az4n6.blogspot.com
Another Forensics Blog: Safari and iPhone Internet History Parser
http://az4n6.blogspot.com/2014/07/safari-and-iphone-internet-history.html
The primary purpose of this blog is to aid the occasional Google researcher in the field of computer forensics. The content may not be ground breaking or earth shattering, but simply a way to pass along what I hope is useful information. Monday, July 21, 2014. Safari and iPhone Internet History Parser. Back in June, I had the opportunity to speak at the SANS DFIR Summit. In this post I'll run through each of the artifacts I located and explain how to use the script to parse out the files. First, a little...
az4n6.blogspot.com
Another Forensics Blog: Python Parser to Recover Deleted SQLite Database Data
http://az4n6.blogspot.com/2013/11/python-parser-to-recover-deleted-sqlite.html
Wednesday, November 6, 2013. Python Parser to Recover Deleted SQLite Database Data. Soooo last week I was listening to the Forensic Lunch. And the topic of parsing deleted. While a commercial tool is good, it's always nice to have an open source alternative. After hea...
az4n6.blogspot.com
Another Forensics Blog: Timestomp MFT Shenanigans
http://az4n6.blogspot.com/2014/10/timestomp-mft-shenanigans.html
Tuesday, October 7, 2014. Basically there are two "sets" of timestamps that are tracked in the MFT. These two "sets" are the $STANDARD_INFORMATION and $FILE_NAME. Both of these track 4 timestamps each - Modified, Access, Created and Born. Or if you prefer - C...Most time...
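The two timestamp sets mentioned in that snippet can be pulled straight out of a raw $MFT record and compared against each other. The Python below is an added example written for this listing, not code from the blog post or its author: it parses the $STANDARD_INFORMATION and $FILE_NAME attributes of one FILE record and applies two widely used timestomp heuristics, $SI values that predate $FN and $SI values with no sub-second component. The record it parses is constructed inline to stand in for a real $MFT extract; the file name, dates and parent-directory reference are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS attribute type codes as they appear in each $MFT attribute header.
STANDARD_INFORMATION = 0x10
FILE_NAME = 0x30
END_MARKER = 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Decode a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_timestamps(record):
    """Return {'si': {...}, 'fn': {...}} with the four MACB times of a 1024-byte
    FILE record: 'si' from $STANDARD_INFORMATION, 'fn' from the first $FILE_NAME.
    Values stay raw FILETIME integers so sub-second precision is preserved."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]   # offset of first attribute
    out = {}
    while off + 16 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_MARKER or alen == 0:
            break
        if record[off + 8] == 0:                       # resident attribute
            clen, coff = struct.unpack_from("<IH", record, off + 16)
            body = record[off + coff: off + coff + clen]
            # Both attributes store Created, Modified, MFT-changed, Accessed in
            # that order; $FILE_NAME puts them after the 8-byte parent reference.
            if atype == STANDARD_INFORMATION and "si" not in out:
                c, m, e, a = struct.unpack_from("<4Q", body, 0)
                out["si"] = {"born": c, "modified": m, "changed": e, "accessed": a}
            elif atype == FILE_NAME and "fn" not in out:
                c, m, e, a = struct.unpack_from("<4Q", body, 8)
                out["fn"] = {"born": c, "modified": m, "changed": e, "accessed": a}
        off += alen
    return out


def timestomp_indicators(ts):
    """Flags from comparing the two sets.
    si_*_before_fn: $FN is written by the kernel on create/rename/move and is not
      reachable through SetFileTime, so $SI values that predate it are suspect.
    si_*_no_subsecond: user-mode stomping tools usually write whole seconds,
      leaving the low seven decimal digits of the FILETIME at zero."""
    flags = []
    si, fn = ts.get("si"), ts.get("fn")
    if si and fn:
        flags += [f"si_{k}_before_fn" for k in ("born", "modified") if si[k] < fn[k]]
    if si:
        flags += [f"si_{k}_no_subsecond" for k, v in si.items() if v % 10_000_000 == 0]
    return flags


# ---- constructed sample record (test data, not from a real disk image) ----
def _filetime(dt, subsecond_ticks=0):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000 + subsecond_ticks


def build_sample_record(si_times, fn_times, name="report.docx"):
    """Assemble a minimal FILE record with resident $STANDARD_INFORMATION and
    $FILE_NAME attributes; times are (born, modified, changed, accessed)."""
    def attr(atype, body):
        total = 24 + len(body)
        total += (-total) % 8                          # attributes are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHH", atype, total, 0, 0, 0, 0, 0, len(body), 24, 0)
        return hdr + body + b"\x00" * (total - 24 - len(body))
    si_body = struct.pack("<4Q", *si_times) + b"\x00" * 40          # flags etc. zeroed
    fn_body = (struct.pack("<Q", 5)                                 # made-up parent ref
               + struct.pack("<4Q", *fn_times)
               + struct.pack("<QQII", 0, 0, 0, 0)                   # sizes, flags, reparse
               + bytes([len(name), 1]) + name.encode("utf-16-le"))
    header = bytearray(56)
    header[0:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 56)
    record = bytes(header) + attr(STANDARD_INFORMATION, si_body) + attr(FILE_NAME, fn_body)
    return (record + struct.pack("<I", END_MARKER)).ljust(1024, b"\x00")


# File really created 2014-07-01; $SI born/modified later stomped back to 2009
# with whole-second values, while $SI MFT-changed/accessed reflect the stomping.
FN_BORN = _filetime(datetime(2014, 7, 1, 10, 15, 30, tzinfo=timezone.utc), 1234567)
FN_SET = (FN_BORN, FN_BORN + 20_000_000, FN_BORN + 20_000_000, FN_BORN)
STOMPED = _filetime(datetime(2009, 3, 2, tzinfo=timezone.utc))
SI_SET = (STOMPED, STOMPED, FN_BORN + 300_000_000 + 42, FN_BORN + 300_000_000 + 42)
SAMPLE_RECORD = build_sample_record(SI_SET, FN_SET)

if __name__ == "__main__":
    ts = parse_timestamps(SAMPLE_RECORD)
    for attr_name in ("si", "fn"):
        print(attr_name, {k: filetime_to_datetime(v).isoformat() for k, v in ts[attr_name].items()})
    print("indicators:", timestomp_indicators(ts))
```

Treat the flags as leads rather than proof: a cross-volume move keeps the $SI creation time but writes a fresh $FN set, and files copied in from a FAT volume carry whole-second timestamps legitimately, so both patterns occur without any tampering. $FN is also not immutable; a rename or move rewrites it, which is why the two sets should be read together with other sources such as the $UsnJrnl rather than on their own.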
memoryforensics.blogspot.com
Memory Forensics: Building a Decoder for the CVE-2014-0502 Shellcode
http://memoryforensics.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html
Wednesday, April 9, 2014. Building a Decoder for the CVE-2014-0502 Shellcode. Yesterday on the Volatility Labs blog I published a post on analyzing some interesting shellcode from a recent attack campaign and 0day exploit. The shellcode was encrypted multiple times and required full static reversing before revealing the algorithm needed to decrypt the backdoor URL. I think you will like it: http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html
romanperez.com
Resources
http://www.romanperez.com/resources.html
Federal Rules of Evidence. Resources of the trade. More important than knowing everything is knowing where to find the answers. Books, KB, Articles, Etc. A PRACTICAL GUIDE TO COMPUTER FORENSICS INVESTIGATIONS. Creating a Virtual Machine of a write-blocked drive using Linux Ubuntu 12.10. Digital Forensics Certification Board.
memoryforensics.blogspot.com
Memory Forensics: February 2013
http://memoryforensics.blogspot.com/2013_02_01_archive.html
Friday, February 15, 2013. Memory Forensics Talk at RSA! On Wednesday of RSA I will be giving a talk titled "Memory Forensics: Defeating Disk Encryption, Skilled Attackers and Malware". This talk will focus on three key points: 1) Showcasing the power and usefulness of memory forensics. Memory forensics from disk forensics. 3) Highlighting why live forensics should not be used and instead analysts should switch to using offline memory forensics. Or ping me on Twitter (@attrc).
memoryforensics.blogspot.com
Memory Forensics: November 2013
http://memoryforensics.blogspot.com/2013_11_01_archive.html
Monday, November 25, 2013. Our Registry Forensics Master Class is now Live! I am very happy to announce that the Registry Forensics Master Class that I developed in conjunction with 504ENSICS is now live. The master class is completely focused on registry forensics, and takes students from the basics through advanced topics and analysis techniques. A few of the topics covered include: Acquiring hives from both disk images and memory samples. Investigating the registry in volatile memory (RAM). For mor...
memoryforensics.blogspot.com
Memory Forensics: December 2012
http://memoryforensics.blogspot.com/2012_12_01_archive.html
Monday, December 10, 2012. Analyzing Malware in Memory Webinar. On December 18th I will be leading a webinar on analyzing malware in memory with Volatility and memory forensics techniques. The following link has a full abstract and registration info (it's free): http://www.thehackeracademy.com/tha-deep-dive-analyzing-malware-in-memory/ Recovering tmpfs from Memory with Volatility. Announcing Mac Support in Volatility.