- Feed Preview Digital Forensics Stream
Memory Acquisition and Virtual Secure Mode
Starting in Windows 10 and Server 2016, Microsoft added the option to enable various forms of virtualization-based security (VBS). This feature suite currently includes Credential Guard, Devic...
https://dfstream.blogspot.com/2017/08/memory-acquisition-and-virtual-secure.html
Fun with Recycle Bin $I Files & Windows 10
A few weeks back, I found myself in need of a free tool to parse $I files from Windows Vista+ recycle bins. For anyone needing a refresher, $I files store metadata regarding the act of sending ...
https://dfstream.blogspot.com/2016/04/fun-with-recycle-bin-i-files-windows-10.html
Adobe Reader's Not-So-cRecentFiles
Version 11.0.07 of Adobe Reader, released in May 2014, introduced some interesting changes that can impact forensic examination. With previous versions of Reader for Windows, the cRecentFiles ...
https://dfstream.blogspot.com/2015/07/adobe-readers-not-so-crecentfiles.html
Leveraging the DeviceContainers Key
If you've ever examined registry artifacts related to a particular USB device, you've probably come across a value called "ContainerID". For example, a flash drive's instance ID subkey of the U...
https://dfstream.blogspot.com/2015/02/leveraging-devicecontainers-key.html
Office 2013: More MRUs
Microsoft Office 2013 continues to yield very interesting artifacts related to user activity. Harlan recently posted about the "PendingChanges" subkeys in relation to PowerPoint, and I have p...
https://dfstream.blogspot.com/2014/02/office-2013-more-mrus.html
VSC Toolset Update
I've made various updates to VSC Toolset since its last public release in September 2012 and wanted to write a quick post about some of the updates for those interested. The most significant addi...
https://dfstream.blogspot.com/2014/02/vsc-toolset-update.html
USB Device Tracking Batch Script
Last month, I wrote about utilizing the Windows 7 Event Log in USB device tracking. In my previous post, I mentioned automating the process using Microsoft's Log Parser, but didn't go into much...
https://dfstream.blogspot.com/2014/02/usb-device-tracking-batch-script.html
MS Word 2013 Reading Locations
Microsoft Office 2013 introduced a new feature that allows a user to continue reading or editing a document starting at the last point he or she was working. This feature, referred to by some ...
https://dfstream.blogspot.com/2014/01/ms-word-2013-reading-locations.html
MS Excel 2013 Last Saved Location Metadata
The release of Microsoft Office 2013 granted the ability to save files in formats not previously available (such as "Strict OOXML"), but the default format remained the same as Office 2007 and 20...
https://dfstream.blogspot.com/2014/01/ms-excel-2013-last-saved-location.html
The Windows 7 Event Log and USB Device Tracking
Recently, there have been a few blog posts discussing evidence found on a system when USB devices are connected and removed (Yogesh Khatri's blog series and Nicole Ibrahim's blog ). I've bee...
https://dfstream.blogspot.com/2014/01/the-windows-7-event-log-and-usb-device.html
Windows 8 and 8.1: Search Charm History
The upcoming release of Windows 8.1 offers new features that will add to and/or modify the forensic artifacts available for examination. One of these additions is the "Search Everywhere" featur...
https://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html
MS Excel and BIFF Metadata: Last Opened By
In my last post, I discussed using an OLE timestamp to determine the last time an Excel spreadsheet was opened and closed without being saved. The last opened time can be very helpful, but woul...
https://dfstream.blogspot.com/2013/07/ms-excel-and-biff-metadata-last-opened.html
MS Excel and OLE Metadata: Last Opened Time
It is well known that Microsoft Office files store internal metadata that can be very revealing during forensic examinations (Author, Last Saved By, Creation Time, Last Saved time, etc.). What ...
https://dfstream.blogspot.com/2013/07/ms-excel-and-ole-metadata-last-opened.html
Amazon Cloud Drive Forensics: Part 2
In my last post, I covered artifacts that an examiner might find when analyzing a system that has accessed an Amazon Cloud Drive using the desktop application. While the desktop application mak...
https://dfstream.blogspot.com/2013/06/amazon-cloud-drive-forensics-part-2.html
Amazon Cloud Drive Forensics: Part 1
Amazon Cloud Drive is yet another way that users can upload and store information in the cloud. Much like other cloud storage options, an Amazon Could Drive can be used for a variety of purpose...
https://dfstream.blogspot.com/2013/06/amazon-cloud-drive-forensics-part-1.html
Windows 8: Tracking Opened Photos
One of the many new features of Windows 8 is a new stock photo viewing application called Photos. With the inclusion of a new photo viewer comes the creation of new artifacts resulting from its...
https://dfstream.blogspot.com/2013/03/windows-8-tracking-opened-photos.html
Automating USB Device Identification on Mac OS X
One of the common methods examiners may use during USB analysis on Mac OS X machines (running Snow Leopard or above) is to search the kernel log for "USBMSC" entries to identify USB devices that ...
https://dfstream.blogspot.com/2013/01/automating-usb-device-identification-on.html
VSC Toolset Update: File Recovery
I've recently added an important functionality that has been missing from VSC Toolset: the ability to systematically extract files from shadow copies. You can now do this with VSC Toolset eithe...
https://dfstream.blogspot.com/2012/09/vsc-toolset-update-file-recovery.html
FoxTab: Firefox's Hidden Camera
The FoxTab add-on to Mozilla Firefox presents some interesting artifacts in respect to forensic analysis. According to FoxTab's webpage , the add-on "brings innovative 3D functionality to your ...
https://dfstream.blogspot.com/2012/09/foxtab-mozillas-hidden-camera.html
Quickly Find the Date Range of EVTX Event Logs
It's helpful to know the date range that an event log spans, as that information lets you know whether or not you should expect the events from a particular time to be included in the event log,...
https://dfstream.blogspot.com/2012/06/quickly-find-date-range-of-evtx-event.html
Windows 8 TypedURLsTime
Amanda Thomson posted a Windows 8 Forensic Guide last month that covers a variety of topics examiners can expect to encounter with this new operating system on the horizon. One of the new it...
https://dfstream.blogspot.com/2012/05/windows-8-typedurlstime.html
VSC Toolset: A GUI Tool for Shadow Copies
Volume shadow copies (VSCs) have become an important part of the forensic examination of a Windows machine, as they can provide details about user activity that was not possible in the past. Be...
https://dfstream.blogspot.com/2012/03/vsc-toolset-gui-tool-for-shadow-copies.html