Some time ago I talked about BitLocker forensics and the decryption of BitLocker encrypted volumes. As a result, I received a few questions and a request regarding TrueCrypt encrypted volumes. Encryption, in general, is quite the challenge…
Building wordlists from Forensic Images
Encryption has become widespread and it's common to encounter at least a few encrypted files during an investigation. Brute-forcing a password is always an option; however, depending on the type of encryption that has been…
TESTED: Forensic imaging tools
There are a few good imaging tools out there. When creating a forensic image you always try to pick the best tool for the job. In this post, I will compare six forensic imagers. This is…
File deletion vs wiping (HDD vs SSD)
As you might know, there is a difference between deleting a file and wiping a file. For the user they seem to have the same outcome: the requested file has been removed. However, when you…
TESTED: Camera Ballistics 2
Last week Brett Shavers had a good post on his blog about placing the suspect behind the camera (Link). Phill Moore named this post in his excellent weekly roundup This week in 4N6 and also…
Forensics 101: What is a forensic image?
A question I get asked a lot is "what is a forensic image?" and what is the difference between an image made with tools like FTK Imager and Acronis True Image. A simple answer would…
AccessData Live Online Training
When working in forensics you will have to keep yourself informed of the latest developments in the field, that's one of the reasons I started creating this blog. Recently I have been attending several Live…
Examining when a system was turned on and…
When you are analyzing a system you might want to document when the system was powered on. One of the best ways to do this is to analyze the Windows event log. However, this can…
Determining the Windows 10 installation date.
When working on fraud cases it isn't uncommon to see people trying to hide their tracks. In some cases this means hiding files in a hidden folder, in other cases, they might replace the hard…