We continue our unforgetable journey to the world of cloud forensics. This time we are going to forensicate pCloud desktop application – pCloud Drive. pCloud is a file storage and synchronization service, emerged on September 13, 2013. The service supports cloud storage, file sharing, data backup and user collaboration. As of May 2018, pCloud has over 8 000 000 registered users all over the world, …

It seems we really enjoy forensicating desktop apps for cloud services. Last week we started from really secure cloud service app – Mega. This time we are going to continue with another, much more forensically friendly app, – Box. So Box is a popular enterprise content management platform, but, of course, can be used by regular users for managing content in the …

Nowadays almost everybody have an account at this or that cloud service. Dropbox, One Drive, Google Drive are some of the most popular services. There are also some services focused on security of their users data – one of such services is MEGA. According to the developers, “MEGA is fully accessible without prior software installs and remains the only cloud …

Timestamps play a very important role in many digital forensic examinations, so it’s very important for any forensic examiner or analyst to clearly understand how they work. SANS Institute has an amazing Windows Forensic Analysis poster illustrating Windows Time Rules, but recently a few of our DFIR friends noticed, that those rules are not working anymore. We have decided to …

Metasploit Framework is very popular not only among pentesters, but also quite often used by real adversaries. So why memory forensics is very important here? Because, for example, Meterpreter, an advanced, dynamically extensible Metasploit’s payload, resides entirely in memory and writes nothing to victim’s drive. In this article we will show you how to use Volatility Framework to find Metasploit’s traces with …

SQLite databases are very common sources of forensic artifacts nowadays. A lot of mobile applications store data in such databases, you can also find them on desktop computers and laptops as well, for example, forensicating web-browsers, messengers and some other digital evidence sources. There are a lot of forensic tools on the market that support analysis of SQLite databases, for …

Recently we have received a good question from one of our DFIR mates: “How can one detect backdating of the system clock forensicating macOS?”. This is a really good question, at least for us, so we decided to research. If we are talking about Windows system clock backdating – there are a lot of information to help, for example, this …

Yet another registry parser, or yarp, is a library and tools to deal with Windows registry files [1]. Despite the name, yarp is not a simple registry parser. The project started as an attempt to fully implement the Windows registry file format specification [2] and to provide features important to incident responders and forensic examiners. This article will highlight one …

We are not sure about your labs, but our receives more and more Macs for forensic examination every month. And, of course, some of the cases require us to find forensic artefacts of external USB drives connections and files copying. We know that you guys liked our last article regarding USB forensics on Windows systems, so we decided to write …

If you are a digital forensic examiner, you must know, that clients very often ask to find out, which sensitive files were copied to USB thumb drives by disgruntled employees before they left the company. There are a lot of articles and guides on USB forensics on the Web, but most of them dealing with the flash drives and not the computer …