Category: DFIR

Hunting Evilness – GRR

“Hello World”. It seems like so long since I last posted that I felt I should say hello again 🙂

As is always the case, real life and work got in the way and my ability to blog became much diminished. I am hoping to become more active again and have been playing with Google Rapid Response (GRR) again on my home network...

VolUtility – Web Application for Volatility

I have been very fortunate to be involved with some minor beta testing for a great new Web App tool created for Volatility by my good friend Kev!

The name alone gives you an idea of its usefulness, but that is only the tip of the iceberg. VolUtility is an excellent GUI front end packed with features to assist analysts wi...

Google Rapid Response – Build Process

During my SANS 508 I first heard about something called Google Rapid Response (GRR), and it piqued my interest then. Unfortunately, as is normal following a SANS course, I was lost in the dark world I like to call ‘Indexing and Study’ or Hell 🙂 ...

Setting Up My Forensic Lab

I have finally bowed to the pressure of my good friend Kev and now have a server! I must point out that it is his old server and, through his immense generosity, now my new server! Thanks Kev 🙂

The server is an old IBM X3455:

4 CPUs x 2.593 GHz

Dual Core AMD Opteron Processor 2218

Running ESXi-5.1.0

With 12GB of RAM

i...

EnScripts – GUI USNJrnl.enscript

Those of you who are following my blog will remember that in my last EnScript blog post I created a UsnJrnl EnScript and I promised I would add a Graphical User Interface (GUI) to enhance its functionality...

EnScripts – USNJrnl.enscript

As I have mentioned previously, one of the things I want to learn to make me a better Forensic Analyst is Python, mainly because Kev can’t complete a sentence at work without mentioning it, and also because I am inherently lazy and have been led to believe Python can do lots for me.

I recently read an excellent blog post about using Python scripts within EnScripts, written by James Habben, which gave a great tutorial on using the power of the Python scripting language within EnCase. Now, I have a real love for EnScripts because, as I said before, I am inherently lazy (sometimes I wish I was) and I like it when I can automate processes. So I worked with Kev on the creation of an EnScript for AnalyzeMFT.py, which you can read about on his blog. I must point out here that I am a complete beginner with both Python and EnScripts, so I have relied heavily on the teachings of Kev and also the very useful blog posts by James, but as I gain more experience I hope to add to that knowledge base in the future.

Timestamp Anomalies – $MFT

Going through my SANS 508 material, I decided to have a closer look at some of the material on the Master File Table ($MFT) in the NTFS file system and how the analysis of it can be used to detect timestamp anomalies (timestomping).

The first thing I wanted to do was extract my MFT so I can then run a tool against it for...

Timeline Creation – Part 2 (Super Timeline)

As promised in my previous blog post, I would be moving on to create a Super Timeline, and my reason for carrying this out after the filesystem timeline is purely down to the time it takes to process.

The super timeline is a suitable name as it is a very powerful analysis tool...

Timeline Creation – Part 1 (Filesystem Timeline)

As I mentioned previously, I am currently studying for my GCFA (GIAC Certified Forensic Analyst) exam, and as part of my revision I am completing the exercises in the workbook.

One area I am enjoying very much is the timeline process...

Grep and icat

Just a very brief blog post regarding the power of grep and icat in relation to forensic images. I am currently revising for my GCFA certification and, as part of this revision, was looking at the creation of timelines, both the filesystem-based timeline and the super timeline.

I am the first to admit that I like a good...