SQLite Forensics Book, now available on Amazon


General Articles

  1. Contiguous and fragmented!

    On occasion I have looked at the fragmentation of a file to try to draw some conclusions about how the file was "built" on the disk, i.e. whether the file is contiguous or fragmented. On one occasion this was used to prove that a file hadn't been part of a mass copy exercise (where all the other files were contiguous and laid down one after the other); all pretty basic stuff.

    However today when playing with MFT entries I saw something that I had not seen before and that ...

    Updated 8th August 2012 at 19:46 by Paul (additional research)

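The layout check described above, as an added example that is not code from the original post: it decodes the data runs of a non-resident $DATA attribute in an MFT record into (start LCN, length) extents, reports whether the file's clusters are contiguous or fragmented, and tests whether one file's clusters begin right after another file's end, which is the back-to-back pattern a bulk copy onto free space leaves. The run lists are constructed sample bytes, not taken from a real MFT, and the function names are mine.

```python
"""Decode NTFS data runs from an MFT $DATA attribute and classify the layout.

Added example: the hex strings under __main__ are constructed samples, not
runlists copied from a real MFT record. Names are the example author's own.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Run:
    length: int          # run length in clusters
    lcn: Optional[int]   # starting logical cluster number; None for a sparse run


def decode_data_runs(runlist: bytes) -> List[Run]:
    """Decode an NTFS runlist.

    Each run starts with a header byte: the low nibble is the byte width of the
    length field, the high nibble the byte width of the offset field. The length
    is unsigned; the offset is a signed delta from the previous run's LCN, so a
    later run can sit *before* an earlier one on disk. A zero-width offset marks
    a sparse run that occupies no clusters and does not move the LCN base.
    A zero header byte terminates the list.
    """
    runs: List[Run] = []
    pos, lcn = 0, 0
    while pos < len(runlist) and runlist[pos] != 0:
        header = runlist[pos]
        len_width, off_width = header & 0x0F, header >> 4
        pos += 1
        if len_width == 0 or pos + len_width + off_width > len(runlist):
            raise ValueError(f"malformed run header 0x{header:02x} at offset {pos - 1}")
        length = int.from_bytes(runlist[pos:pos + len_width], "little")
        pos += len_width
        if off_width == 0:
            runs.append(Run(length, None))          # sparse: no clusters allocated
            continue
        lcn += int.from_bytes(runlist[pos:pos + off_width], "little", signed=True)
        pos += off_width
        runs.append(Run(length, lcn))
    return runs


def fragment_count(runs: List[Run]) -> int:
    """Number of physically separate extents; runs that happen to abut are merged."""
    count, next_lcn = 0, None
    for r in runs:
        if r.lcn is None:
            continue                                # sparse runs take no disk space
        if r.lcn != next_lcn:
            count += 1
        next_lcn = r.lcn + r.length
    return count


def is_contiguous(runs: List[Run]) -> bool:
    return fragment_count(runs) <= 1


def last_cluster(runs: List[Run]) -> Optional[int]:
    allocated = [r for r in runs if r.lcn is not None]
    return allocated[-1].lcn + allocated[-1].length - 1 if allocated else None


def follows(previous: List[Run], current: List[Run]) -> bool:
    """True if `current` starts in the cluster right after `previous` ends,
    the layout a mass copy into contiguous free space typically leaves."""
    prev_end = last_cluster(previous)
    first = next((r for r in current if r.lcn is not None), None)
    return prev_end is not None and first is not None and first.lcn == prev_end + 1


if __name__ == "__main__":
    # Constructed runlists (hex) illustrating each case the decoder handles.
    samples = {
        "single run":        "2118345600",
        "three extents":     "3138732534321401E511023142AA000300",
        "written backwards": "1108201104F000",          # second run has a negative offset
        "sparse hole":       "110820010411020800",      # sparse run between two abutting runs
    }
    for name, hexstr in samples.items():
        runs = decode_data_runs(bytes.fromhex(hexstr))
        print(f"{name:18} extents={fragment_count(runs)} contiguous={is_contiguous(runs)} {runs}")
    a = decode_data_runs(bytes.fromhex("11082000"))    # 8 clusters at LCN 32
    b = decode_data_runs(bytes.fromhex("11042800"))    # 4 clusters at LCN 40
    print("b written directly after a:", follows(a, b))
```

Treat the result as one indicator, not proof: a file can be contiguous because it was written once into a large free extent, and a fragmented file is not evidence of anything beyond the state of the free-space map at the time it was written.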
  2. Recovering from deleted shadow copies – sometimes you just get lucky

    Scenario

    You have a document whose provenance you need to establish or, as in my case, an earlier version of which you need to find. There are no obvious backups, and you have checked the existing shadow copies (using vssadmin) and found nothing of interest there. However, you have good intel showing that the file had been modified, but unfortunately the file is binary, so a keyword search for the older version is not easy, or even possible.

    Technical background
    ...
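The shadow-copy check the scenario starts from, as an added example that is not code from the original post: it parses the output of `vssadmin list shadows`, exposes each remaining copy through a directory symlink, and hashes the file of interest in every copy against the live one, so that any differing hash marks an earlier version to pull out. The sample listing is constructed text in the tool's layout (GUIDs and host name made up), the script file name in the usage line is hypothetical, and the mounting step is Windows-only and needs an elevated prompt. Note the caveat the post turns on: only copies still registered with VSS appear in this list, so a deleted or rotated-out shadow copy is invisible to it.

```python
"""List existing shadow copies and compare one file across them.

Added example, not from the original post. SAMPLE_VSSADMIN is constructed text
in the layout `vssadmin list shadows` prints (GUIDs and host name invented).
"""
import hashlib
import os
import re
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ShadowCopy:
    shadow_id: str
    created: Optional[str]   # creation time printed for the shadow copy set
    original_volume: str     # e.g. (C:)\\?\Volume{...}\
    device: str              # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN


# Constructed sample: note the gap between ShadowCopy1 and ShadowCopy3; a copy
# that has been deleted simply does not appear, which is the post's problem.
SAMPLE_VSSADMIN = r"""
Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 01/08/2012 09:12:33
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: EXAMPLE-PC
         Type: ClientAccessible

Contents of shadow copy set ID: {11111111-2222-3333-4444-666666666666}
   Contained 1 shadow copies at creation time: 06/08/2012 18:40:02
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000002}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: EXAMPLE-PC
         Type: ClientAccessible
"""


def parse_vssadmin(text: str) -> List[ShadowCopy]:
    """Turn `vssadmin list shadows` output into ShadowCopy records."""
    copies: List[ShadowCopy] = []
    created: Optional[str] = None
    cur: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Contained \d+ shadow copies at creation time: (.+)", line):
            created = m.group(1)
        elif m := re.match(r"Shadow Copy ID: (\{[0-9A-Fa-f-]+\})", line):
            cur = {"shadow_id": m.group(1), "created": created}
        elif m := re.match(r"Original Volume: (.+)", line):
            cur["original_volume"] = m.group(1)
        elif m := re.match(r"Shadow Copy Volume: (\S+)", line):
            cur["device"] = m.group(1)
            copies.append(ShadowCopy(**cur))
    return copies


def sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def mount_shadow(device: str) -> str:
    """Expose a shadow copy as a directory with `mklink /d` (Windows, elevated).
    The trailing backslash on the device path is required by the shadow driver."""
    link = os.path.join(tempfile.gettempdir(), "vss_" + device.rsplit("Copy", 1)[-1])
    subprocess.run(["cmd", "/c", "mklink", "/d", link, device + "\\"],
                   check=True, capture_output=True)
    return link


def file_versions(copies: List[ShadowCopy], drive: str, relpath: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Hash `relpath` inside every listed shadow copy of `drive` (e.g. 'C:').
    Returns (device, created, sha256 or None if the file is absent in that copy)."""
    results = []
    for sc in copies:
        if not sc.original_volume.startswith(f"({drive})"):
            continue
        link = mount_shadow(sc.device)
        try:
            path = os.path.join(link, relpath)
            digest = sha256(path) if os.path.isfile(path) else None
        finally:
            os.rmdir(link)                  # removes the link only, never the snapshot
        results.append((sc.device, sc.created, digest))
    return results


if __name__ == "__main__":
    if sys.platform != "win32" or len(sys.argv) != 2:
        for sc in parse_vssadmin(SAMPLE_VSSADMIN):
            print(sc.created, sc.device)
        print(r"usage (elevated, Windows): python vss_versions.py C:\path\to\file.bin")
        sys.exit(0)
    target = os.path.abspath(sys.argv[1])
    drive, rel = os.path.splitdrive(target)
    live = sha256(target)
    listing = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True,
                             text=True, check=True).stdout
    for dev, created, digest in file_versions(parse_vssadmin(listing), drive, rel.lstrip("\\")):
        flag = "missing" if digest is None else ("same as live" if digest == live else "DIFFERENT")
        print(f"{created}  {dev}  {flag}")
```

When a copy reports DIFFERENT, copy the file out of the linked snapshot and hash it again after the copy; the hash pair is what ties the recovered version back to the specific shadow copy it came from.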
  3. Are we gullible or just naive?

    It never fails to amaze me how many computer forensics investigators are happy just to regurgitate something they have read on a forensics forum or on the Internet in general. While the Internet is obviously a great source of information, we do appreciate, don't we, that it is populated by the well-meaning but sometimes ill-informed.

    It doesn't take you long to find a thread on a computer forensics forum (this includes those forums that are closed to the public) where someone with ...
  4. Securely wiping a hard disk versus destroying it.

    I have just spent a considerable amount of time and money destroying some old hard disk drives that contained indecent images of children from past investigations. This has got me thinking again about whether secure destruction, be that shredding, hammering a six-inch nail through them, degaussing or simple lump-hammer therapy, is an appropriate way to destroy the data on the drive, especially given the cost of the drives and the potential for re-use. We are now a green(ish) society, after all. ...
  5. Police boot suspect's computer.....

    A post on one of the computer forensics forums in relation to computer forensics standards, and specifically about a non-computer-forensics officer switching on a device that is currently switched off, has got me thinking. First off, I didn't see the program (I understand it was in relation to the occupants of a car stopped for questioning in respect of drug-related matters) so can't comment specifically, but, that aside, are we a little over-paranoid about computer evidence and the effect that such ...