Forensics

This is the biggest and most comprehensive update for ShellBags Explorer to date. While the change log may not be lengthy, many of its entries involve significant and important changes and optimizations. NEW: Added support for Windows backup-related shellbags. These are populated as backup sets are navigated. NEW:…

Hello! This release is long overdue! NOTE: All of my software is now digitally signed starting with this release going forward. Most of my other programs have also been signed (but not necessarily changed beyond that). Redownload as needed if you want the signed versions. Last Friday Dave and I…

As requested on the Forensic Lunch and elsewhere, I have done some additional testing to see how a few of the tools handle larger data sets (122 GB E01) and raw images vs E01. Since I added another data set and another image format, I slightly adjusted the spreadsheet Data…

A few days ago, Guillermo Fritz contacted me stating he found an automatic jump list that had more directory entries than what was showing up in the DestList section. When the jump list in question is loaded in Nirsoft’s JumpListsView, 589 directory entries are shown, but JLECmd was only showing…

(This post is part of a larger post which can be found here (this will link to main post once it's out). It has been separated out to keep the main post from getting too long.) Workstation configuration details Information on the GS series VMs is available here and FS series here. DS…

(This post is part of a larger post which can be found here (this will link to main post once it's out). It has been separated out to keep the main post from getting too long.) Workflow overview There are two main sections, carving and searching, below. Each contains an…

The primary focus of this release is the addition of plugins. A plugin allows for processing a key and/or value in order to further process the data available within. For example, UserAssist is Rot13 encoded, so the plugin for UserAssist would un-Rot13 the value names and extract other meaningful things…
