Chad Tilbury
484 followers
Computer forensics, incident response, and network security professional.

Chad Tilbury commented on a post on Blogger.
Hi Dave.  Could you clarify this:  "My system drive has 628,480 MFT records, its been in active use for over a year with the current install. Of those 628,480 have POSIX filespace records."   

Are you saying that of 628,480 MFT entries on your test system, 100% had POSIX records?  

Great stuff! -Chad

If you aren't familiar with the Malware Analysis Quant Project from Securosis, their whitepaper is worth a read.  

+David Cowen and I were chatting about his recent post on Windows time manipulation.  Here is an example of a time change event occurring in the System event log (Windows 8).  In this case it was an automatic update as evidenced by the User field showing the SYSTEM account.  If a user initiated the time change we would see their account recorded.

http://hackingexposedcomputerforensicsblog.blogspot.com/2013/10/daily-blog-128-detecting-fraud-sunday.html

Chad Tilbury commented on a post on Blogger.
The Security log should be the first place to check for time manipulation in Win7/8, but if for some reason the log has rolled over or auditing was turned off, you will also often find similar reporting in the System event log, Event ID 1 (Kernel-General).
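The two posts above describe the same triage step: pull Kernel-General Event ID 1 records from the System log and look at who initiated the change (SYSTEM for an automatic update, a user account otherwise). The following is an added example, not code from the original posts; the sample records are constructed, the EVTX namespace is omitted, and the NewTime/OldTime data field names are an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SYSTEM_SID = "S-1-5-18"  # well-known SID for the SYSTEM account

# Constructed sample records (not real log extracts) in the EVTX XML shape,
# EVTX namespace omitted. NewTime/OldTime field names are assumed here.
SAMPLE_EVENTS = [
    # automatic time sync: initiated by SYSTEM, one-second correction
    '<Event><System><Provider Name="Microsoft-Windows-Kernel-General"/>'
    '<EventID>1</EventID><Channel>System</Channel>'
    '<Security UserID="S-1-5-18"/></System>'
    '<EventData><Data Name="NewTime">2013-10-27T03:00:07Z</Data>'
    '<Data Name="OldTime">2013-10-27T03:00:06Z</Data></EventData></Event>',
    # unrelated Kernel-General event, must be ignored
    '<Event><System><Provider Name="Microsoft-Windows-Kernel-General"/>'
    '<EventID>12</EventID><Channel>System</Channel>'
    '<Security UserID="S-1-5-18"/></System><EventData/></Event>',
    # user-initiated change: constructed user SID, clock set back 30 days
    '<Event><System><Provider Name="Microsoft-Windows-Kernel-General"/>'
    '<EventID>1</EventID><Channel>System</Channel>'
    '<Security UserID="S-1-5-21-1111-2222-3333-1001"/></System>'
    '<EventData><Data Name="NewTime">2013-09-27T10:15:00Z</Data>'
    '<Data Name="OldTime">2013-10-27T10:15:00Z</Data></EventData></Event>',
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def time_changes(records, max_skew_seconds=300):
    """Return Kernel-General Event ID 1 records with initiator and clock delta."""
    hits = []
    for raw in records:
        ev = ET.fromstring(raw)
        sysnode = ev.find("System")
        if (sysnode.find("Provider").get("Name") != "Microsoft-Windows-Kernel-General"
                or sysnode.findtext("EventID") != "1"):
            continue
        data = {d.get("Name"): d.text for d in ev.iter("Data")}
        delta = (_ts(data["NewTime"]) - _ts(data["OldTime"])).total_seconds()
        sid = sysnode.find("Security").get("UserID")
        hits.append({
            "initiator": "SYSTEM" if sid == SYSTEM_SID else sid,
            "delta_seconds": delta,
            # flag when a logged-on user changed the clock or the jump is large
            "suspicious": sid != SYSTEM_SID or abs(delta) > max_skew_seconds,
        })
    return hits
```

On a live system the same records can be exported from the System log and fed in as XML strings; the per-record SID maps to the User column shown in Event Viewer.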

I recently re-read Chris Ries' whitepaper, Inside Windows Rootkits, and was impressed at how well he explains Windows internals concepts.  The paper is surprisingly relevant seven years later.    

Windows 8 memory forensics is here!

If you haven't played with the most recent Volatility plugins for Linux (and Mac) memory forensics, you really should.  The capabilities they provide are impressive.   

Investigate Shadow Copies from your Windows forensic workstation:  ShadowKit v1.6 released!

While I am thankful that we finally have excellent tools for investigating shadow copies (i.e. ShadowKit and Joachim Metz's libvshadow project), I find it frustrating that it took so many years for good solutions to emerge.  Now with the emergence of Windows 8, we are back to where we started (Windows 8 has a different implementation for "previous versions").  Shadow copies are arguably the most important forensic artifacts available in Windows 7.  Why are commercial forensic vendors not at the cutting edge of providing these kinds of capabilities?    

Excellent infographic from Ange Albertini showing the universe of executable packers.