New Home For My Blog

Just a quick blog post for the reasoning behind moving my blog. There were several reasons for the move, the main one being the relocation to the techanarchy.net domain. The techanarchy blog is the creation of Kev, who I am lucky to call a friend and have learned a great deal from in the time I have known him...

Timestamp Anomalies – $MFT

Going through my SANS 508 material, I decided to have a closer look at some of the material on the Master File Table ($MFT) in the NTFS file system and how the analysis of it can be used to detect timestamp anomalies (timestomping).

The first thing I wanted to do was extract my MFT so I can then run a tool against it for...

Timeline Creation – Part 2 (Super Timeline)

As promised in my previous blog post I would be moving on to create a Super Timeline and my reasons for carrying this out after the filesystem timeline is purely down to the time it takes to process.

The super timeline is a suitable name as it is a very powerful analysis tool...

Timeline Creation – Part 1 (Filesystem Timeline)

As I mentioned previously I am currently studying for my GCFA (GIAC Certified Forensic Analyst) exam and as part of my revision I am completing the exercises in the workbook.

One area I am enjoying very much is the timeline process...

Grep and icat

Just a very brief blog post regarding the power of grep and icat in relation to forensic images. I am currently revising for my GCFA certification and as part of this revision was looking at the creation of timelines, both the filesystem-based timeline and the super timelines.

I am the first to admit that I like a good...

Chrome Cache – Where’s the stash (Part 2)

In Part 1 of this blog I mentioned the metadata regarding one of the separate files contained within the deleted cache. I stated that I would further explain what is contained within that metadata; here is my interpretation and explanation.

f_00056 is a picture of the character Hermione Granger from the film Harr...

Chrome Cache – Where’s the stash? (Part 1)

As part of my ongoing training I have been fortunate enough to start down the road towards an MSc in Forensic Computing for Practitioners with De Montfort University, Leicestershire. We have been taught by 2 outstanding Professors, Prof B Jenkinson and Prof A Sammes, one of whom was involved in RFC1 back in 1969!

Never-ending Training Cycle………..

As I lie here having finished another SANS Course, this time the 508 Advanced Computer Forensic Analysis and Incident Response, it occurs to me that every day is and always will be a learning day! No one person within our chosen specialisation will ever be able to proclaim that they know it all (although some certainly ...
