Tag: forensics


The Importance of Dual Tool Verification

Those of us working in the Digital Forensics and Incident Response realm rely on tools to harvest data for analysis, not to mention to perform the actual analysis. Let’s be honest: without tools, we would have a dickens of a time doing our jobs. Unfortunately, this has led to examiners having an inherent high level[…]


Most Recent Used (MRU) Peek-A-Book

In this post, we will cover some cool ways to review the Most Recently Used (MRU) keys from the Windows registry. The goal of the article is to show how these keys can be useful, explain how to review them using RegRipper, and provide a means to review these keys directly from a memory image[…]


Bit-Level Forensics: Partitions and VBRs

by DFIRninja
Categories: Analysis, Host Forensics

Partitions and VBRs: Partitioning is an important part of hard drives. Partitioning is the dividing of the hard disk into multiple sections. The primary partition is used by the OS, and then you can also have extended partitions. There are 16 bytes that make up a partition entry and are made up of a combination[…]


MACtime Forensics

MACtime Forensics: Timestamps are a critical part of forensics. It takes a skilled forensicator to examine all pertinent data available to them in order to find key evidence and provide an accurate timeline of events. The timestamps we will be discussing are the MACB timestamps. M – Modified Time A – Accessed Time C –[…]


Memory Forensics: Mandiant Redline

by DFIRninja
Categories: Analysis, Host Forensics

Mandiant Redline: Why perform memory forensics? There are a plethora of reasons. What do you do when something happens on a computer and nothing is written to the disk? That is the biggest reason why you want to analyze a computer’s memory. Memory is like a snapshot in time for a computer and can provide[…]
