DFIR tagged posts

Immersive Labs Practical Skills Platform

As many of you know I have been in the DFIR realm now for just over 6 years and during that time have been very fortunate to attend many interesting and varied training courses, including SANS, De Montfort University, XRY and others...


Google Rapid Response – Build Process

During my SANS 508 I first heard about something called Google Rapid Response (GRR) and it piqued my interest then. Unfortunately, as is normal following a SANS course, I was lost in the dark world I like to call ‘Indexing and Study’ or Hell 🙂 ...


Happy Christmas and a Prosperous New Year

It’s that time of year when I travel all around the UK visiting family and remembering what it’s all about.

This year has been an interesting one for me on my DFIR journey and I feel I have learned a great deal, although still I realise I have only just scratched the surface.

I have dipped my foot into a few areas whic...


Setting Up My Forensic Lab

I have finally bowed to the pressure of my good friend Kev and now have a server! I must point out that it is his old server and through his immense generosity now my new server! Thanks Kev 🙂

The server is an old IBM X3455:

4 CPUs x 2.593GHZ

Dual Core AMD Opteron Processor 2218

Running ESXi-5.1.0

With 12GB of RAM

i...


EnScripts – GUI USNJrnl.enscript

Those of you who are following my blog will remember that in my last EnScript blog post I created a UsnJrnl EnScript and I promised I would add a Graphical User Interface (GUI) to enhance its functionality...


Timestamp Anomalies – $MFT

Going through my SANS 508 material I decided to have a closer look at some of the material on the Master File Table ($MFT) in the NTFS file system and how the analysis of it can be used to detect timestamp anomalies (timestomping).

The first thing I wanted to do was extract my MFT so I can then run a tool against it for...


Timeline Creation – Part 2 (Super Timeline)

As promised in my previous blog post, I would be moving on to create a Super Timeline, and my reason for carrying this out after the filesystem timeline is purely down to the time it takes to process.

The super timeline is a suitable name as it is a very powerful analysis tool...


Timeline Creation – Part 1 (Filesystem Timeline)

As I mentioned previously I am currently studying for my GCFA (GIAC Certified Forensic Analyst) exam and as part of my revision I am completing the exercises in the workbook.

One area I am enjoying very much is the timeline process...


Grep and icat

Just a very brief blog post regarding the power of grep and icat in relation to forensic images. I am currently revising for my GCFA certification and as part of this revision was looking at the creation of timelines, both the filesystem-based timeline and the super timelines.

I am the first to admit that I like a good...


Never-ending Training Cycle………..

As I lie here having finished another SANS course, this time the 508 Advanced Computer Forensic Analysis and Incident Response, it occurs to me that every day is and always will be a learning day! No one person within our chosen specialisation will ever be able to proclaim that they know it all (although some certainly ...
