As browser and operating system security have been improving, there has been a rise in conventional malware attacks relying instead on social-engineering based attacks. These socially-engineered attacks often rely on emails containing script-based malware loaders such as JavaScript, Visual Basic Script, or HTA files. When run, these scripts will be hosted with a Windows script execution engine and usually proceeds …

Matt Suiche has recorded a presentation on the new features of Comae Stardust, such as process memory dump support, YARA scans, human-readable reports and publishing snapshots:

In the world of forensics, mobile device investigations could be the most complicated of all. Ever changing technology guarantees that when it comes to you and your forensic tools, there is no such a thing as a monogamous relationship. There are a plethora of mobile forensics tools available to make your job easier, but do they? What happens when the …

ElMouatez Billah Karbab discusses his work at DFRWS EU 2018:

macOS forensics has not seen the kind of attention Windows gets. Few tools and documentation exist to specifically address macOS artifact processing needs, so the mac_apt – macOS Artifact Processing Tool, a Python, open-source, cross-platform, plugin-based framework with support for Apple File System and High Sierra was created. You’ll see how mac_apt can process complex artifacts and drastically cut down …

Reviewing web browsing activity is relevant in a wide variety of DFIR cases. With many users having multiple devices that may need to be analyzed, we need better ways to get answers quickly. This presentation will show how a synopsis of browsing activity can be a starting point before a deep-dive investigation and can help investigators decide whether a device …

Mobile devices investigation is a challenging field for forensic analysts, especially due to the increasing amount of data encryption mechanisms. The talk will give a brief overview on how to conduct a forensic investigation and examine the different approaches of physical and logical data acquisition methods. Furthermore, encryption mechanisms and countermeasures used on mobile devices are discussed on a high-level …

Looking for a “new” Windows artifact that is currently being underutilized and contains a wealth of information? Event Tracing for Windows (ETW) and Event Trace Logs (ETL) may be your answer. There’s nothing new about them, yet they can provide a wealth of information. Event Tracing for Windows was introduced in Windows 2000 and is still going strong in current …

A planned methodology for developing and implementing a forensically sound incident response plan in Microsoft’s Office 365 cloud environment must be thoroughly researched and re-evaluated over time as the system evolves, new features are introduced, and older capabilities are deprecated. This presentation will walk through the numerous forensic, incident response, and evidentiary aspects of Office 365. The presentation is based …

Here’s Brian Carrier’s presentation from Open Source Digital Forensics Conference (OSDFCon) 2018. In the presentation he walks attendees through new Autopsy features around messaging, email, and chats. You can download it here.