Wylie, Texas
lee@forensic4cast.com

Category: Technical Articles

Updates to the RecentDocs Key in Windows 10

I’ve been revisiting things in Windows 10 recently. We’ve seen a few things change that we have taken for granted in previous versions so I’ve been investigating things. In my most recent efforts, I’ve come to the RecentDocs key in the Windows registry. For those that are unaware, this key lies in each user’s NTUSER.DAT…

Deleted vs “Deleted”

This morning, in my Enfuse talk (MAC Times, Mac Times, and more) I made a blanket statement. I usually avoid these but, in this case, I made a deliberate blanket statement. I provided the example from the SANS Windows Forensic Poster and showed, from the poster, that MAC times are not updated when a file…

MacOS Timestamps from Extended Attributes and Spotlight

I started this whole thing just with a general idea that I want to track times across USB devices on MacOS. As I went further down the rabbit-hole, however, I seem to have gotten lost and can’t seem to find my way back without finding more unexplored tunnels. It seems as if there are more…

More MacOS File Movements

No sooner had I posted the last article than I started getting questions, all along the same theme. “What about NTFS?” They shout. “I’m working on it,” I replied. And so I was. To review, HFS+ has five timestamps: Created, Modified (last written), Accessed, Record Change, Added Date. NTFS, on the other hand, has eight:…

MacOS File Movements

We continue to see more and more Apple devices come through our doors here at Digital Discovery. As such I do what I can to increase my knowledge in this area on a regular basis. I often rely on Sarah Edwards for assistance. She truly is a genius, not like the so-called geniuses at the…

4:mag Challenge Solution

Earlier this year I published the first (and, thus far, the only) edition of 4:mag. In this issue I set a challenge in which a copy of David Cowen’s latest book “Computer Forensics InfoSec Pro Guide”. The only information you were given was as follows: Somewhere in the digital copy of the magazine (downloaded from…

Gmail and Mailvelope Leakage

A few months ago no-one had heard of Edward Snowden, PRISM, Bullrun or Cheesy Name (yes, that is a real project name). Since these revelations many people, including average computer users, have become a lot more security conscious. I’m frequently asked questions about how one can increase his/her security and try to keep their data as…

Gmail Retention and Your Privacy

By Google’s own count there are more than 5 million companies that now use Google Apps for Business. This comprises Fortune 500 companies, education institutions, government bodies, etc. Each of these organizations will have multiple accounts with, potentially, thousands of users that frequently sign in to Google Mail. I’m sure none of this is…

Apple Hates Forensicators

Not really, but some days it sure seems like it. We currently have a project where everyone in the case uses Apple computers. These computers are nice, no question. They are beautiful machines and scream quality. I love Apple products, make no mistake, but I’m now getting to the point where my frustration is boiling…

Strange Artifacts – Wubi

I don’t speak French. I learned it at school and don’t use it much but, if it was a pinch, I could probably remember enough to get by. The same goes for using Linux. I know a lot of the basic commands and how to set things up so that it is usable, but I’m…