Forensics

Install Autopsy on Linux and on the SIFT workstation

Forensics

Autopsy is an open-source digital forensics platform widely used for investigating and analyzing digital media, such as hard drives, memory cards, and smartphones. Developed by Basis Technology, it serves as the graphical front-end for The Sleuth Kit (TSK), a powerful collection of command-line tools for forensic analysis. It also includes additional tools like PhotoRec. Autopsy simplifies the forensic process by offering a user-friendly interface and features like timeline analysis, keyword searching, file carving, and metadata extraction.

Create your own plugin for RegRipper

Forensics Windows Linux

RegRipper is a collection of powerful Perl scripts that dump the content of a registry hive file into readable text. RegRipper relies on a plugin mechanism, so in this post I will show how to create your own plugin for RegRipper. The example will be very basic and will extract the value of the current ControlSet.

Recover lost files with PhotoRec

Forensics

PhotoRec is file data recovery software designed to recover lost files from hard disks, solid state drives, CD-ROMs and digital camera memory.

Install Eric Zimmerman's forensics tools on Linux

Forensics Linux

In a previous blog post, I presented the forensics tools written by Eric Zimmerman. Although these tools were originally developed for Windows, you can also run them on Linux. This allows a full forensic investigation to be carried out from a Linux computer.

Velociraptor: hunt malware as a pack

Forensics Sysadmin Linux

Velociraptor is a digital forensics and incident response tool that collects information from multiple endpoints at once and lets you easily analyze the collected data using Notebooks and a query language (called Velociraptor Query Language, VQL), which is very similar to SQL. This makes Velociraptor a valuable tool for threat hunting across a large network.

Explore the SAM hive with Regedit (and Sysinternals)

Windows Sysadmin Forensics

The Windows Registry is a kind of database that stores many important configuration parameters for Windows and installed applications. What is specific about this database is that the data is actually stored in different files called hives. One of these is the SAM (Security Account Manager) hive, which stores, among other things, user passwords. Let's explore this hive a little.

Install Sysinternals

Windows Sysadmin Forensics

Sysinternals is a collection of powerful utilities for Windows. They can be used by system administrators to perform local or remote system administration, and also by analysts to perform some forensics tasks. The tools were originally developed by Mark Russinovich, and are now maintained by Microsoft. Here is how to install them…

Guessing the width of an image

Forensics

The human eye cannot interpret a one-dimensional array of pixels. And yet such data turns up in several circumstances, such as a dump of pixel arrays from RAM or disk, image files in a RAW format that does not record the width, or a Capture-The-Flag cybersecurity challenge involving images.

Testing an Image Format

Forensics

Image format testing is a necessary action for digital preservation to ensure that the data will be readable in the long term. It may also be part of the solution to detect image manipulation for cybersecurity defense or in Capture-The-Flag exercises.

Install Eric Zimmerman's forensics toolkit

Forensics Windows

Eric Zimmerman has written a collection of powerful forensics analysis tools. The installation process requires some work, but here is a step by step guide to install the tools on a Windows 11 computer.

SIFT workstation: fix rip.pl error 'Global symbol "$plugindir" requires explicit package name'

Forensics

If you are using the current version of the SIFT workstation, the installed version of RegRipper has a bug that produces the following error message: 'Global symbol "$plugindir" requires explicit package name'. Luckily this bug is easy to fix. Here is how…

Recovering deleted files with Foremost

Forensics Kali Linux

Sometimes files we did not mean to delete are removed from a computer or an external drive, or, in a forensic analysis, we want to look for files that were previously on the system but are now gone. Luckily, there are still ways to recover such data with relative ease!
