Resources
30 Oct 2020
This is a selection of some tools, cheatsheets and presentations I have developed over the years.
Filesystem Cheatsheets
When I started forensics the filesystem was one of the most important artifacts we worked with. In fact one of the key benefits of forensic tools was the ability to recover deleted files! While there are a plethora of valuable forensic artifacts in modern operating systems there are still times when the fundamentals of the filesystem are important, and there are still times when I want to validate what my tools are telling me. These cheatsheets are modeled on the format used in RFCs to describe network packets, 16 bytes wide which is standard for most hex editors (unfortunately most commercial forensic suites do a really poor job of presenting raw hex in a useful format, unless of course you use x-ways).
On a side note if you find these useful feel free to drop me a note and let me know. I have been surprised a few times to find people have been sharing these on a range of courses and tool collections, which is great, but I only once heard from someone that they were using them, although that was to suggest some improvements so is worth bonus points.
- Master Boot Record & GUID Partition Table
- FAT Filesystem
- NTFS Filesystem (really just the boot sector & $MFT)
- Linux EXT filesystem
- Linux XFS filesystem
- Linux Logical Volume Manager (LVM)
Conference Presentations and Training materials
- NTFS Bit by Byte, an introdction to NTFS with worksheets and sample images
- A case study of triage techniques at NSW Police State Electronic Evidence Branch presented at HTCIA 2011
- The Use of Random Sampling in Investigations Involving Child Abuse Material. Presented at DFRWS 2012. This paper presents a methodology which has been used to address two ubiquitous problems of practicing digital forensics in law enforcement, the ever-increasing data volume and staff exposure to disturbing material. It discusses how the New South Wales Police Force, State Electronic Evidence Branch (SEEB) has implemented a “Discovery Process”. Using random sampling of files and applying statistical estimation to the results, the branch has been able to reduce backlogs from three months to 24 h. The process has the added advantage of reducing staff exposure to child abuse material and providing the courts with an easily interpreted report. The software portion of the Discovery process is contained within the framework of Guidance software’s forensic tool, EnCase. This is then further customized for the Discovery process by using the EnCase EnScript language. DFRWS page & slides are here
- Windows Behavioural Analysis. Some tools and techniques to apply behavioural or dynamic analysis techniquest to identifying application artifacts and behaviour. Presented with Jonathan Rajewski at CEIC 2011