VolUtility – Web Application for Volatility

I have been very fortunate to be involved with some minor beta testing for a great new Web App tool created for Volatility by my good friend Kev!

The name alone gives you an idea of its usefulness but that is but the tip of the iceberg.  VolUtility is an excellent GUI front end packed with features to assist analysts wi...

Child Safety Online

Those of us who work within DFIR have probably at some time encountered inappropriate/criminal images and had to deal with the mental issues they bring with them (if not, consider yourself lucky)...

A happy and prosperous 2016 to all!

Well, 2015 has been a slow year for my blogging due to workload and also some personal ‘stuff’.

I am positive though that 2016 will see me blogging again, as I plan to get my head around PLASO and timesketch. Once I install them on my server I will be blogging about the install process and also running it against some infe...

Google Rapid Response – Build Process

During my SANS 508 I first heard about something called Google Rapid Response (GRR) and it piqued my interest then.  Unfortunately, as is normal following a SANS course, I was lost in the dark world I like to call ‘Indexing and Study’ or Hell 🙂 ...

Happy Christmas and a Prosperous New Year

It’s that time of year when I travel all around the UK visiting family and remembering what it’s all about.

This year has been an interesting one for me on my DFIR journey and I feel I have learned a great deal, although still I realise I have only just scratched the surface.

I have dipped my foot into a few areas whic...

Setting Up My Forensic Lab

I have finally bowed to the pressure of my good friend Kev and now have a server! I must point out that it is his old server and through his immense generosity now my new server! Thanks Kev 🙂

The server is an old IBM X3455:

4 CPUs x 2.593GHz

Dual Core AMD Opteron Processor 2218

Running ESXi-5.1.0

With 12GB of RAM

EnScripts – GUI USNJrnl.enscript

Those of you who are following my blog will remember that in my last EnScript blog post I created a UsnJrnl EnScript and I promised I would add a Graphical User Interface (GUI) to enhance its functionality...

EnScripts – USNJrnl.enscript

As I have mentioned previously, one of the things I want to learn to make me a better Forensic Analyst is Python. Mainly because Kev can’t complete a sentence at work without mentioning it, and also because I am inherently lazy and have been led to believe Python can do lots for me.

I recently read an excellent blog post about using Python scripts within EnScripts, written by James Habben, which gave a great tutorial on using the power of the Python scripting language within EnCase.  Now I have a real love for EnScripts because, as I said before, I am inherently lazy (sometimes I wish I was) and I like it when I can automate processes.  So I worked with Kev on the creation of an EnScript for AnalyzeMFT.py, which you can read about on his blog.  I must point out here that I am a complete beginner with both Python and EnScripts, so I have relied heavily on the teachings of Kev and also the very useful blog posts by James, but as I gain more experience I hope to add to that knowledge base in the future.

New Home For My Blog

Just a quick blog post on the reasoning behind moving my blog. There were several reasons for the move, the main one being the relocation to the techanarchy.net domain. The techanarchy blog is the creation of Kev, who I am lucky to call a friend and have learned a great deal from in the time I have known him...

Timestamp Anomalies – $MFT

Going through my SANS 508 material I decided to have a closer look at some of the material on the Master File Table ($MFT) in the NTFS file system and how the analysis of it can be used to detect timestamp anomalies (Timestomping).

The first thing I wanted to do was extract my MFT so I can then run a tool against it for...