DFIR

A collection of 10 posts

Google Rapid Response - Build Process

During my SANS 508 I first heard about something called Google Rapid Response (GRR) and it piqued my interest then. Unfortunately, as is normal following a SANS course, I was lost in the

Setting Up My Forensic Lab

I have finally bowed to the pressure of my good friend Kev [https://twitter.com/KevTheHermit] and now have a server! I must point out that it is his old server and through

EnScripts – GUI USNJrnl.enscript

Those of you who are following my blog will remember that in my last EnScript blog post [http://chip-dfir.techanarchy.net/?p=138] I created a UsnJrnl EnScript and I promised I would

Timestamp Anomalies - $MFT

Going through my SANS 508 material I decided to have a closer look at some of the material on the Master File Table ($MFT) in the NTFS file system and how the analysis