SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Registry Forensics, Volume Shadow Copies and Windows 8

It's the "better late than never" edition of Case Leads and I've got lots of great stuff for you this week. Lots of great articles and papers to read, including a very cool post by Andrew Case on recovering registry hives from a system that's been reformatted and had the OS reinstalled, as well as several how to articles by Harlan Carvey. Rob Lee also checks in with an excellent article on timelines and volume shadow copies. Yes, all that and more, so let's get started! Oh, by the way, if you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

<strong>Tools:</strong>
<ul>
<li><a href="http://dfsforensics.blogspot.com/2011/09/announcnig-registry-decoder.html">Registry Decoder</a> I know this was mentioned in last week's Case Leads, but I wanted to mention it again. This is an excellent tool and will have updates and new features in the very near future.</li>

<li>Windows 8 Developer Preview Download The pre-beta release of the next version of Windows. Time to start testing!</li>
</ul>

<strong>Good Reads:</strong><ul>
<li>Recovering and Analyzing Deleted Registry Files Very cool article by Andrew Case on the DFS blog detailing the recovery of registry files-well worth reading

<li>Shadow Timelines And Other Volume Shadow Copy Digital Forensics Techniques with the Sleuthkit on Windows An excellent article by our own Rob Lee

The next three are all from Harlan Carvey's Windows IR blog. I really enjoy reading "how to's" on forensic blogs and these don't disappoint.
<li>How to: Creating Mini Timelines For those times when a Super Timeline is more than you really need</li>
<li>How to: File Extension Analysis Determining which application a file "belongs" to </li>
<li>How to: Mount and Access VSC's Working with Volume Shadow Copies</li></ul><strong>News:</strong>
<ul>
<li>Paraben Device Seizure 4.5 released</li>
<li>NYU-Poly CSAW High School Forensics Competition</li>
</ul><strong>Levity:</strong>
<ul>
<li>Dilbert Bad connection?</li>
</ul><strong>Coming Events:</strong>

Digital Forensics Case Leads is a (mostly) weekly publication of the week's news and events relating to digital forensics. If you have an item you'd like to share, please send it to caseleads@sans.org.

<em>Digital Forensics Case Leads for 17, September 2011 was compiled by Ken Pryor, GCFA. Ken is a police officer and does computer forensic investigations for his and several other police departments in his area. He is also an adjunct instructor for Lincoln Trail College in Robinson, IL, teaching computer forensic and related courses.</em>