Digital Forensic Survival Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 159:21:00

Information:

Synopsis

Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.

Episodes

  • DFSP # 034 - Forensic tools for your Mac

    11/10/2016 Duration: 25min

    This week I go over some of my favorite Mac tools.

  • DFSP # 033 - PLISTS for Mac Triage

    04/10/2016 Duration: 20min

    This week I talk about some common PLISTS to check as part of an initial system triage.

  • DFSP # 032 - Mac Formats, Libraries & Keychains

    27/09/2016 Duration: 19min

    This week I talk about common Mac file formats, Libraries and Keychains.

  • DFSP # 031 - Mac User Home Folder

    20/09/2016 Duration: 18min

    This week I talk about Mac Home Folders to give Mac Examiners an idea of how it is structured and where to look for certain artifacts.

  • DFSP # 030 - OS X Spotlight

    13/09/2016 Duration: 19min

    This week I talk about OS X's Spotlight feature, a powerful indexing and search engine built into your Mac that may be harnessed for computer forensic purposes.

  • DFSP # 029 - Mac Cooties?!

    06/09/2016 Duration: 21min

    This week I talk about AppleDouble files and what to make of them during a forensic exam.

  • DFSP # 028 - Microcast

    30/08/2016 Duration: 03min

    This week I am taking a breather and doing some planning for future topics. If you have a topic you would like to see covered mention it in the show notes. Full episodes will return the first week of September.

  • DFSP # 027 - Mac as a forensic platform

    23/08/2016 Duration: 30min

    This week I go over some of my top reasons why Macs should be considered as a computer forensic platform.

  • DFSP # 026 - File Juicer

    16/08/2016 Duration: 17min

    File Juicer is an easy to use data carving tool that runs on OS X. Take most any file, drop it on File Juicer, and watch it spin out embedded image, movie, document files and text. Perfect for on-scene triage, lab work and exploring new file types.

  • DFSP # 025 - RAM Extraction Tools - Part 2

    09/08/2016 Duration: 29min

    This is part two of RAM extraction tools. Part 1 looked at why RAM extraction is an important part of forensic analysis. In Part 2 the results of a benchmark experiment with four different RAM extraction tools are discussed: DumpIt, Belkasoft's RAM Capturer, Magnet RAM Capture and the RAM extraction feature in FTK Imager.

  • DFSP # 024 - RAM Extraction Tools - Part 1

    02/08/2016 Duration: 20min

    This episode is a two-parter looking at RAM extraction tools. Part 1 will take a look at why RAM extraction is an important part of forensic analysis. Part 2 will go over an experiment I did with four different tools: DumpIt, Belkasoft's RAM Capturer, Magnet RAM Capture and the RAM extraction feature in FTK Imager.

  • DFSP # 023 - Battle Royale: FTK vs EnCase vs WinHEX

    25/07/2016 Duration: 20min

    This week I take a look at three popular computer forensic suites: FTK, EnCase and WinHex. I offer my opinion as to the strengths and weaknesses of each.

  • DFSP # 022 - DFIR Certification Planning & Considerations

    19/07/2016 Duration: 30min

    If you take a look at all the different DFIR certifications that exist today you can easily get overwhelmed. There are so many to choose from it puts meaning to the saying that too many choices is no choice at all. In this episode I take a look at digital forensic certifications from two different vantage points to provide a little guidance to those that may be trying to advance themselves through a certification or two.

  • DFSP # 021 - The Honeynet Project

    12/07/2016 Duration: 16min

    For those looking to get some real world hands-on experience in DFIR to build up or expand your skill set, check out honeynet.org. The non-profit offers information and challenges to help sharpen your skills.

  • DFSP # 020 - Amcache Forensics - Find Evidence of App Execution

    05/07/2016 Duration: 25min

    This week I talk about Amcache Forensics, a Windows artifact that collects details about programs that have been run on a given system. This evidence can support malware/intrusion investigations, file use and knowledge exams and data spoliation inquiries.

  • DFSP # 019 - Password Cracking with Hashcat

    28/06/2016 Duration: 24min

    The last talk in the Open-Source password cracking series focuses on a tool that rivals the pay tools in function and capability - Hashcat.

  • DFSP # 018 - John the Ripper

    20/06/2016 Duration: 24min

    Last episode I talked about using Cain to attack Windows LANMAN and NTLM hashes. Next we will discuss John the Ripper, Linux password files and rainbow tables.

  • DFSP # 017 - Cracking Passwords with Cain

    13/06/2016 Duration: 23min

    In the last episode I talked about PW psychology, an important part of operationalizing any PW cracking tool effectively. Face it, the math is against you so understanding a person’s probable PW patterns is important. In this episode we will talk about our first tool that can be used against a PW file. First let’s go over some general features you will likely find in a PW cracking tool.

  • DFSP # 0016 - Password Psychology

    06/06/2016 Duration: 32min

    The next mini series will focus on open source password attack tools. There are some pay options out there, however, most IR teams do not have a need for it and disk forensic teams use it infrequently. Despite this many labs want the capability so it makes sense to explore the open source options first before spending the money. My goal here is to talk about these options to provide some insight and to open the series I thought I'd talk about password psychology since the weakest link in any password algorithm is usually the person using it.

  • DFSP # 015 - $UsnJrnl File

    31/05/2016 Duration: 13min

    The $UsnJrnl is an artifact that logs certain changes to files in NTFS volumes. It is a great source of timeline information for malware/IR investigations, time stomping concerns and anti-forensics activities (i.e. wiping) as well as an additional source of file use and knowledge evidence for disk forensics.

Page 24 of 25