Starting in Windows 10 and Server 2016, Microsoft added the option to enable various forms of virtualization-based security (VBS). This feature suite currently includes Credential Guard, Devic...
https://dfstream.blogspot.com/2017/08/memory-acquisition-and-virtual-secure.html
A few weeks back, I found myself in need of a free tool to parse $I files from Windows Vista+ recycle bins. For anyone needing a refresher, $I files store metadata regarding the act of sending ...
https://dfstream.blogspot.com/2016/04/fun-with-recycle-bin-i-files-windows-10.html
Version 11.0.07 of Adobe Reader, released in May 2014, introduced some interesting changes that can impact forensic examination. With previous versions of Reader for Windows, the cRecentFiles ...
https://dfstream.blogspot.com/2015/07/adobe-readers-not-so-crecentfiles.html
If you've ever examined registry artifacts related to a particular USB device, you've probably come across a value called "ContainerID". For example, a flash drive's instance ID subkey of the U...
https://dfstream.blogspot.com/2015/02/leveraging-devicecontainers-key.html
Microsoft Office 2013 continues to yield very interesting artifacts related to user activity. Harlan recently posted about the "PendingChanges" subkeys in relation to PowerPoint, and I have p...
https://dfstream.blogspot.com/2014/02/office-2013-more-mrus.html
I've made various updates to VSC Toolset since its last public release in September 2012 and wanted to write a quick post about some of the updates for those interested. The most significant addi...
https://dfstream.blogspot.com/2014/02/vsc-toolset-update.html
Last month, I wrote about utilizing the Windows 7 Event Log in USB device tracking. In my previous post, I mentioned automating the process using Microsoft's Log Parser, but didn't go into much...
https://dfstream.blogspot.com/2014/02/usb-device-tracking-batch-script.html
Microsoft Office 2013 introduced a new feature that allows a user to continue reading or editing a document starting at the last point he or she was working. This feature, referred to by some ...
https://dfstream.blogspot.com/2014/01/ms-word-2013-reading-locations.html
The release of Microsoft Office 2013 granted the ability to save files in formats not previously available (such as "Strict OOXML"), but the default format remained the same as Office 2007 and 20...
https://dfstream.blogspot.com/2014/01/ms-excel-2013-last-saved-location.html
Recently, there have been a few blog posts discussing evidence found on a system when USB devices are connected and removed (Yogesh Khatri's blog series and Nicole Ibrahim's blog). I've bee...
https://dfstream.blogspot.com/2014/01/the-windows-7-event-log-and-usb-device.html
The upcoming release of Windows 8.1 offers new features that will add to and/or modify the forensic artifacts available for examination. One of these additions is the "Search Everywhere" featur...
https://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html
In my last post, I discussed using an OLE timestamp to determine the last time an Excel spreadsheet was opened and closed without being saved. The last opened time can be very helpful, but woul...
https://dfstream.blogspot.com/2013/07/ms-excel-and-biff-metadata-last-opened.html
It is well known that Microsoft Office files store internal metadata that can be very revealing during forensic examinations (Author, Last Saved By, Creation Time, Last Saved time, etc.). What ...
https://dfstream.blogspot.com/2013/07/ms-excel-and-ole-metadata-last-opened.html
In my last post, I covered artifacts that an examiner might find when analyzing a system that has accessed an Amazon Cloud Drive using the desktop application. While the desktop application mak...
https://dfstream.blogspot.com/2013/06/amazon-cloud-drive-forensics-part-2.html
Amazon Cloud Drive is yet another way that users can upload and store information in the cloud. Much like other cloud storage options, an Amazon Cloud Drive can be used for a variety of purpose...
https://dfstream.blogspot.com/2013/06/amazon-cloud-drive-forensics-part-1.html
One of the many new features of Windows 8 is a new stock photo viewing application called Photos. With the inclusion of a new photo viewer comes the creation of new artifacts resulting from its...
https://dfstream.blogspot.com/2013/03/windows-8-tracking-opened-photos.html
One of the common methods examiners may use during USB analysis on Mac OS X machines (running Snow Leopard or above) is to search the kernel log for "USBMSC" entries to identify USB devices that ...
https://dfstream.blogspot.com/2013/01/automating-usb-device-identification-on.html
I've recently added an important functionality that has been missing from VSC Toolset: the ability to systematically extract files from shadow copies. You can now do this with VSC Toolset eithe...
https://dfstream.blogspot.com/2012/09/vsc-toolset-update-file-recovery.html
The FoxTab add-on to Mozilla Firefox presents some interesting artifacts in respect to forensic analysis. According to FoxTab's webpage, the add-on "brings innovative 3D functionality to your ...
https://dfstream.blogspot.com/2012/09/foxtab-mozillas-hidden-camera.html
It's helpful to know the date range that an event log spans, as that information lets you know whether or not you should expect the events from a particular time to be included in the event log,...
https://dfstream.blogspot.com/2012/06/quickly-find-date-range-of-evtx-event.html
I mentioned in a previous post that a RegRipper plugin (or something similar) would need to be written in order to easily correlate the contents of the TypedURLs subkey with the TypedURLsTime su...
https://dfstream.blogspot.com/2012/06/typedurlstime-regripper-plugin.html
I don't plan to regularly post about tool updates, but I figured there's enough in the most recent update to VSC Toolset that I might want to write a bit about it. As indicated by the title of ...
https://dfstream.blogspot.com/2012/05/vsc-toolset-update-browsing-shadow.html
Amanda Thomson posted a Windows 8 Forensic Guide last month that covers a variety of topics examiners can expect to encounter with this new operating system on the horizon. One of the new it...
https://dfstream.blogspot.com/2012/05/windows-8-typedurlstime.html
I've updated VSC Toolset with a couple of new features, including integrating some new scripts with it. You can now choose a specific RegRipper plugin to run against one or more VSCs (specifyin...
https://dfstream.blogspot.com/2012/03/vsc-toolset-update.html
Volume shadow copies (VSCs) have become an important part of the forensic examination of a Windows machine, as they can provide details about user activity that was not possible in the past. Be...
https://dfstream.blogspot.com/2012/03/vsc-toolset-gui-tool-for-shadow-copies.html