Bitscout allows anyone who is running Ubuntu OS to build own LiveCD/LiveUSB image to be used for remote digital forensics (or other tasks of your own choice). Bitscout relies on 3 roles in the process of remote forensics: 1. The Owner. The owner is a user who has physical access to the target system and owns it. The owner’s role …

Chromensics is an open source tool by Nishant Grover capable of reading all information from Chrome Browser directory and present it to an examiner in easy readable tabular format. The tool will also allow you to retrieve information from other Chrome installation brought from different machine for analyzing. The acquired artifacts can be exported in PDF report to present it in …

Andrea Fortuna has published a useful list of Python tools you can use for malware detection and analysis. You will learn about pyew, Exefilter, jsunpack-n, yara-python, phoneyc and pyClamd.

With help of yarGen you can generate YARA rules automatically. The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use. You can learn more …

New version of FSEventsParser has been released. FSEvents files are written to disk by OS X apis and contain historical records of events that occurred for the partition. They are stored in the root of the partition within the directory ‘/.fseventsd/’. FSEvent files can be found on the OS X system partition and can also be found on external storage devices that …

PassMark Software has released a beta version of Volatility Workbench – a graphical user interface (GUI) for the Volatility tool. Volatility Workbench is free, open source and runs in Windows. It provides a number of advantages over the command line version including: No need to remember command line parameters Storage of the operating system profile, KDBG address and process list with the memory …

Mark McKinnon has written a plugin that will export the /.fseventsd directory to the temp folder and will then call an executable program that will parse the data into a SQLite database and import it into Autopsy into the Extracted Content area. Learn more about the plugin here.

The new version of our favorite open source forensic tool – Autopsy, – has been released. New triage features. Make a VHD image during analysis. Pre-program files to analyze… Version 4.4.0 can be downloaded here.

Adam Witt has presented a fresh Python script. It’s called Windows Prefetch Carver and, as you already understood, can be used to carve Windows Prefetch artifacts from arbitrary binary data. Unfortunately, Windows 10 Prefetch files are compressed, and are unable to be carved from disk in this manner, but all other Prefetch formats are supported (Windows XP – Windows 8.1).

Daan Raman from NVISO Labs has published a blog post about their new tool – binsnitch.py. You can use this tool to detect unwanted changes to the file system. Use binsnitch.py to: create a baseline of trusted files for a workstation (golden image) and use it again later on to automatically generate a list of all modifications made to that system (for …