LNK Files…

Link files are created by the system when a file is opened. Even if that file is opened and edited on removable media and never copied to the system, a link file will be created. Link files contain a whole host of useful information including the original location of a . . . Read more

First / Last USB Plugged in

Navigate to the following file: %WINDIR%\inf\setupapi.dev.log. This is very similar to the setupapi.log from Windows XP, except Microsoft moved it slightly further away. They have a habit of doing this; I suspect it's to charge more for consultancy or something. Setupapi.dev.log can be viewed in a highly complex program known . . . Read more

USB Forensics Volume Serial Number

We are now going to move on to the Volume Serial Number. This is created by Windows Vista and later operating systems each time the device is formatted. We will be looking in the EMDMgmt key for the Volume Serial Number, which according to this TechNet blog around Windows Vista, is where . . . Read more

USB Forensics Volume Name

We will discover the Volume Name of the USB device. This can be helpful when looking into Link (.lnk) files (which I will cover in a later blog post). It can also occasionally serve as supporting evidence if the user has named the volume after their own name, or better . . . Read more

USB Serial Number

To find the serial number of a USB device, we must start our investigation in the Registry's System hive. Navigate to the following key: SYSTEM\CurrentControlSet\Enum\USBSTOR. This key will display all of the USB devices plugged into the machine regardless of user. The serial number will be a sub-key of . . . Read more

Mobile Forensics Process

There is a procedure to complete mobile device forensic activity. These processes are as follows: Seizure: The seizure of the mobile device is crucial in forensics. An examiner should use the best way to seize the mobile device and make sure that changing, manipulating, or overwriting the memory does not take place. The . . . Read more

File Carving or File Recovery

File carving is a process used in computer forensics to extract data from a disk drive or other storage device without the assistance of the file system that originally created the file. It is a method that recovers files from unallocated space without any file information and is used to . . . Read more

Network Forensic Analysis and Examination

Introduction: Devices connected to the network continue to proliferate: computers, smartphones, tablets, etc. As the number of attacks against networked systems grows, the importance of network forensics has increased and become critical. To deploy immediate response in case of an attack, network clerks should be able to discover and understand what . . . Read more

Embedded Device Forensics

Introduction: Nowadays, digital devices are everywhere and everything is connected via the Internet. These devices include digital watches, gaming consoles, multimedia appliances, etc. The growing use of such devices brings greater attention to embedded device forensics. This article is concerned with forensic analysis of embedded devices and shows the examination . . . Read more