Visualizations - Visualizing USN Journal Activity
Since learning about the USN journal, my investigative process has never been the same. It is a powerful artifact that can tell us much about what has transpired on a

Web Browsers - The Chrome history was cleared! Now what? (part 1) Settings and Bookmarks
Ok, so for the sake of this post, let's assume that the answer to the question posed in the previous part ("Was the history cleared?") was yes, it

Web Browsers - The Chrome history was cleared! Now what? (part 0)
First, let's take a step back. Why do you think that the Chrome history had been cleared? Is it because there are no browsing records at all? Gaps in the

Web Browsers - Chrome Transition Values
The Chrome transition values are nothing new and haven't changed much through all the different releases of Chrome. They have been discussed in a number of places. However, most of

Web Browsers - Detecting Clock Changes Using Cookies
The forensics community has found many ways to identify system clock changes; Lee Whitfield's article and SANS presentation are excellent resources on the topic. In his presentation and in another

Digital Forensics - Deleted File Recovery using foremost
In this post, we'll use the Linux program foremost to recover files, both existing and deleted, from a .dd image. foremost is what is known as a data-carving utility.

Digital Forensics - Slack Space
Slack space can exist when a file's size is not a multiple of the file system's cluster size. As a little refresher, a sector is the smallest amount of data

Digital Forensics - Imaging Using dcfldd
In this post, a 128MB USB thumb drive will be imaged on a Linux system using dcfldd onto a 1GB USB thumb drive. dcfldd is an improved version of dd; most of the syntax is identical, and only a few functions have been added. As