Windows Resilient File System Forensics
In the fall of 2012, Microsoft made Windows Server 2012 generally available with a quietly announced feature: Resilient File System (ReFS). Of course, Microsoft does not roll out new file systems casually, and when it does, the ripple effects are generally felt slowly. NTFS has been generally available since Windows NT 3.1, released in 1993. If one runs a data center of any size, swapping out the underlying file system of critical or precious data is not a decision taken lightly. In large part, this explains a general complacency in the digital forensics tools field about how to deal with this new file system. Today, ReFS is a rare bird: investigators just don’t see it very often. We think that is going to begin to change later this year.
Volatility Reporting Plugin for EnCase Forensic v7
As most investigators know, volatile memory contains valuable information about the runtime state of the system, registry keys, network connections in memory and much more. One of the most popular tools to handle memory analysis is Volatility, an open source tool created by Volatile Systems.
- Posted by: Miller
- On: 8/07/2013
- No comments
- Categories: EnCase App Central, EnCase Forensic, Memory Analysis, Volatility
EnCase App Central - Destined To Be A Game Changer
We are all painfully aware that criminals share their secrets, exploits and even technology. Those investigating cybercrime, attempting to pre-empt dangerous criminals, or finding new ways to rapidly clear cases must be on equal footing.
Whether on the desktop, server, smart mobile device, cloud or on a network, investigating cybercrime requires a combination of exceptional tools and expert knowledge. One of the unique elements of investigating cybercrime efficiently is that you need expertise in both computer science and social science. Unfortunately, there has not been a solid methodology to bring this cross-domain expertise to fruition. It is vital that we close this gap and create a greater overlap between these domains.
C-TAK by WetStone
Unveiling cyber threats that can impact investigations
Many cyber investigations require a comprehensive understanding of any cyber threats or malware infestation that may impact examinations. The impacts to criminal investigations, civil litigation, human resource actions and incident response engagements can be serious, depending upon the specific threats or malware discovered.
- Posted by: Miller
- On: 7/17/2013
- No comments
- Categories: C-TAK, EnCase App Central, Malware Analysis, WetStone
Examining Mac OS X User & System Keychains
Introduction
To forensic examiners with little or no knowledge of Mac OS X, the concept of a Mac OS X keychain may be an alien one. This article aims to provide an overview of the following with regards to Mac OS X keychains –
- Posted by: Miller
- On: 7/08/2013
- No comments
- Categories: EnCase App Central, EnCase Forensic, Mac OS X
Safari Form Values Decryptor
As a forensic investigator, you are likely already familiar with the artifacts left in storage on a disk from the use of a web browser. The mainstream browsers all provide, for the most part, the same functionality of things like tabbed browsing, remembering history and exposing it in date ranges, storing bookmarks for later viewing, etc.
One of those features is the topic of this blog post: remembering data that a user typed into a form field so that the same value doesn’t have to be typed into that same form next time. This is generally referred to as an autofill form values feature. Firefox, Chrome, Internet Explorer and Safari all offer this feature, but each of them stores these values in a different way.
- Posted by: Miller
- On: 6/26/2013
- No comments
- Categories: EnCase App Central, EnCase Forensic, Mac OS X
Good guys working together
In my role at Guidance Software as a product manager, I have a fun job. Every day, I get to come into the office and work with some of the best and brightest engineers who build tools for the most brilliant digital investigators in the world. I get to meet investigators in government, law enforcement and corporations, our customers, who do the good work of investigating crime, fraud and general wrongdoing. Working with talented, focused people is rewarding. Working with talented, focused people for a good cause is downright enjoyable.
Announcing our CEIC Caption Contest Winner
Congratulations to Paul Webel from Vestige. His caption won our caption contest by a landslide! Thank you to all who participated. Your captions generated quite a few chuckles around Guidance Software.
Again, congratulations to Paul!
Difficult Times for iOS Investigations
A recent CNet story, “Apple deluged by police demands to decrypt iPhones”, was picked up by slashdot.org. The original article is a good read on one of the pain points in today’s iOS investigations, but the comments on the Slashdot.org post are downright illuminating. A veteran digital investigator probably already knows: the passcode and encryption on the iPhone 4S, iPhone 5 and iPad 2 and later have been virtually impossible to bypass. Even built-for-purpose mobile device forensic companies plainly admit that iOS forensics has been advancing slowly.
Foul?
CEIC Caption Contest
Submit your caption for this cartoon! The caption with the most votes will win an Apple iPad! Winner will be announced June 10, 2013. Be original and have fun! Enter on our Facebook page.
Attendance at CEIC is not required to participate so join in!