Category Archives: Technical Articles

  • Deleted vs “Deleted”

    Posted on May 25, 2017 by Lee Whitfield in Technical Articles.

    This morning, in my Enfuse talk (MAC Times, Mac Times, and more) I made a blanket statement. I usually avoid these but, in this case, I made a deliberate blanket statement. I provided the example from the SANS Windows Forensic Poster and showed, from the poster, that MAC times are not updated when a file […]

    8 Comments.
    Continue Reading...
  • MacOS Timestamps from Extended Attributes and Spotlight

    Posted on October 18, 2016 by Lee Whitfield in Technical Articles.

    I started this whole thing just with a general idea that I want to track times across USB devices on MacOS. As I went further down the rabbit-hole, however, I seem to have gotten lost and can’t seem to find my way back without finding more unexplored tunnels. It seems as if there are more […]

    No Comments.
    Continue Reading...
  • More MacOS File Movements

    Posted on October 17, 2016 by Lee Whitfield in Technical Articles.

    No sooner had I posted the last article than I started getting questions, all along the same theme. “What about NTFS?” They shout. “I’m working on it,” I replied. And so I was. To review, HFS+ has five timestamps: Created Modified (last written) Accessed Record Change Added Date NTFS, on the other hand, has eight: […]

    No Comments.
    Continue Reading...
  • MacOS File Movements

    Posted on October 13, 2016 by Lee Whitfield in Technical Articles.

    We continue to see more and more Apple devices come through our doors here at Digital Discovery. As such I do what I can to increase my knowledge in this area on a regular basis. I often rely on Sarah Edwards for assistance. She truly is a genius, not like the so-called geniuses at the […]

    2 Comments.
    Continue Reading...
  • 4:mag Challenge Solution

    Posted on December 23, 2013 by Lee Whitfield in News, Technical Articles.

    Earlier this year I published the first (and, thus far, the only) edition of 4:mag. In this issue I set a challenge in which a copy of David Cowen’s latest book “Computer Forensics InfoSec Pro Guide”. The only information you were given was as follows: Somewhere in the digital copy of the magazine (downloaded from […]

    1 Comment.
    Continue Reading...
  • Gmail and Mailvelope Leakage

    Posted on September 23, 2013 by Lee Whitfield in Technical Articles.

    A few months ago no-one had heard of Edward Snowden, PRISM, Bullrun or Cheesy Name (yes, that is a real project name). Since these revelations many people, including average computer users, have become a lot more security conscious. I’m frequently asked questions about how one can increase his/her security and try to keep their data as […]

    11 Comments.
    Continue Reading...
  • Gmail Retention and Your Privacy

    Posted on May 28, 2013 by Lee Whitfield in Technical Articles.

    By Google’s own count there are more than 5 million companies that now use Google Apps for Business. This comprises of Fortune 500 companies, education institutions, government bodies, etc. Each of these organizations will have multiple accounts with, potentially, thousands of users that frequently sign in to Google Mail. I’m sure none of this is […]

    3 Comments.
    Continue Reading...
  • Apple Hates Forensicators

    Posted on January 31, 2013 by Lee Whitfield in Technical Articles.

    Not really, but some days it sure seems like it. We currently have a project where everyone in the case uses Apple computers. These computers are nice, no question. They are beautiful machines and scream quality. I love Apple products, make no mistake, but I’m now getting to the point where my frustration is boiling […]

    2 Comments.
    Continue Reading...
  • Strange Artifacts – Wubi

    Posted on April 7, 2012 by Lee Whitfield in Technical Articles.

    I don’t speak French. I learned it at school and don’t use it much but, if it was a pinch, I could probably remember enough to get by. The same goes for using linux. I know a lot of the basic commands and how to set things up so that it is usable, but I’m […]

    No Comments.
    Continue Reading...
  • Flashpost: Google Plus Artefacts – URL Forwarding

    Posted on July 5, 2011 by Lee Whitfield in Technical Articles.

    While using Google Plus I noticed this and thought that it may be of use to some of you: Whenever you click on a link in G+ you are redirected to a URL that looks like this: http://www.google.com/url?sa=z&n=1309767169313&url=http%3A%2F%2Fdilbert.com%2Fstrips%2Fcomic%2F2009-10-04%2F&usg=EazZfazk8jxAKAEECZZ_4OneRqs. You are then quickly redirected to the linked site. Obviously you can see the original link URL […]

    1 Comment.
    Continue Reading...