Carve and recreate VSS catalog with vss_carver
Minoru Kobayashi has presented a tool for carving and recreating deleted VSS at at Japan Security Analyst Conference 2018. T…
Recycle Bin Forensics
As a continuation of Richard Davis’ “Introduction to Windows Forensics” series, this video introduces Recy…
Detection of Backdating the System Clock in macOS
Recently we have received a good question from one of our DFIR mates: “How can one detect backdating of the system clo…
Carving Fragmented Registry Files
Yet another registry parser, or yarp, is a library and tools to deal with Windows registry files [1]. Despite the name, yarp…
Windows Console Command History: Valuable Evidence for Live Response Investigation
Tom Sela has posted an updated version of his paper originally published in the March 2017 edition of eForensics Magazine. T…
iOS Imaging on the Cheap! – Part Deux! (for iOS 10 & 11)
Sarah Edwards has published the second part of her “iOS Imaging on the Cheap” series. This time the post include…
Statistical Methods for Analyzing Event Time-Series Data in Digital Forensics
This CSAFE webinar was presented by Dr. Padhraic Smyth from University of California, Irvine on September 28, 2017. Descript…
How to Mount Mac APFS Images in Windows
In the first post of the new year Mari Degrazia is writing about mounting APFS images in Windows. The thing is, Paragon has …
Correlate Cases and Get Intelligence
Starting with Autopsy 4.5.0, you can now determine when a file or phone number (or other artifact) was seen in a previous ca…
Introduction to Plaso Heimdall
As a continuation of the “Introduction to Windows Forensics” series by Richard Davis, this video introduces Plas…
