Timestamp Anomalies – $MFT

Going through my SANS 508 material I decided to have a closer look at some of the material on the Master File Table ($MFT) in the NTFS file system and how the analysis of it can be used to detect timestamp anomalies (Timestomping)

The first thing I wanted to do was extract my MFT so I can then run a tool against it for...

Read More

Timeline Creation – Part 2 (Super Timeline)

As promised in my previous blog post I would be moving on to create a Super Timeline and my reasons for carrying this out after the filesystem timeline is purely down to the time it takes to process.

The super timeline is a suitable name as it is a very powerful analysis tool...

Read More

Timeline Creation – Part 1 (Filesystem Timeline)

As I mentioned previously I am currently studying for my GCFA (GIAC Certified Forensic Analyst) exam and as part of my revision I am completing the exercises in the workbook.

One area I am enjoying very much is the timeline process...

Read More

Grep and icat

Just a very brief blog post regarding the power of grep and icat in relation to forensic images.  I am currently revising for my GCFA certification and as part of this revision was looking at the creation of timelines both the filesytem based timeline and the super timelines.

I am the first to admit that I like a good...

Read More

Chrome Cache – Where’s the stash (Part 2)

In Part 1 of this blog I mentioned the metadata regarding one of the separate files contained within the deleted cache.  I stated that I would further explain what is contained within that metadata, here is my interpretation and explanation.

f_00056 is a picture of the character Hermionie Granger from the film Harr...

Read More

Chrome Cache – Where’s the stash? (Part 1)

As part of my ongoing training I have been fortunate enough to start down the road towards an MSc in Forensic Computing for Practitioners with De Montfort University, Leicestershire.  We have been taught by 2 outstanding Professors, Prof B Jenkinson and Prof A Sammes, one of which was involved in RFC1 back in 1969!

Read More

Never-ending Training Cycle………..

As I lie here having finished another SANS Course this time the 508 Advanced Computer Forensic Analysis and Incident Response, it occurs to me that everyday is and always will be a learning day!  No one person within our chosen specialisation will ever be able to proclaim that they know it all (although some certainly ...

Read More