The latest version of the system dedicated to forensic analysis and incident management, DEFT X, is released and available for downloading here.

GiftStick allows an inexperimented user to easily (one click) upload forensics evidence (such as some information about the system, a full disk image as well as the system’s firmware, if supported) from a target device (that will boot on an external device containing the code) to Google Cloud Storage. Learn more about the project at GitHub.

New versions of our open source DFIR tools have been released: Autopsy New Features: Removed data from table that are time intensive and can be found in content viewers (such as hash set hits) Added ability to find common items (files, emails, etc.) between current case and past cases using the Central Repository. Added ability to ignore common items that …

This Autopsy plugin by Rebecca Anderson won Autopsy Plugin Contest this year at Open Source Digital Forensics Conference (OSDFCon). It searches Virus Total for SHA1 hashes of executables from amcache. You can get the plugin here.

0.2-alpha version of memtriage has been released. This tool allows you to quickly query a Windows machine for RAM artifacts. It utilizes the Winpmem drivers to access physical memory, and Volatility for analysis.

Maxim Suhanov presented winmem_decompress – a program that tries to extract compressed memory pages from page-aligned data. Such compressed memory pages can be found in virtual memory of Windows 8.1 & 10 operating systems. Learn more about the tool here.

libfsapfs is a library and tools by Joachim Metz to access the Apple File System (APFS). Source code is available at GitHub.

Eric Zimmerman has released another amazing tool – VSCMount. Now we have “a simple way to mount Volume Shadow Copies from the command line without having to do much of anything except provide the drive letter to where the VSCs are and where you want the VSCs to be mounted to.” Learn more about it here.

In this post Harlan Carvey shows that most known methods used for forensicating Volume Shadow copies no longer work with Windows 10 – images. According to the author, “only vss.exe in conjunction with Arsenal Image Mounter” seems to work well.

Anbox is a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu. In other words: Anbox will let you run Android on your Linux system without the slowness of virtualization. Learn more about the tool here.