Another Forensics Blog
Digital Forensics and Incident Response Research, Python Scripts and Musings
Wednesday, June 13, 2018
Malicious PowerShell in the Registry: Persistence
This is the second part in my series on Finding and Decoding Malicious PowerShell Scripts. My first blog post walked through how to find ...
Friday, January 5, 2018
Mounting an APFS image in Linux
As a follow-up to my post on how to mount APFS images on Windows, I wanted to post about how to mount an APFS image on a Linux system. If y...
Monday, January 1, 2018
How to mount Mac APFS images in Windows
APFS is the new file system for Mac OS, and so far, many forensic suites are playing catch up as far as support goes. As such, workarounds m...
Monday, October 16, 2017
Finding and Decoding Malicious PowerShell Scripts
PowerShell. It's everywhere. I've started coming across more and more malicious PowerShell scripts. Why do attackers love us...
Friday, February 24, 2017
Onion Peeler: Batch Tor Lookup Program
Logs, Logs, Logs. I see, IPs. When reviewing log files for suspect activity it can be helpful to look up information related to IP addresses...
Monday, February 20, 2017
When Windows Lies
Wait, What? Windows lies? I believe so... I worked a case where I checked the Windows Install date and it was a couple days before we rece...
Wednesday, October 5, 2016
Quicklook thumbnails.data parser
Earlier this year at the request of a reader I wrote a tool to parse the Quicklook thumbnails index.sqlite file. This sqlite database sto...