Wylie, Texas
lee@forensic4cast.com

Blog

Forensic 4:cast Awards 2018 – Voting is Open

The nominations have been tallied (sorry for the lateness, life is very busy) and the nominees have been decided. They are as follows:

Computer Forensics Software of the Year: Magnet Axiom/IEF, Belkasoft Evidence Center, X-Ways Forensic

Digital Forensic Blog of the Year: Forensic Focus Blog, Murphy’s Laws of Digital Forensics, This Week in 4n6

Phone…

Forensic 4:cast Awards 2018 – Nominations are Now Open

If you don’t know anything about the Forensic 4:cast Awards, where have you been for the past nine years? Every year we celebrate the achievements of digital forensic investigators around the world by giving awards to those that have been deemed as worthy by their peers. There is no advisory panel, no interference in the…

Deleted vs “Deleted”

This morning, in my Enfuse talk (MAC Times, Mac Times, and more) I made a blanket statement. I usually avoid these but, in this case, I made a deliberate blanket statement. I provided the example from the SANS Windows Forensic Poster and showed, from the poster, that MAC times are not updated when a file…

My New Company

Hi everyone. I just wanted to take a minute to let you know that in addition to my working at SANS I’ve also set up a company so that I can keep doing the forensics work that I love. I will, of course, continue to post here when I have something to say. I’ll also…

Awards Nomination Closing Date and News

A number of people have asked me about the closing date for the nominations for the Forensic 4:cast Awards. Well, here it is: March 31, 2017. I will be accepting nominations as long as it is still March 31 somewhere in the world. I will then spend a couple of days tallying the nominations before…

MacOS Timestamps from Extended Attributes and Spotlight

I started this whole thing just with a general idea that I want to track times across USB devices on MacOS. As I went further down the rabbit-hole, however, I seem to have gotten lost and can’t seem to find my way back without finding more unexplored tunnels. It seems as if there are more…

More MacOS File Movements

No sooner had I posted the last article than I started getting questions, all along the same theme. “What about NTFS?” They shout. “I’m working on it,” I replied. And so I was. To review, HFS+ has five timestamps: Created, Modified (last written), Accessed, Record Change, Added Date. NTFS, on the other hand, has eight:…

MacOS File Movements

We continue to see more and more Apple devices come through our doors here at Digital Discovery. As such I do what I can to increase my knowledge in this area on a regular basis. I often rely on Sarah Edwards for assistance. She truly is a genius, not like the so-called geniuses at the…

Forensic 4:cast Awards 2016 – Results

This year’s Forensic 4:cast Awards were held on Thursday June 23, 2016. The awards were at the SANS DFIR Summit. A lot of the categories were EXTREMELY close. Congratulations to all the nominees, and especially to the winners. The finalists for each category are listed below. The winners are highlighted in red. Computer Forensic Software of…

Voting is Closed

Took a few days to get this out, for which I apologize. Life is crazy sometimes. Voting for the 2016 Forensic 4:cast Awards is now closed. The winners will be announced at the SANS DFIR Summit in Austin (details can be found here: https://www.sans.org/event/digital-forensics-summit-2016) on June 23, 2016 at 4:45pm Central. If you’ve been nominated, please…