In the first post of the new year Mari Degrazia is writing about mounting APFS images in Windows. The thing is, Paragon has a free (preview) driver to mount APFS volumes in Windows! So with conjunction with our favourite Arsenal Image Mounter you can easily mount and browse APFS images with your Windows workstation.
Jessica Hyde (Magnet Forensics) and Brian Moran (BriMorLabs) have presented a document summarizing the URLs to query from Amazon to return some of the Amazon Echosystem data. You can find the results of their research here.
This post by TM4n6 covers the use of the Android Debug Bridge (ADB) command-line tool on Linux. It focuses on the extraction of forensically relevant data from mobile devices packaged with the Android Operating System developed by Google.
With the continuous development of data recovery and digital forensics technology, techniques for forensic data recovery from the logic layer of hard drives are constantly improving. Yet there remains a great challenge: how to recover fragmented files? Through a case study of fragmented files in XFS file system, forensic experts from SalvationDATA will explain in this issue how to recover fragmented files …
In this post Jessica Payne writes about how to use the built in Windows Event Forwarding components of Windows, some PowerShell scripts, and PowerBI desktop to create a fast, free, and effective console for diagnosing problems and finding Indicators of Attack in a network.
Mimikatz is a common tool used by APT in modern cyber attacks to harvest admin’s and user’s login credentials. It’s very important for any analyst dealing with investigations of such attack to clearly understand how it works and what traces he or she might find. Here is the unofficial guide to Mimikatz and command reference by Sean Metcalf.
Sarah Edwards has written an amazing blog post at mac4n6, which will help you to mount APFS and 4k disk images on macOS 10.13, both RAW and EWF, using xmount. If you are dealing with macOS forensics, this is a must read!
Cindy Murphy from Gillware has published a very interesting post on how to reset the backup password in iOS 11. Here is an excerpt from it: “Appleâs help page about encrypted backups got an update when iOS 11 came out. They give the following advice for people who have forgotten their backup password: You canât restore an encrypted backup without its password. With iOS …
SANS Institute has presented a short tutorial with Lenny Zeltser on how to intercept IP connections in a malware analysis lab:
Jason Hale has published an interesting post on how to use the amcache to track USB devices. You can find device serial numbers, descriptions (e.g. FriendlyName-like values), volume names, VID/PID data, and more.
Login
