Paul's blogs/ramblings

  1. SQLite Recovery

    Many recent applications and even operating systems, particularly on mobile phones, have embraced the SQLite database as a standard. This means that as forensic investigators we need to be able to find and parse these databases as part of almost every case.

    While there are tools that can examine specific SQLite databases, such as SkypeAlyzer and NetAnalysis, and these tools provide functionality to parse databases to look for deleted records and to carve records from unallocated space ...
    Categories
    Software
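    The two operations the excerpt above mentions, locating SQLite databases in arbitrary bytes and parsing a database for places where deleted data can persist, can be shown on the SQLite file format itself. The following is an added example written for this page; it is not code from the post or from the tools it names. It scans a constructed byte blob for the 16-byte file header magic, parses the page size and freelist fields of the 100-byte header, walks the freelist trunk chain and cross-checks the walk against the header's page count. The sample database is constructed inline with Python's own sqlite3 module (table name, row count and the "deleted-message-" marker are all assumptions made for the example).

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def find_sqlite_headers(blob):
    """Return every offset in blob where a SQLite file header begins.
    This is the first pass of carving databases out of unallocated space."""
    offsets, start = [], 0
    while True:
        idx = blob.find(SQLITE_MAGIC, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def parse_header(data):
    """Parse the header fields this example needs (all big-endian)."""
    if data[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    trunk, count = struct.unpack_from(">II", data, 32)  # first freelist trunk, total free pages
    return {"page_size": page_size, "freelist_trunk": trunk, "freelist_count": count}


def walk_freelist(data, hdr):
    """Follow the freelist trunk chain and return every free page number
    (trunk pages plus the leaf pages they list). Page numbers are 1-based."""
    ps, trunk, pages, seen = hdr["page_size"], hdr["freelist_trunk"], [], set()
    while trunk:
        base = (trunk - 1) * ps
        if trunk in seen or base + 8 > len(data):
            raise ValueError("freelist loop or truncated file at page %d" % trunk)
        seen.add(trunk)
        pages.append(trunk)
        next_trunk, n_leaves = struct.unpack_from(">II", data, base)
        if n_leaves > (ps - 8) // 4:
            raise ValueError("corrupt trunk page %d: %d leaf pointers" % (trunk, n_leaves))
        pages.extend(struct.unpack_from(">%dI" % n_leaves, data, base + 8))
        trunk = next_trunk
    return pages


def build_sample_db(path):
    """Constructed sample: fill a table across many pages, then delete every
    row so the leaf pages move to the freelist while their bytes stay on disk."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE msgs(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO msgs(body) VALUES (?)",
                    [("deleted-message-%04d " % i + "x" * 200,) for i in range(400)])
    con.commit()
    con.execute("DELETE FROM msgs")  # no VACUUM, so freed pages are not reclaimed
    con.commit()
    con.close()


def analyse_sample():
    """Build the sample, read it back as raw bytes, and compare the header's
    freelist count with the pages actually reachable from the trunk chain."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        build_sample_db(path)
        with open(path, "rb") as f:
            data = f.read()
    hdr = parse_header(data)
    free = walk_freelist(data, hdr)
    ps = hdr["page_size"]
    # Count marker strings still physically present inside the freed pages.
    residue = sum(data[(p - 1) * ps:p * ps].count(b"deleted-message-") for p in free)
    return {**hdr, "walked": len(free), "residue_hits": residue}


if __name__ == "__main__":
    print(analyse_sample())
```

    A freelist count that disagrees with the walked chain is itself a finding (truncation, corruption, or a tool that rewrote the header). The residue_hits figure is informational only: it will be zero on a SQLite build compiled with secure_delete enabled, which overwrites freed content, and a real case would also need to look at freeblocks inside live pages, which this example does not do.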
  2. Contiguous and fragmented!

    On occasion I have looked at the fragmentation of a file to try to draw some conclusions as to how the file has been "built" on the disk, i.e. is the file contiguous or is it fragmented. On one occasion this was used to prove that a file hadn't been part of just a mass copy exercise (where all the other files were contiguous and one after the other), all pretty basic stuff.

    However today when playing with MFT entries I saw something that I had not seen before and that ...

    Updated 8th August 2012 at 19:46 by Paul (additional research)

    Categories
    General Articles
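    Whether a file is contiguous or fragmented is read from the run list of its non-resident $DATA attribute in the MFT entry, so the following added example (written for this page, not code from the post, and not reproducing whatever the post goes on to describe) decodes that encoding. Each run begins with a header byte whose low nibble gives the size of the cluster-count field and whose high nibble gives the size of the LCN-offset field; the offset is little-endian, signed, and relative to the previous run's LCN, and a zero-size offset marks a sparse run. The run lists below are constructed for the example, not taken from a real volume.

```python
def decode_run_list(runs):
    """Decode an NTFS run list into a list of {'vcn', 'lcn', 'length'} dicts.
    'lcn' is None for sparse runs. Stops at the 0x00 terminator."""
    out, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(runs):
        header = runs[pos]
        pos += 1
        if header == 0:
            break
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError("malformed run header at byte %d" % (pos - 1))
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            run_lcn = None  # sparse run: no clusters allocated
        else:
            # signed delta relative to the previous run's starting LCN
            lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
            pos += off_size
            run_lcn = lcn
        out.append({"vcn": vcn, "lcn": run_lcn, "length": length})
        vcn += length
    return out


def fragment_count(runs):
    """Number of physically separate extents. Two runs that happen to be
    adjacent on disk are merged, since the data is contiguous regardless of
    how the run list was split; a sparse run always breaks an extent."""
    extents, prev_end = 0, None
    for run in decode_run_list(runs):
        if run["lcn"] is None:
            prev_end = None
            continue
        if run["lcn"] != prev_end:
            extents += 1
        prev_end = run["lcn"] + run["length"]
    return extents


def is_contiguous(runs):
    return fragment_count(runs) == 1


# Constructed run lists (hex). 0x31: 1-byte length, 3-byte offset; 0x21: 1-byte length, 2-byte offset.
RUN_CONTIGUOUS = bytes.fromhex("31 08 00 10 00 00")           # 8 clusters at LCN 0x1000
RUN_SPLIT_ADJACENT = bytes.fromhex("21 04 00 10 21 04 04 00 00")  # 4 at 0x1000, then 4 at 0x1004
RUN_FRAGMENTED = bytes.fromhex("21 04 00 10 21 04 00 20 00")     # 4 at 0x1000, then 4 at 0x3000
RUN_BACKWARDS = bytes.fromhex("21 04 00 10 21 04 00 F0 00")      # second delta is -0x1000 -> LCN 0

if __name__ == "__main__":
    for name in ("RUN_CONTIGUOUS", "RUN_SPLIT_ADJACENT", "RUN_FRAGMENTED", "RUN_BACKWARDS"):
        runs = globals()[name]
        print(name, decode_run_list(runs), "fragments:", fragment_count(runs))
```

    The RUN_BACKWARDS case is the one worth checking in any hand-written decoder: a second run that lies at a lower LCN than the first is encoded with a negative delta, and reading the offset field as unsigned would place it far beyond the end of the volume.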
  3. Windows Registry Forensics

    I had been waiting with some anticipation for this book. I have done a lot with the registry over the years, including writing my own registry viewer, and I was looking forward to what I was hoping would be an authoritative reference. I was both pleased with what I got and a little disappointed.

    I wanted to get the paper version but was too impatient to wait until it was released over on this side of the pond so I decided it was time to try a digital book.

    To be fair ...

    Updated 15th February 2011 at 19:16 by Paul (Typos)

    Categories
    Reviews
  4. Recovering from deleted shadow copies – sometimes you just get lucky

    Scenario

    You have a document that you need to know the provenance of, or in my case you need to find an earlier version. There are no obvious backups and you have checked the existing shadow copies (using vssadmin) and there is nothing of interest there. However, you have good intel to show that the file had been modified, but unfortunately the file was binary and it is not easy, or even possible, to do a keyword search for the older version.

    Technical background
    ...
    Categories
    General Articles
  5. Are we gullible or just naive?

    It never fails to amaze me how many computer forensics investigators are happy to just regurgitate something they have read on a forensics forum or on the Internet in general. While the Internet is obviously a great source of information, we do appreciate, don't we, that it is populated by the well-meaning but sometimes ill-informed.

    It doesn't take you long to find a thread on a computer forensics forum (this includes those forums that are closed to the public) where someone with ...
    Categories
    General Articles
Page 1 of 2