Step by Step Guide to iOS Jailbreaking and Physical Acquisition
Oleg Afonin from Elcomsoft has posted a step by step guide on how to perform jailbreaking and physical acquisition of iOS devices. The guide is available here.
Apple’s iOS 12 is the latest iteration of their mobile device software. With each iteration Apple creates new system protections in order to enhance user privacy, which in turn inhibits the ability of forensic analysts to complete forensic analysis of Apple devices. With each iteration come workarounds that allow forensic analysts access to the information stored on these devices. …
Teru Yamazaki has posted about how to extract Windows Event Log files from allocated space and from Volume Shadow Copies, carve them from unallocated space with Bulk Extractor, and then parse all of the resulting EVTX files with Eric Zimmerman’s EvtxECmd.
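As an added example, not code from Teru Yamazaki's post or from Bulk Extractor, here is a small Python carver that does the unallocated-space step of that workflow by hand: it scans a raw image for the `ElfFile` file-header signature and the `ElfChnk` chunk signature, validates each candidate with the CRC32 fields the EVTX format carries, walks the record headers, and reports orphan chunks that no intact file header accounts for (the situation you get when the file header was overwritten but its 64 KiB chunks survive). The image it scans is constructed in memory; the record bodies are placeholder bytes rather than real BinXml, so on real output a parser such as EvtxECmd is still the next step.

```python
"""Carve EVTX files and orphan EVTX chunks out of a raw byte image.

Constructed example: the image is assembled in memory from synthetic logs; no
real disk is read. Offsets follow the public EVTX layout: 4 KiB file header,
64 KiB chunks, records tagged 0x2a2a0000, CRC32 checksums in both headers.
"""
import struct
import zlib

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
FILE_HEADER_SIZE = 4096
CHUNK_SIZE = 65536
RECORDS_START = 512  # chunk header 0..128, string/template tables 128..512

def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF

# --- builders used only to construct the sample image ---------------------
def build_record(rec_id, filetime, binxml):
    size = 24 + len(binxml) + 4  # header, body, trailing size copy
    return RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, filetime) + binxml + struct.pack("<I", size)

def build_chunk(first_id, payloads):
    chunk = bytearray(CHUNK_SIZE)
    chunk[0:8] = CHUNK_MAGIC
    off = last_off = RECORDS_START
    for i, body in enumerate(payloads):  # body is a placeholder, not real BinXml
        rec = build_record(first_id + i, 0x01D4A5B6C7D8E9F0, body)
        chunk[off:off + len(rec)] = rec
        last_off, off = off, off + len(rec)
    last_id = first_id + len(payloads) - 1
    struct.pack_into("<QQQQ", chunk, 0x08, first_id, last_id, first_id, last_id)
    struct.pack_into("<III", chunk, 0x28, 128, last_off, off)  # header size, last record, free space
    struct.pack_into("<I", chunk, 0x34, crc32(chunk[RECORDS_START:off]))
    struct.pack_into("<I", chunk, 0x7C, crc32(chunk[:120] + chunk[128:512]))
    return bytes(chunk)

def build_file(chunks, next_record_id):
    hdr = bytearray(FILE_HEADER_SIZE)
    hdr[0:8] = FILE_MAGIC
    struct.pack_into("<QQQ", hdr, 0x08, 0, len(chunks) - 1, next_record_id)  # first/last chunk, next id
    struct.pack_into("<IHHHH", hdr, 0x20, 128, 1, 3, FILE_HEADER_SIZE, len(chunks))  # hdr size, v3.1, block, chunks
    struct.pack_into("<I", hdr, 0x7C, crc32(hdr[:120]))
    return bytes(hdr) + b"".join(chunks)

# --- the carver -----------------------------------------------------------
def walk_records(chunk):
    """Record ids found by walking record headers up to the free-space offset."""
    free = struct.unpack_from("<I", chunk, 0x30)[0]
    ids, off = [], RECORDS_START
    while off + 28 <= free and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id = struct.unpack_from("<IQ", chunk, off + 4)
        if size < 28 or off + size > free or struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break  # trailing size copy must match: stop at the first damaged record
        ids.append(rec_id)
        off += size
    return ids

def chunk_valid(chunk):
    """Signature, header size and both CRC32 fields must agree before we trust a chunk."""
    if len(chunk) < CHUNK_SIZE or chunk[:8] != CHUNK_MAGIC or struct.unpack_from("<I", chunk, 0x28)[0] != 128:
        return False
    free = struct.unpack_from("<I", chunk, 0x30)[0]
    if not RECORDS_START <= free <= CHUNK_SIZE:
        return False
    return (struct.unpack_from("<I", chunk, 0x7C)[0] == crc32(chunk[:120] + chunk[128:512])
            and struct.unpack_from("<I", chunk, 0x34)[0] == crc32(chunk[RECORDS_START:free]))

def carve_evtx(image):
    hits, covered = [], set()
    pos = image.find(FILE_MAGIC)
    while pos != -1:
        hdr = image[pos:pos + FILE_HEADER_SIZE]
        if len(hdr) == FILE_HEADER_SIZE and struct.unpack_from("<I", hdr, 0x7C)[0] == crc32(hdr[:120]):
            n = struct.unpack_from("<H", hdr, 0x2A)[0]
            length = FILE_HEADER_SIZE + n * CHUNK_SIZE
            if pos + length <= len(image):
                offs = [pos + FILE_HEADER_SIZE + i * CHUNK_SIZE for i in range(n)]
                ids = [r for o in offs for r in walk_records(image[o:o + CHUNK_SIZE])]
                hits.append({"kind": "file", "offset": pos, "length": length, "record_ids": ids})
                covered.update(offs)  # chunks owned by an intact file are not orphans
        pos = image.find(FILE_MAGIC, pos + 1)
    pos = image.find(CHUNK_MAGIC)
    while pos != -1:
        chunk = image[pos:pos + CHUNK_SIZE]
        if pos not in covered and chunk_valid(chunk):
            hits.append({"kind": "chunk", "offset": pos, "length": CHUNK_SIZE, "record_ids": walk_records(chunk)})
        pos = image.find(CHUNK_MAGIC, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

def build_sample_image():
    """Constructed: zero filler, one intact log, a bare signature with no header, one orphan chunk."""
    intact = build_file([build_chunk(1, [b"<a/>", b"<b/>", b"<c/>"])], next_record_id=4)
    orphan = build_chunk(40, [b"<x/>", b"<y/>"])
    decoy = FILE_MAGIC + b"A" * 64
    return b"\x00" * 1000 + intact + b"\xff" * 500 + decoy + orphan + b"\x00" * 300

if __name__ == "__main__":
    for h in carve_evtx(build_sample_image()):
        print(f"{h['kind']:5} @ 0x{h['offset']:08x} len={h['length']} records={h['record_ids']}")
```

The two checks that matter in practice are the ones a naive signature grep skips: the header CRC rejects the bare `ElfFile` string that has no real header behind it, and the `covered` set stops the chunks of an intact file from being reported a second time as orphans. A file whose header is valid but whose declared length runs past the end of the image is dropped here; on a real case you would instead keep the surviving chunks, which this carver does automatically because they are then picked up by the orphan-chunk pass.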
David Via from FireEye has written a very good article focused on the following known sources of historical registry data:
Registry transaction logs (.LOG)
Transactional registry transaction logs (.TxR)
Deleted entries in registry hives
Backup system hives (REGBACK)
Hives backed up with System Restore
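The first of those sources matters even when you only care about the current hive: if the primary file was copied out while a write was in flight, the .LOG (on newer systems .LOG1/.LOG2) files still hold changes the primary does not. The following Python, an added example and not code from the FireEye article, reads the regf base block of a hive and reports whether the hive is dirty, which is the condition under which the transaction logs must be replayed before the hive is parsed. The hives it inspects are constructed in memory from the documented base-block layout; the FILETIME, root cell offset and hive-bins size are placeholder values.

```python
"""Detect a dirty registry hive from its base block.

Constructed example: hives are built in memory, not read from a Windows
system. In the regf base block the primary sequence number (offset 4) is
bumped when a write begins and the secondary (offset 8) when it completes,
so a mismatch means the transaction log holds data the primary lacks.
"""
import struct

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 4096

def regf_checksum(block):
    """XOR of the 127 DWORDs preceding the checksum field, with the two reserved results remapped."""
    x = 0
    for i in range(0, 508, 4):
        x ^= struct.unpack_from("<I", block, i)[0]
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if x == 0 else x

def build_base_block(primary_seq, secondary_seq, file_type=0, name="SYSTEM"):
    """Construct a base block for the example; values other than the sequence numbers are placeholders."""
    blk = bytearray(BASE_BLOCK_SIZE)
    blk[0:4] = REGF_MAGIC
    struct.pack_into("<II", blk, 4, primary_seq, secondary_seq)
    struct.pack_into("<Q", blk, 12, 0x01D4A5B6C7D8E9F0)  # last written FILETIME (placeholder)
    struct.pack_into("<IIII", blk, 20, 1, 5, file_type, 1)  # major 1, minor 5, file type, format
    struct.pack_into("<III", blk, 36, 0x20, 0x1000, 1)  # root cell, hive bins size, clustering factor
    blk[48:48 + 2 * len(name)] = name.encode("utf-16-le")  # 64-byte UTF-16LE name field
    struct.pack_into("<I", blk, 508, regf_checksum(blk))
    return bytes(blk)

def inspect_hive(data):
    """Summarise the base block and flag a hive whose log has not been applied."""
    blk = data[:BASE_BLOCK_SIZE]
    if len(blk) < BASE_BLOCK_SIZE or blk[:4] != REGF_MAGIC:
        raise ValueError("not a regf base block")
    primary, secondary = struct.unpack_from("<II", blk, 4)
    major, minor, file_type = struct.unpack_from("<III", blk, 20)
    stored = struct.unpack_from("<I", blk, 508)[0]
    return {
        "name": blk[48:112].decode("utf-16-le").rstrip("\x00"),
        "version": f"{major}.{minor}",
        "file_type": {0: "primary", 1: "transaction log"}.get(file_type, f"unknown({file_type})"),
        "primary_seq": primary,
        "secondary_seq": secondary,
        "checksum_ok": stored == regf_checksum(blk),
        "dirty": primary != secondary,  # True: replay .LOG/.LOG1/.LOG2 before parsing
    }

if __name__ == "__main__":
    for hive in (build_base_block(7, 7), build_base_block(8, 7, name="SOFTWARE")):
        print(inspect_hive(hive))
```

Run against a real `SYSTEM` or `SOFTWARE` file the call is simply `inspect_hive(open(path, "rb").read())`. A `dirty` result means a parser that ignores the logs will show the pre-write state; a failed checksum means the base block itself was damaged or partially overwritten, and the REGBACK or System Restore copies the article lists become the fallback.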
Lee Holmes has posted about how to extract activity history from PowerShell process dumps. Such dumps may be gold mines, especially if the compromised system doesn’t have PowerShell logging enabled.
Computer Incident Response Center of Luxembourg has published the materials used during their forensic training, including slides and links to the disk images. You can find these materials here.
Justin Boncaldo has written a post about forensic analysis of the Netflix app. The app doesn’t seem to store much data locally, least of all data that can be used for forensic purposes, but some user-action related data can be found.
John Walther has written an article about Snapchat forensics. He used an iOS device running 11.4.1 and an Android device running Marshmallow. For data extraction the author used Oxygen Forensic Detective 10.4.0.54. Here is what he got.
Marc Rivero López has presented a how-to guide for deploying Cuckoo Sandbox, an open source malware sandbox system.
Here is a post by Paul Cimino, in which he goes through the steps to create a macro-embedded Word document, extract the files, and then analyze them for malicious content.