In-Depth Forensic Analysis of Windows Registry Files
The Windows registry is an essential source of evidence when performing a wide range of examinations. In a recent talk (Zero…
Timestamp hiccups: Detecting manipulated filesystem timestamps on NTFS
Redundant capacity in filesystem timestamps is recently proposed in the literature as an effective means for information hid…
Chasing Adversaries with Autoruns â Evading Techniques and Countermeasures
Sysinternals Autoruns is a great utility for defenders to discover and disable malware and adversaries’ persistence po…
Forensic Artefacts Associated with Intentionally Deleted User Accounts
Digital forensics is an evolving discipline that looks for evidence in electronic devices. It is being utilised in investiga…
Windows Credentials Attacks, Mitigations & Defense
Windows credentials are arguably the largest vulnerability affecting the modern enterprise. Credential harvesting is goal nu…
Extract Common Windows Forensic Artifacts with ArtifactExtractor
ArtifactExtractor is a script that extracts common Windows artifacts from source images and VSCs. Artifacts in VSCs will be …
Amcache and USB Device Tracking
Jason Hale has published an interesting post on how to use the amcache to track USB devices. You can find device serial numb…
Finding and Decoding Malicious PowerShell Scripts
Mari DeGrazia has published a very useful post, which will help you to learn how to find and decode malicious PowerShell scr…
Autopsy 4.5.0 and the Sleuth Kit 4.5.0 have been released
The new versions of your favourite open source digital forensics tools – the Sleuth Kit and Autopsy have been released…
Plaso Heimdall Has Been Released
The Plaso development team has announced the new version of the tool – Heimdall. Here is the list of new features: New…
