Tag: host forensics


The Importance of Dual Tool Verification

Those of us working in the Digital Forensics and Incident Response realm rely on tools to harvest data for analysis, not to mention to perform the actual analysis. Let’s be honest: Without tools, we would have a dickens of a time doing our jobs. Unfortunately, this had led to examiners having an inherent high level[…]


Most Recent Used (MRU) Peek-A-Book

In this post, we will cover some cool ways to review the Most Recent Used (MRU) keys from the Windows registry. The goal of the article is to show how these keys can be useful, explain how to review them using RegRipper, and provide a means to review these keys directly from a memory image[…]


Time for an Autopsy!

Autopsy Introduction Greetings! Destruct_Icon here with a look into a forensics tool named Autopsy. Autopsy is a GUI into a suite of tools known as The Sleuth Kit and can be found here. In this article, we want to introduce you to the interface itself as well as describe some of the capabilities. First off, we have a[…]


Security Tools Page

Security Tools Page Introduction Destruct_Icon here. I wanted to post about a new addition to our site. We’ve added a page devoted to security tools. Just click on the “Security Tools” option in the Menu. Here we will be adding tools and categorizing their use for quick searching capabilities. We plan to create posts for each[…]


Bit-Level Forensics: Partitions and VBRs

by DFIRninja
Categories: Analysis, Host Forensics
Tags: , , ,
Comments: Leave a Comment

:Partitions and VBRs: Partitioning is an important part of hard drives. Partitioning is the dividing of the hard disk into multiple sections. The primary partition is used by the OS, and then you can also have extended partitions. There are 16 bytes that make up a partition entry and are made up of a combination[…]


NTUSER, SOFTWARE or SYSTEM Hive Registry Parser

Registry Parser There has been times where I would like to parse through a NTUSER, SYSTEM, SOFTWARE hive and pull back just the key and sub keys that have been modified between a certain date (which is one of the arguments for the below python script). Thanks to William Ballenthin for showing how this is[…]

Today is Saturday