, but recently a few of our DFIR friends noticed, that those rules are not working anymore. We have decided to …

Metasploit Framework is very popular not only among pentesters, but also quite often used by real adversaries. So why memory forensics is very important here? Because, for example, Meterpreter, an advanced, dynamically extensible Metasploit’s payload, resides entirely in memory and writes nothing to victim’s drive. In this article we will show you how to use Volatility Framework to find Metasploit’s traces with …

SQLite databases are very common sources of forensic artifacts nowadays. A lot of mobile applications store data in such databases, you can also find them on desktop computers and laptops as well, for example, forensicating web-browsers, messengers and some other digital evidence sources. There are a lot of forensic tools on the market that support analysis of SQLite databases, for …

Recently we have received a good question from one of our DFIR mates: “How can one detect backdating of the system clock forensicating macOS?”. This is a really good question, at least for us, so we decided to research. If we are talking about Windows system clock backdating – there are a lot of information to help, for example, this …

Yet another registry parser, or yarp, is a library and tools to deal with Windows registry files [1]. Despite the name, yarp is not a simple registry parser. The project started as an attempt to fully implement the Windows registry file format specification [2] and to provide features important to incident responders and forensic examiners. This article will highlight one …

We are not sure about your labs, but our receives more and more Macs for forensic examination every month. And, of course, some of the cases require us to find forensic artefacts of external USB drives connections and files copying. We know that you guys liked our last article regarding USB forensics on Windows systems, so we decided to write …

If you are a digital forensic examiner, you must know, that clients very often ask to find out, which sensitive files were copied to USB thumb drives by disgruntled employees before they left the company. There are a lot of articles and guides on USB forensics on the Web, but most of them dealing with the flash drives and not the computer …

For a long time one of the most common sources of ransomware and other malware have been spear phishing emails. Such emails are targeted towards a specific person or organization, and are used by attackers to steal data or install malicious software. If you are doing digital forensics, you must know that such attacks are quite common even in 2017. …

Nowadays more and more people use encryption to protect the backups of their iPhone, iPad, or iPod touch in iTunes. That’s why this is one of typical problems of modern digital forensics. As you know, iTunes backups can be found in the following locations: Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/ Windows 7, 8 or 10: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\ Of course, if the backup you found …

In this article, we are going to take a close look at the fundamentally new sources of digital evidences that are typical for the new version of the Windows 10 operating system, such as Notification center, new browser Microsoft Edge and digital personal assistant Cortana. Also, we will study some of the sources that were in the previous versions of …