All Blog Entries

  1. Recovering from deleted shadow copies – sometimes you just get lucky

    Scenario

    You have a document that you need to know the provenance of, or in my case you need to find an earlier version. There are no obvious backups and you have checked the existing shadow copies (using vssadmin) and there is nothing of interest there. However, you have good intel to show that the file had been modified, but unfortunately the file was binary and it is not easy or possible to do a keyword search for the older version.

    Technical background
    ...
    Categories
    General Articles
  2. Are we gullible or just naive?

    It never fails to amaze me how many computer forensics investigators are happy to just regurgitate something they have read on a forensics forum or on the Internet in general. While the Internet is obviously a great source of information, we do appreciate, don't we, that it is populated by the well-meaning but sometimes ill-informed.

    It doesn't take you long to find a thread on a computer forensics forum (this includes those forums that are closed to the public) where someone with ...
    Categories
    General Articles
  3. Securely wiping a hard disk versus destroying it.

    I have just spent a considerable amount of time and money destroying some old hard disk drives that have contained indecent images of children from past investigations. This has got me thinking again as to whether secure destruction, be that shredding, hammering a six inch nail through them, degaussing or simple lump hammer therapy, is an appropriate way to destroy the data on the drive, especially given the cost of the drives and the potential for re-use. We are now a green(ish) society after all. ...
  4. Police boot suspects computer.....

    A post on one of the computer forensics forums in relation to computer forensics standards, and specifically about a non-computer-forensics officer switching on a device that is currently switched off, has got me thinking. First off I didn’t see the program (I understand it was in relation to the occupants of a car stopped in for questioning in respect to drug related matters) so can't comment specifically, but that aside, are we a little over-paranoid about computer evidence and the effect that such ...
    Categories
    General Articles
  5. MFTView

    Quote: Originally posted by sandy771
    I have just uploaded a beta version of the software for you to play with. version 1.1.0

    This version has an inbuilt hex editor (based on RevEnge and the same as that seen in LinkAlyzer and PmExplorer). When you select a file entry from the file list, the MFT is displayed raw in the hex view and the decoded fields are displayed in the vertical list to the right of the screen. When a value in the vertical list is selected (say the created date), the relevant bytes in the raw data are highlighted.
    ...
    Categories
    Software