Another Forensics Blog: comments feed
Blog author: Mari DeGrazia (http://www.blogger.com/profile/07035429062451749639)
Feed last updated: 2024-03-03T22:38:30-07:00

Comments, newest first.

TonyBee (https://www.blogger.com/profile/15574047247356717022), 2018-05-17T23:12:36-07:00:
We had the same situation, and it also coincides with the Windows 10 security/feature update dates. Thanks for sharing.

dudyo (https://www.blogger.com/profile/02156026419025067534), 2018-03-01T15:59:58-07:00:
Looks like the registry change is the same for v16 as well. Thanks for posting this; it helped me figure out whether a user clicked on the document or not.

Anonymous (https://www.blogger.com/profile/04575988267855486279), 2018-01-10T16:05:49-07:00:
Awesome! Nice work, Mari.

Anonymous, 2018-01-10T09:01:21-07:00:
Thank you for posting this information; easy to follow and functional.

Anonymous (https://www.blogger.com/profile/15978620055393228033), 2018-01-07T22:52:08-07:00:
Thanks for the insight.

TrewMTE (https://www.blogger.com/profile/14383857668167815289), 2018-01-07T19:42:16-07:00:
Nice article, helpful and informative. Thanks for being willing to share.

Kevin DeLong (http://www.avairysolutions.com), 2018-01-05T10:10:38-07:00:
Thanks for sharing, as always!

Mari DeGrazia (https://www.blogger.com/profile/07035429062451749639), 2018-01-04T19:09:34-07:00:
I used an E01 file. See Yogesh's answer for FV2.

Mari DeGrazia (https://www.blogger.com/profile/07035429062451749639), 2018-01-04T19:08:37-07:00:
I did not. :( I used the latest version, and while it identified the partition as APFS, it did not parse it out.

Paul Jaramillo, 2018-01-04T12:24:58-07:00:
Did you have any luck getting X-Ways to recognize the APFS image directly? Sounds like in Sep 2017 they added support for it in SR-2: http://www.x-ways.net/winhex/forum/messages/1/4931.html?1511344633

Yogesh (https://www.blogger.com/profile/08526932165369184069), 2018-01-03T15:40:03-07:00:
Ed, this approach will not work for encrypted (FileVaulted) disks. Arsenal Image Mounter is just emulating a disk and making it available to your system as an attached virtual disk; it does no more processing and does not parse any file systems for you.

If and when Paragon supports encrypted disks, then it will work.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2018-01-02T06:44:37-07:00:
Awesome! Very cool, thanks for sharing this!

im1badmf (https://www.blogger.com/profile/15464053297592388050), 2017-10-26T02:43:50-07:00:
Excellent write-up.

Anonymous (https://www.blogger.com/profile/08433843733864038978), 2017-10-19T11:44:21-07:00:
For anyone coming across this great post in the future, we've released an open-source plistutils library for Python which will parse the Alias data and convert Mac dates, among other things: https://github.com/strozfriedberg/plistutils

Mitch Impey (https://www.blogger.com/profile/15321296469098994211), 2017-10-16T11:23:12-07:00:
Awesome post, Mari! Many thanks!

Obi_Juanb8b (https://www.blogger.com/profile/09641047567172501803), 2017-10-16T10:39:21-07:00:
This is an excellent write-up and research! Thanks for sharing!

Shelly (http://www.nerdiosity.com), 2017-10-16T09:30:02-07:00:
Really great post, Mari! As always! Thanks!

Anonymous, 2017-07-20T04:21:28-07:00:
What about internet history synced between an iPhone and a Mac? Can you tell which device actually created the entry in the Safari history?

thinkinginforensics (https://www.blogger.com/profile/14851232514534814653), 2017-07-18T08:30:09-07:00:
Try to use xmount:

    xmount --in ewf --out dd MAC_FC.E* /mnt/raw/

Ben Meredith (https://www.blogger.com/profile/08172944521379508847), 2017-07-03T14:49:19-07:00:
Great catch, appreciate the post.

Anonymous (https://www.blogger.com/profile/16845497695244094797), 2017-04-26T08:16:13-07:00:
So the Windows 10 OS has yet another registry subkey, this one in the SYSTEM hive file: "\Setup\Source OS". The InstallDate information here is the original computer OS install date/time. It also tells you when the update started, i.e. "\Setup\Source OS (Updated on xxxxxx)". This may of course not be when the update ends; the user may choose to turn off instead of rebooting when prompted, etc. The update can actually complete on a different day, and "\Setup\Source OS (Updated on xxxxxx)" will reflect the date/time it started the update.

You can also find instances of multiple "\Setup\Source OS (Updated on xxxxxx)" subkeys, each one reflecting an update.

Anonymous (J. Jones), 2017-04-26T05:55:53-07:00:
I am assuming from the "Windows.old" reference that these are updates to Windows 10 and not a clean install of the full OS? I checked my installs, which were Windows 10 Pro 64-bit and Windows Home 64-bit, and the install dates were correct: Dec. 2016 and April 2017. But since the install disks were newer, I speculate that the update that tripped your dates and times was already on the OS I installed. Although the Pro was prior to Feb 2017. At least the new Redstone 3 "Creators Update" that installed just earlier this week did not muck up the install dates and times.

vINAY jAIN (https://www.blogger.com/profile/15238791807159879893), 2017-04-10T04:57:40-07:00:
Thanks, the script has been very useful.

Anonymous (https://www.blogger.com/profile/09855381429591816256), 2017-04-05T22:40:25-07:00:
Good work.

Susan Bradley (http://www.patchmanagement.org), 2017-02-28T10:26:09-07:00:
Just to state for the record, when any "feature" release is installed, it will indeed wipe out and start over the log files. All event logs from before the feature release are wiped and placed in the Windows.old folder on the system. Not exactly the most forensically nice way to do it. Also be aware that the WindowsUpdate.log file is historically and horrifically now unreliable, as they don't publish the symbol files. The Get-windowsupdate PowerShell command may post out unusable output.
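The two comments above on the SYSTEM\Setup "Source OS (Updated on ...)" subkeys and on what a feature release does to the install dates lend themselves to a small decoding routine. What follows is an added example written for this page, not code from the blog post or from any commenter. It assumes the Setup subkeys have already been read into a plain dictionary (for instance by exporting HKLM\SYSTEM\Setup on a live machine, or by walking an offline SYSTEM hive with a registry parser); the sample values are constructed for illustration. The value names ProductName, CurrentBuild, InstallDate and InstallTime are the ones setup copies from the previous OS's CurrentVersion key into each Source OS subkey; treating the "Updated on" timestamp as the machine's local time is an assumption that should be checked against the event logs.

```python
"""Added example (not from the blog post or its comments): turn the
SYSTEM\\Setup "Source OS (Updated on ...)" subkeys into an upgrade timeline
and recover the original OS install date.

Input is a plain dict {subkey_name: {value_name: value}}, as you would get from
exporting HKLM\\SYSTEM\\Setup on a live box or from an offline SYSTEM hive.
"""
import re
from datetime import datetime, timedelta, timezone

# Subkey name written by Windows setup when a feature update *starts*
# (as the comment notes, the update may only finish on a later day).
SOURCE_OS_RE = re.compile(
    r"^Source OS \(Updated on (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})\)$"
)

# FILETIME counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Decode a REG_QWORD FILETIME (InstallTime) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def epoch_to_utc(secs):
    """Decode a REG_DWORD Unix epoch (InstallDate) to an aware UTC datetime."""
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def parse_updated_on(subkey_name):
    """Timestamp from a Source OS subkey name, or None for any other Setup
    subkey. Assumption: setup writes this in the machine's local time, so it is
    returned naive rather than UTC; confirm against the event logs."""
    m = SOURCE_OS_RE.match(subkey_name)
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")


def install_timestamp(values):
    """Install time of the OS a Source OS subkey describes. A Windows 10 source
    carries InstallTime (FILETIME, 100 ns resolution); a Windows 7 source only
    has InstallDate (epoch seconds), so fall back to that."""
    if "InstallTime" in values:
        return filetime_to_utc(values["InstallTime"])
    if "InstallDate" in values:
        return epoch_to_utc(values["InstallDate"])
    return None


def upgrade_timeline(setup_subkeys):
    """One record per Source OS subkey, oldest upgrade first."""
    records = []
    for name, values in setup_subkeys.items():
        started = parse_updated_on(name)
        if started is None:
            continue  # Status, OOBE, etc. are not upgrade records
        records.append({
            "updated_on": started,
            "from_product": values.get("ProductName"),
            "from_build": values.get("CurrentBuild"),
            "from_installed": install_timestamp(values),
        })
    records.sort(key=lambda r: r["updated_on"])
    return records


def original_install(setup_subkeys, current_install_date):
    """Earliest install timestamp among the Source OS subkeys is the original
    OS install. Returns (original, reset): reset is True when the live
    CurrentVersion\\InstallDate (epoch seconds) is later than the original,
    i.e. a feature update rewrote the install date."""
    stamps = [r["from_installed"] for r in upgrade_timeline(setup_subkeys)
              if r["from_installed"] is not None]
    current = epoch_to_utc(current_install_date)
    if not stamps:
        return current, False  # never upgraded: InstallDate is the original
    original = min(stamps)
    return original, current > original


# Constructed sample, shaped like HKLM\SYSTEM\Setup after two feature updates:
# Windows 7 -> Windows 10 1607 (Aug 2016) -> Windows 10 1703 (Apr 2017).
SAMPLE_SETUP = {
    "OOBE": {},  # ordinary Setup subkey, ignored
    "Source OS (Updated on 4/12/2017 08:20:05)": {
        "ProductName": "Windows 10 Pro",
        "CurrentBuild": "14393",
        "InstallDate": 1470167000,          # 2016-08-02 19:43:20 UTC
        "InstallTime": 131146406001234567,  # same instant, 100 ns resolution
    },
    "Source OS (Updated on 8/2/2016 12:03:41)": {
        "ProductName": "Windows 7 Professional",
        "CurrentBuild": "7601",
        "InstallDate": 1449014400,  # 2015-12-02 00:00:00 UTC; Win7 has no InstallTime
    },
}
# CurrentVersion\InstallDate on the live system after the April 2017 update (constructed).
SAMPLE_CURRENT_INSTALL_DATE = 1492015000  # 2017-04-12 16:36:40 UTC

if __name__ == "__main__":
    for r in upgrade_timeline(SAMPLE_SETUP):
        print(f"{r['updated_on']}  upgrade started from {r['from_product']} "
              f"build {r['from_build']} (installed {r['from_installed']})")
    original, reset = original_install(SAMPLE_SETUP, SAMPLE_CURRENT_INSTALL_DATE)
    print(f"original install: {original}  (InstallDate reset by upgrade: {reset})")
```

On a live system the input dict is whatever your registry export of HKLM\SYSTEM\Setup produces; from a forensic image, read the offline SYSTEM hive with any registry parser and feed the same structure. Because the "Updated on" name marks the start of an upgrade while the next CurrentVersion\InstallDate marks its completion, the gap between the two is where the reboot delay described in the comment shows up.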