This week it's back to Mac forensics with a look at the the Finder Sidebar and it's value for File Use & Knowledge investigations.
This week I pull back the focus for newer examiners and share some thoughts on creating a system that works for you to organize, and keep readily accessible, all the knowledge you accumulate..... and a few words about Shimcache on Windows 10.
This week I breakdown iCloud forensic artifacts.
This week I talk about where to find different listing of different recently accessed files on a Mac as well as how to break out the data for interpretation.
This week I go over some of my favorite Mac tools.
This week I talk about some common PLISTS to check as part of an initial system triage.
This week I talk about common Mac file formats, Libraries and Keychains.
This week I talk about Mac Home Folders to give Mac Examiners an idea of how it is structured and where to look for certain artifacts.
This week I talk about OS X's Spotlight feature, a powerful indexing and search engine built into your Mac that may be harnessed for computer forensic purposes.
This week I talk Apple double files and what to make of them during a forensic exam.
This week I am taking a breather and doing some planning for future topics. If you have a topic you would like to see covered mention it in the show notes. Full episodes will return the first week of September.
This week I go over some of my top reasons why Macs should be considered as a computer forensic platform.
File Juicer is an easy to use data carving tool that runs on OS X. Take most any file, drop it on File Juicer, and watch it spin out embedded image, movie, document files and text. Perfect for on-scene triage, lab work and exploring new file types.
This is part two of RAM extraction tools. Part 1 looked at why RAM extraction is an important part of forensic analysis. In Part 2 the results of a benchmark experiment with four different RAM Extraction tools is discussed: DumpIt, Belkasoft's RAM Capturer, Magnet RAM Capture and the RAM extraction feature in FTK Imager.
This episode is a two-parter looking at RAM extraction tools. Part 1 will take a look at why RAM extraction is an important part of forensic analysis. Part 2 will go over an experiment I did with four different tools: DumpIt, Belkasoft's RAM Capturer, Magnet RAM Capture and the RAM extraction feature in FTK Imager.
This week I take a look at three popular computer forensic suites: FTK, Encase and WinHex. I offer my opinion as to the strengths and weaknesses of each.
If you take a look at all the different DFIR certifications that exist today you can easily get overwhelmed. There are so many to choose from it puts meaning to the saying that too many choices is no choice at all. In this episode I take a look at digital forensic certifications from two different vantage points to provide a little guidance to those that may be trying to advance themselves through a certification or two.
For those looking to get some real world hands-on experience in DFIR to build up or expand your skill set, check out honeynet.org. The non-profit offers information and challenges to help sharpen your skills.