The Windows Recycle Bin contains files that have been deleted by the user, but not yet purged from the system: a valuable source of evidence for an examiner.
OS X is, in effect, a *nix-based system.
Therefore the forensic image acquisition processes are very similar to those used on Linux systems.
Today I’d like to share my personal acquisition workflow for Apple Mac systems, suitable for OS X before 10.11 (El Capitan) or any OS X version with SIP disabled.
The hibernation file (hiberfil.sys) is the file used by default by Microsoft Windows to save the machine’s state as part of the hibernation process.
Microsoft Windows uses a paging file, called pagefile.sys, to store page-size blocks of memory that do not currently fit into physical memory.
This file, stored at %SystemDrive%\pagefile.sys, is a hidden system file and it can never be read or accessed by a user, including Administrator.
A very brief post, just a reminder about a very useful Volatility feature.