Category: Technical Articles

  • Mac Randomization in Windows

    In a break from the norm, I’m going to start with a Bible reference. Romans 2:21 says: “Thou therefore which teachest another, teachest thou not thyself?” As a SANS Instructor this couldn’t be truer. Every time I teach a class, I am asked at least one question where I think, “huh, I’d never considered that before,” or…

  • Updates to the RecentDocs Key in Windows 10

    I’ve been revisiting things in Windows 10 recently. We’ve seen a few things change that we have taken for granted in previous versions so I’ve been investigating things. In my most recent efforts, I’ve come to the RecentDocs key in the Windows registry. For those that are unaware, this key lies in each user’s NTUSER.DAT…

  • Deleted vs “Deleted”

    This morning, in my Enfuse talk (MAC Times, Mac Times, and more) I made a blanket statement. I usually avoid these but, in this case, I made a deliberate blanket statement. I provided the example from the SANS Windows Forensic Poster and showed, from the poster, that MAC times are not updated when a file…

  • MacOS Timestamps from Extended Attributes and Spotlight

    I started this whole thing just with a general idea that I want to track times across USB devices on MacOS. As I went further down the rabbit-hole, however, I seem to have gotten lost and can’t seem to find my way back without finding more unexplored tunnels. It seems as if there are more…

  • More MacOS File Movements

    No sooner had I posted the last article than I started getting questions, all along the same theme. “What about NTFS?” They shout. “I’m working on it,” I replied. And so I was. To review, HFS+ has five timestamps: Created, Modified (last written), Accessed, Record Change, Added Date. NTFS, on the other hand, has eight:…

  • MacOS File Movements

    We continue to see more and more Apple devices come through our doors here at Digital Discovery. As such I do what I can to increase my knowledge in this area on a regular basis. I often rely on Sarah Edwards for assistance. She truly is a genius, not like the so-called geniuses at the…

  • 4:mag Challenge Solution

    Earlier this year I published the first (and, thus far, the only) edition of 4:mag. In this issue I set a challenge in which a copy of David Cowen’s latest book “Computer Forensics InfoSec Pro Guide”. The only information you were given was as follows: Somewhere in the digital copy of the magazine (downloaded from…

  • Gmail and Mailvelope Leakage

    A few months ago no-one had heard of Edward Snowden, PRISM, Bullrun or Cheesy Name (yes, that is a real project name). Since these revelations many people, including average computer users, have become a lot more security conscious. I’m frequently asked questions about how one can increase his/her security and try to keep their data as…

  • Gmail Retention and Your Privacy

    By Google’s own count there are more than 5 million companies that now use Google Apps for Business. This comprises Fortune 500 companies, educational institutions, government bodies, etc. Each of these organizations will have multiple accounts with, potentially, thousands of users that frequently sign in to Google Mail. I’m sure none of this is…

  • Apple Hates Forensicators

    Not really, but some days it sure seems like it. We currently have a project where everyone in the case uses Apple computers. These computers are nice, no question. They are beautiful machines and scream quality. I love Apple products, make no mistake, but I’m now getting to the point where my frustration is boiling…