Digital Forensic Blog


We've written about a few topics here that interest us.


Windows 11 Time Rules

Windows 11 is now the default operating system on many new devices. Time rules based on user interactions in Windows 10 have been well documented in the SANS red poster, but how does Windows 11 respond to these same actions? Here's an initial investigation into this behaviour.

USB connection artifact analysis

Artifacts generated when a USB device is connected to a Windows system are well documented, but are they still generated when no user accounts are logged into the system?

Analysing PinePhones

The PinePhone is one of the first true Linux-based smartphone projects that has released mobile devices, available to the general public, with a smartphone-specific variant of Linux pre-flashed onto the device. Although these are very much still in the testing and development phase, there is the prospect of such devices becoming more common in the future, and it's fun to see what data may be stored on a device, where, and how we can acquire it, to work out how it may be useful to a digital forensic investigation if one of these devices was seized as part of a case. I therefore provide a cheatsheet based on my research so far on where data of interest may be stored.

Introducing Pipe Viewer

The Linux Pipe Viewer command (pv) shows a progress bar for the volume of data passing through it. Used with commands like dd, it can show the progress of a data acquisition.

Using Windows Subsystem for Linux for forensics

WSL is a powerful tool that allows Bash scripts and Linux programs to be run on a Windows system. It can also be set up on an offline system, which is the best-practice configuration for forensic workstations, and we show you how we've set this up.

Profiling a Windows disk image with sysprofiler

sysprofiler is a bash script that extracts many common artefacts from a Windows disk image. It supports raw and E01 images and runs on a Linux command line or using WSL.

© Khyrenz 2022