SANS Digital Forensics and Incident Response Blog: Author - Hal Pomeranz

Resident $DATA Residue in NTFS MFT Entries

Hal Pomeranz, Deer Run Associates

I came across a small but interesting artifact in the course of a recent investigation. Quick Google searching failed to find any documentation elsewhere, so here's a brief summary of my findings. The bottom line is that residue of old resident $DATA entries may exist in NTFS MFT records after …


April 19th: Community Night at SANS NoVA!

Mike Wilkinson's DFIROnline Meetups continue to provide huge value to the community. The next one happens to fall on April 19th, during the SANS Northern Virginia event. We thought it would be fun to provide a space for people to gather and mingle while watching the presentations. If you happen to be in the area, …


Understanding EXT4 (Part 5): Large Extents

Hal Pomeranz, Deer Run Associates

I've received a lot of positive feedback from the forensics community about this series of articles, but what's really rewarding is when other forensics researchers teach me something I didn't know. I recently received an email from a colleague in Europe who was looking at the extent trees for a …


How to Mount Dirty EXT4 File Systems

Hal Pomeranz, Deer Run Associates

As some of you may remember, I've previously written about a technique for mounting EXT3 file system images with the read-only option, even when power was abruptly removed from the system (as is typical during forensic seizure) and the file system is still "dirty". In these cases, my technique involves …


Understanding EXT4 (Part 4): Demolition Derby

Hal Pomeranz, Deer Run Associates

In Part 3 of this series we looked at the EXT4 extent tree structure for dealing with very large or very fragmented files: basically any situation where you need more than the four extent structures available in the inode. Go back and read that part now if you haven't already, …