Author: Lee Whitfield

  • Deleted vs “Deleted”

    This morning, in my Enfuse talk (MAC Times, Mac Times, and more) I made a blanket statement. I usually avoid these but, in this case, I made a deliberate blanket statement. I provided the example from the SANS Windows Forensic Poster and showed, from the poster, that MAC times are not updated when a file…

  • My New Company

    Hi everyone. I just wanted to make a minute to let you know that in addition to my working at SANS I’ve also set up a company so that I can keep doing the forensics work that I love. I will, of course, continue to post here when I have something to say. I’ll also…

  • Awards Nomination Closing Date and News

    A number of people have asked me about the closing date for the nominations for the Forensic 4:cast Awards. Well here it is: March 31, 2017 I will be accepting nominations as long as it is still March 31 somewhere in the world. I will then spend a couple of days tallying the nominations before…

  • MacOS Timestamps from Extended Attributes and Spotlight

    I started this whole thing just with a general idea that I want to track times across USB devices on MacOS. As I went further down the rabbit-hole, however, I seem to have gotten lost and can’t seem to find my way back without finding more unexplored tunnels. It seems as if there are more…

  • More MacOS File Movements

    No sooner had I posted the last article than I started getting questions, all along the same theme. “What about NTFS?” They shout. “I’m working on it,” I replied. And so I was. To review, HFS+ has five timestamps: Created Modified (last written) Accessed Record Change Added Date NTFS, on the other hand, has eight:…

  • MacOS File Movements

    We continue to see more and more Apple devices come through our doors here at Digital Discovery. As such I do what I can to increase my knowledge in this area on a regular basis. I often rely on Sarah Edwards for assistance. She truly is a genius, not like the so-called geniuses at the…

  • Forensic 4:cast Awards 2016 – Results

    This year’s Forensic 4:cast Awards were held on Thursday June 23, 2016. The awards were at the SANS DFIR Summit. A lot of the categories were EXTREMELY close. Congratulations to all the nominees, and especially to the winners The finalists for each category is listed below. The winners are highlighted in red. Computer Forensic Software of…

  • Voting is Closed

    Took a few days to get this out, for which I apologize. Life is crazy sometimes. Voting for the 2016 Forensic 4:cast Awards is now closed. The winners will be announce at the SANS DFIR Summit in Austin (details can be found here: https://www.sans.org/event/digital-forensics-summit-2016) on June 23, 2016 at 4:45pm Central. If you’ve been nominated, please…

  • As Promised

    Every year. Every damned year. Well, these people caught me on a morning when I feel unwell and decidedly curmudgeonly. So here’s their email and my reply. This is Helena from Compelson, the creators of MobilEdit. Hello Lee, Unfortunately we didn’t receive any invitation from you, that is time to vote… Any chance we could…

  • Ken Johnson

    I considered writing this on Facebook but, then, the audience would be somewhat limited. Occasionally I write personal things here but today is a mix of both professional and personal. This is Ken Johnson. You may also know him as @Patories on Twitter. On Monday evening Ken was in the Milwaukee area on Business with…