Some time ago I talked about BitLocker forensics and the decryption of BitLocker encrypted volumes. As a result, I received a few questions and a request regarding TrueCrypt encrypted volumes. Encryption, in general, is quite the challenge…
Should you pull the plug?
When you are collecting evidence, a live system is always interesting. There is some debate on how to handle live systems. And while there certainly are interesting products on the market like the HotPlug Field…
Encryption: BitLocker forensics
Encryption is a challenge in forensics and the use of encryption to protect computer data is growing. Without a decryption key, the data and the potential evidence can't be accessed. When you come across a system…
How to unwrap 360 (spherical) videos
When you want to monitor a large area with the minimum number of cameras, dome cameras are a great way to go. When utilizing a fisheye lens you are able to capture 360 degrees of…
Forensics 101: RAM capture (Belkasoft Ram Capturer)
During an investigation, you always want to create a forensic image of all the relevant computer systems. However, what if you encounter a live system? How to handle a live system is something I will…
Forensics 101: RAM capture (FTK-Imager)
During an investigation, you always want to create a forensic image of all the relevant computer systems. However, what if you encounter a live system? How to handle a live system is something I will…
Always use multiple hash algorithms
Digital evidence, like any type of evidence, requires a means of identification, a way to prove that what you are presenting as evidence was not modified in any way. The best way to prove that…
MAC Times and file wiping
My article regarding MAC Times and file deletion generated some feedback. Some people contacted me regarding this article and shared some experiences with me of cases where they were able to retrieve a deletion timestamp from…
MAC Times and file deletion
A lot of times during investigations you get the question "when was this file deleted?". And most of the time, there is no exact answer. In the forensic community, there is a lot of debate…