This project helps a forensics analyst explore offline Docker filesystems. Docker uses layered backend filesystems like AuFS or OverlayFS. Each layer is actually stored on the host’s filesystem as multiple folders, and some JSON files are used by Docker to know what is what.
New versions of most popular open source DFIR tools, Autopsy and TSK, have been released. Here are the lists of new features: Autopsy A graph visualization was added to the Communications tool to make it easier to find messages and relationships. A new “Application” content viewer (lower right) that will contain file-type specific viewers (to reduce number of tabs). New …
If you are doing macOS memory forensics often enough, we have great news for you – 44 new OS X profiles have been just added to Volatility. You can find all of them at GitHub.
Eric Zimmerman presented a tool for parsing ActivitiesCache.db, which contains Windows 10 Timeline data. You can learn how to use it here and download the tool here.
Invoke-Adversary is a PowerShell script that helps you to evaluate security products and monitoring solutions based on how well they detect advanced persistent threats. You can learn more about the script here.
Dshell is an extensible network forensic analysis framework, that enables rapid development of plugins to support the dissection of network packet captures. It’s key features: Robust stream reassembly IPv4 and IPv6 support Custom output handlers Chainable decoders Learn more about it at GitHub.
If you are looking for a SIFT replacement and already have a Debian workstation, this package is for you. Forensics-full package will help you to get everything you need to perform a first class digital forensic examination. Worth a try!
The first beta Linux version of your favourite open source DFIR tool Autopsy. You can download it here. Now the tool has the following known limitations: Multi-user cases are not supported Local drives cannot be analyzed VMDK / VHDI images not supported Dead JAR issues if you ever run as ‘root’. Other users can’t overwrite one of the .so files. …
Jason Hale has presented his USB Detective tool in this post. USB Detective aims to ease the burden on the examiner by visually distinguishing attributes with inconsistent timestamps from those with multiple corroborating sources. You can download free community version of the tool or buy professional version here.
Polito Inc. has partnered with ReversingLabs (RL) and has developed a plugin extension called ReversingLabs Lookup Utility for Autopsy. You can download the plugin from their GitHub repo. Also, you can learn more about the plugin and its installation steps here.
Login
