Phill Moore has written a nice post in his new blog – ThinkDFIR. This post will help you to understand what orphaned files are (of course if you still don’t know).

Jason Hale has published a post about the impact of VBS on memory acqusition. With Windows 10 and Server 2016, Microsoft added the option to enable various forms of virtualization-based security (VBS), such as Credential Guard, Device Guard, Application Guard, and more. In the post you will learn which tools to use to overcome these new features.

Yogesh Khatri has published a very useful post – he shows how to find the serial number of a Mac computer or laptop. There are a few system databases that store this information and make it available for forensic investigators to use: consolidated.db cache_encryptedA.db lockCache_encryptedA.db You can find information about the databases location in the original post.

In this post Jamie McQuaid from Magnet Forensics shows how to create Android physical images via custom recovery with AXIOM, step by step. Flashing a recovery image to an Android device will work on a phone even if it has a passcode lock, bypassing it completely and allowing you to acquire a full physical image of the device.

Another interesting article has been posted by Andrea Fortuna. This time he is writing about event logs recovery from a Windows memory image. The author uses two approaches, depending on OS version. If he deals with Windows XP and 2003, he uses evtlogs Volatility plugin, for other Windows versions he uses Willi Ballenthin’s EVTXtract.

Quentin Jerome from RawSec shared an article on carving Windows Event Logs in EVTX format. He gives a short overview of the EVTX file format, presents carving pseudo-algorithm and a bunch of experiments.

BlackBag Training Team has published a post about Mac memory imaging and analysis. They start from different ways of capturing RAM: with administrator’s password and via reboot (yes, reboot) with MacQuisition. The team finishes their post with analysis of captured image with BlackLight.

In this video Joshua James uses SSDEEP to create fuzzy hashes of text and image files, and compare the similarity between files in a directory. SSDEEP is used to create hashes that are not exact matches, but instead compare similarity between two files at the binary level. It can be used to look for modified and original documents, or compare …

In this article Lenny Zeltser discusses the phenomenon of “fileless malware”. You’ll learn about known threats and also get some alternatives to saying “fileless malware”.

AFF4 (Advanced Forensics File Format v4.0) is the new standard in forensic imaging, a new container format for storing digital evidence which accelerates the digital forensic and incident response workflow. Reading this post you will learn how to add AFF4 support to The Sleuth Kit and Volatility on your Mac workstation.