Forensic 4:cast – Page 4

Forensic 4:cast Awards 2018 – Nominations are Now Open
If you don’t know anything about the Forensic 4:cast Awards, where have you been for the past nine years? Every year we celebrate the achievements of digital forensic investigators around the world by giving awards to those that have been deemed as worthy by their peers. There is no advisory panel, no interference in the…
January 11, 2018
Deleted vs “Deleted”
This morning, in my Enfuse talk (MAC Times, Mac Times, and more) I made a blanket statement. I usually avoid these but, in this case, I made a deliberate blanket statement. I provided the example from the SANS Windows Forensic Poster and showed, from the poster, that MAC times are not updated when a file…
May 25, 2017
My New Company
Hi everyone. I just wanted to make a minute to let you know that in addition to my working at SANS I’ve also set up a company so that I can keep doing the forensics work that I love. I will, of course, continue to post here when I have something to say. I’ll also…
May 1, 2017
Awards Nomination Closing Date and News
A number of people have asked me about the closing date for the nominations for the Forensic 4:cast Awards. Well here it is: March 31, 2017 I will be accepting nominations as long as it is still March 31 somewhere in the world. I will then spend a couple of days tallying the nominations before…
March 12, 2017
MacOS Timestamps from Extended Attributes and Spotlight
I started this whole thing just with a general idea that I want to track times across USB devices on MacOS. As I went further down the rabbit-hole, however, I seem to have gotten lost and can’t seem to find my way back without finding more unexplored tunnels. It seems as if there are more…
October 18, 2016
More MacOS File Movements
No sooner had I posted the last article than I started getting questions, all along the same theme. “What about NTFS?” They shout. “I’m working on it,” I replied. And so I was. To review, HFS+ has five timestamps: Created Modified (last written) Accessed Record Change Added Date NTFS, on the other hand, has eight:…
October 17, 2016
MacOS File Movements
We continue to see more and more Apple devices come through our doors here at Digital Discovery. As such I do what I can to increase my knowledge in this area on a regular basis. I often rely on Sarah Edwards for assistance. She truly is a genius, not like the so-called geniuses at the…
October 13, 2016
Forensic 4:cast Awards 2016 – Results
This year’s Forensic 4:cast Awards were held on Thursday June 23, 2016. The awards were at the SANSÂ DFIR Summit. A lot of the categories were EXTREMELY close. Congratulations to all the nominees, and especially to the winners The finalists for each category is listed below. The winners are highlighted in red. Computer Forensic Software of…
June 24, 2016
Voting is Closed
Took a few days to get this out, for which I apologize. Life is crazy sometimes. Voting for the 2016 Forensic 4:cast Awards is now closed. The winners will be announce at the SANS DFIR Summit in Austin (details can be found here:Â https://www.sans.org/event/digital-forensics-summit-2016) on June 23, 2016 at 4:45pm Central. If you’ve been nominated, please…
June 10, 2016
As Promised
Every year. Every damned year. Well, these people caught me on a morning when I feel unwell and decidedly curmudgeonly. So here’s their email and my reply. This is Helena from Compelson, the creators of MobilEdit. Hello Lee, Unfortunately we didnâ€™t receive any invitation from you, that is time to voteâ€¦ Any chance we could…
May 13, 2016