File Systems

This category contains 32 posts

SQLite Database Deleted Records Carving & Forensics

SQLite is a compact database engine highly integrated with embedded devices and locally used applications in various Operating Systems. Recent years have seen extensive usage of portable devices like tablets, smartphones, etc. and this has given rise to adaption of the SQLite application. It also amplifies the chances for surfacing digital evidence using forensic analysis … Continue reading

Linux Timestamps, Oh boy!

Timestamps are critical for analysts; they usually deal with different filesystems and understanding how the file timestamps work on each is crucial to what they do. If you do an online search for Linux timestamps, you’ll get a ton of information but the idea here is to put together different common file operations such as move, … Continue reading

Evidence Acquisition and Analysis from Live Exchange

A great amount of legal and forensics discussion is involved when there is an investigation procedure that involves the seizing of crucial evidence from a Live Exchange server. Whenever there is such an investigation, two things remain in focus:

- Identification of suspect evidence from the network
- Collection approach that maintains exactitude of evidence

There has been … Continue reading

Windows Forensics and Security

By Adrian Leon Mare. The world we live in today is a technologically advanced world. While on one hand, commercialization of IT (Information technology) revolutionized our modern day lifestyle, it has raised a big question mark about the confidentiality and privacy of the information shared and managed using advanced means of communication. As computer … Continue reading

Samsung Galaxy Android 4.3 Jelly Bean acquisition using Joint Test Action Group (JTAG)

There have been some issues during data acquisitions with Samsung Galaxy having the Android 4.3, Jelly Bean as the operating system even if using the recommended steps for Logical File Dump, File System, or Physical Acquisitions for Cellebrite UFED Touch, Classic, and UFED4PC. All were unable to connect even if the mobile device was in … Continue reading

Forensic analysis of the ESE database in Internet Explorer 10

———————————————————— Due to me not being able to reformat our thesis in a good way I strongly suggest you look at the whole paper in PDF format here: /Philip ———————————————————— Forensic analysis of the ESE database in Internet Explorer 10 Bachelor thesis June 2013 Authors: Bonnie Malmström & Philip Teveldal Bachelor thesis School of Information … Continue reading

OS X Mavericks Metadata

Apple recently released the newest version of their desktop operating system, Mac OS X Mavericks.  As a free update to all supported Apple desktops and laptops, a wide adoption rate was expected, and in fact it was estimated that within the first 24 hours, 5.5% of all Mac laptops and desktops were already running the … Continue reading

Analysis Of iOS Notes App

As part of my third year studying Digital Security, Forensics & Ethical Hacking at GCU, I took part in a group research project to study the artifacts created when using the notes app on an iPad Mini, and if they could be used as evidence. This post is really just going to explain what I did, … Continue reading

ForGe – Computer Forensic Test Image Generator

Introduction: Creating test material for computer forensic teaching or tool testing purposes has been a known problem. I encountered the issue in my studies of Computer Forensics at the University of Westminster. We were assigned a task to compare computer forensic tools and report results. Having already analysed test images by Brian Carrier ( over … Continue reading

Geo-tagging & Photo Tracking On iOS

As you may already know, Apple has always been criticized for using their extremely popular devices to track users and use this information to expand their own databases. This tutorial assumes that you have already jailbroken your device and you know how to navigate your way through iOS menus; if you don’t, then check out our other articles … Continue reading

Interpretation of NTFS Timestamps

Introduction: File and directory timestamps are one of the resources forensic analysts use for determining when something happened, or in what particular order a sequence of events took place. As these timestamps usually are stored in some internal format, additional software is needed to interpret them and translate them into a format an analyst can … Continue reading

Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images

When the authors first published this paper, their intentions were to develop a comprehensive guide to digital forensic timelines in order to consolidate the many fragmented sources of information concerning this topic.  What they discovered, however, was that quality references were often challenging to find among various books, papers, periodicals, filesystem specifications and source code. … Continue reading

Parallels hard drive image converting for analysis

Abstract: The other day, talking to one of the analysts in Dallas, a question emerged about analyzing Parallels’ virtual machine hard drives. To my surprise, I did not find much help on this issue on-line and did not find tools that would interpret the file system in Parallels’ hard drive images. The simplest way I … Continue reading

Android Forensics Study of Password and Pattern Lock Protection

Let’s see what Pattern Lock is, how to access, determine or even get rid of it? We’ll also speak about Password Lock Protection and find out what it has in common with Pattern Lock. And finally we’ll try to understand how these locks are related to forensic investigation process. What is Pattern Lock? Generally pattern lock … Continue reading

Standard Units in Digital Forensics

by Dr Chris Hargreaves, Lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK. One of the earliest lectures in the MIT Openware programme in Physics begins with the lecture “Units and Dimensional Analysis”. Units of measurement are critical to science, so much so that there is a standard that defines science’s … Continue reading

