In this blog post Arman Gungor discusses the problem of cloud emails native file format. He gives the definition for “native file format” term, overviews it in the cloud domain, and gives some nice examples, including Gmail, Hosted Exchange/Office 365 and IMAP.

Ahmed Hashad from 701 Labs has published a brief guide on using JTAG acquisition in mobile forensics. In the blog post he presents an overview of the method, gives some tips on when you should use it, and discusses its advantages and disadvantages.

Wolfgang Ettlinger from SEC Consult Vulnerability Lab has published an interesting research on how to manipulate forensic evidence. In the post he demonstrates an attack on a very popular digital forensic tool – EnCase Forensic Imager.

Adam Kramer has published a post in SANS DFIR blog about ‘rapid_env’. This is an open source tool he developed, “which allows for the instant, template based provisioning of a Windows environment. This can include elements such as files, registry keys, processes and mutex, all of which can alter the way that many of the current threats behave.”

Medium user @rootsecdev has published a post on how to automate print logging for DFIR purposes. In the post the author shows a simple .bat script and the process of Active Directory implementation.

Francesco Picasso from Zena Forensics has published a blog post on how to decrypt Windows Dropbox DBX files. Reading the post, you will get a nice overview of the encryption process, a bunch of useful scripts, and, of course, a clear DBX decryption tutorial. Just go and get it!

One of our favorite forensicators – David Cowen, – has published a very interesting post in Hacking Exposed Computer Forensics blog. In the post he notes, that now Windows on its own and without user request is removing unused device entries from the registry on a regular basis driven by Task Scheduler. These artifacts might be extremely useful for your cases, …

Brenton Morris has published an interesting blog post about using r2pipe for automatic malware unpacking. In the post he creates a Python script and uses it to unpack notorious Locky. This is another good example why we all should learn Python.

Preston Miller has published a cheat-sheet on tracking web-account activity. According to the post, “these can alert the user to suspicious activity and provide the investigator a built-in audit log to review”.

Here is a nice cheat sheet by Forensic Proof, showing USB device tracking artifacts on Linux and Mac OS X: