Quentin Jerome from RawSec shared an article on carving Windows Event Logs in EVTX format. He gives a short overview of the EVTX file format, presents carving pseudo-algorithm and a bunch of experiments.

BlackBag Training Team has published a post about Mac memory imaging and analysis. They start from different ways of capturing RAM: with administrator’s password and via reboot (yes, reboot) with MacQuisition. The team finishes their post with analysis of captured image with BlackLight.

In this video Joshua James uses SSDEEP to create fuzzy hashes of text and image files, and compare the similarity between files in a directory. SSDEEP is used to create hashes that are not exact matches, but instead compare similarity between two files at the binary level. It can be used to look for modified and original documents, or compare …

In this article Lenny Zeltser discusses the phenomenon of “fileless malware”. You’ll learn about known threats and also get some alternatives to saying “fileless malware”.

AFF4 (Advanced Forensics File Format v4.0) is the new standard in forensic imaging, a new container format for storing digital evidence which accelerates the digital forensic and incident response workflow. Reading this post you will learn how to add AFF4 support to The Sleuth Kit and Volatility on your Mac workstation.

Arman Gungor from Meridian Discovery has posted an article on forensic analysis of Microsoft Outlook attachments. In the article he performs in-depth analysis of Outlook attachments timestamps from a forensic point of view.

As you must already know, a massive cyber attack with Petya ransomware emerged yesterday, a month from notorious WannaCry attack. This isn’t the original Petya, but a modified sample, which is much more sophisticated. This piece of ransomware not only encrypts files, but also MFT, overwrites MBR and has custom bootloader, showing attackers’ message. If you are already infected, it’s …

Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) presented an 80-page guide on how to detect lateral movement through tracking event logs.

Basil Alawi S.Taher has posted a nice overview of how to start using VolUtility – a web frontend for Volatility framework. If you don’t like command line tools and you hate remembering plugins –  VolUtility is a very useful tool for you.

Joshua James has published a video-tutorial on how to build Linux kernel profiles for memory forensics with Volatility. He notes that Linux kernel changes data structures and debug symbols often, so it’s very important for a digital forensics examiner to be able to create Linux profiles for the version of Linux that he or she is trying to analyze.