Forensics

A few weeks ago I was contacted about how to decrypt Windows Dropbox DBX files and the same topic appeared on SANS DFIR mailing list too. So I decided to create an Open Source toolkit and this post to brush up on the DBX files created by the Dropbox client on…


This is the biggest and most comprehensive update for ShellBags Explorer to date. While the change log may not be lengthy, there are significant and important changes and optimizations in many of the changes. NEW: Added support for Windows backup related shellbags. These are populated as backup sets are navigated NEW:…


Hello! This release is long overdue! NOTE: All of my software is now digitally signed starting with this release going forward. Most of my other programs have also been signed (but not necessarily changed beyond that). Redownload as needed if you want the signed versions. Last Friday Dave and I…


As requested on the Forensic Lunch and elsewhere, I have done some additional testing to see how a few of the tools handle larger data sets (122 GB E01) and raw images vs E01. Since I added another data set and another image format, I slightly adjusted the spreadsheet Data…


A few days ago, Guillermo Fritz contacted me stating he found an automatic jump list that had more directory entries than what was showing up in the DestList section. When the jump list in question is loaded in Nirsoft’s JumpListsView, 589 directory entries are shown, but JLECmd was only showing…


(This post is part of a larger post which can be found here (this will link to main post once it's out). It has been separated out to keep the main post from getting too long.) Workstation configuration details Information on the GS series VMs is available here and FS series here. DS…


(This post is part of a larger post which can be found here (this will link to main post once it's out). It has been separated out to keep the main post from getting too long.) Workflow overview There are two main sections, carving and searching, below. Each contains an…


The primary focus of this release is the addition of plugins. A plugin allows for processing a key and/or value in order to further process the data available within. For example, UserAssist is Rot13 encoded, so the plugin for UserAssist would un-Rot13 the value names and extract other meaningful things…
