The Windows registry contains information that is helpful during a forensic analysis. The Windows registry is an excellent source of evidential data, and knowing what type of information could possibly exist in the registry, and where it is located, is critical during the forensic analysis process. Let’s analyze the main keys… Recently opened Programs/Files/URLs: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU. MRU is the abbreviation for […]
Amcache and Shimcache can provide a timeline of which program was executed, when it was first run, and when it was last modified. In addition, these artifacts provide program information such as the file path, size, and hash, depending on the OS version.
Essential information during timeline analysis. During a forensic analysis, especially during timeline analysis, you deal with MAC timestamps, so it’s important to know and understand the concept of time resolution. The MAC(b) times are derived from file system metadata and stand for: Modified, Accessed, Changed ($MFT Modified), and Birth (file creation time). The (b) is […]
Some information gathered while preparing for the GCFA exam.
Simplify Linux digital forensics! LiMEaide is a Python application developed by Daryl Bennett that can remotely dump the RAM of a Linux client. It can also create a Volatility profile for later analysis. In order to use LiMEaide, all you need to do is feed it a remote Linux client IP address, sit back, and consume your […]