Monthly Archives September 2014

EnScripts – USNJrnl.enscript

As I have mentioned previously, one of the things I want to learn to make me a better Forensic Analyst is Python, mainly because Kev can’t complete a sentence at work without mentioning it, and also because I am inherently lazy and have been led to believe Python can do a lot for me.

I recently read an excellent blog post about using Python scripts within EnScripts, written by James Habben, which gave a great tutorial on using the power of the Python scripting language within EnCase. Now I have a real love for EnScripts because, as I said before, I am inherently lazy (sometimes I wish I was) and I like it when I can automate processes. So I worked with Kev on the creation of an EnScript for AnalyzeMFT.py, which you can read about on his blog. I must point out here that I am a complete beginner with both Python and EnScripts, so I have relied heavily on the teachings of Kev and also the very useful blog posts by James, but as I gain more experience I hope to add to that knowledge base in the future.


New Home For My Blog

Just a quick blog post on the reasoning behind moving my blog. There were several reasons for the move, the main one being the relocation to the techanarchy.net domain. The techanarchy blog is the creation of Kev, who I am lucky to call a friend and from whom I have learned a great deal in the time I have known him...


Timestamp Anomalies – $MFT

Going through my SANS 508 material, I decided to have a closer look at some of the material on the Master File Table ($MFT) in the NTFS file system and how analysis of it can be used to detect timestamp anomalies (timestomping).

The first thing I wanted to do was extract my $MFT so I could then run a tool against it for...
