Strings on Windows

The Many Shapes and Sizes of Strings on Windows Earlier this week I was toying around with the idea of implementing a lnk file parser in the go language. Yes, I occasionally do things like this for fun. Just to get a feel for things, I grabbed the most easily accessible lnk file I could […]

Announcing the BETA release of DAMM

Announcing the BETA release of DAMM, a FOSS memory analysis platform built on top of Volatility Memory analysis is the new(-ish) big thing in the incident response, malware analysis, digital forensics space for the moment, and so all the cool kids seem to be doing it. While memory analysis is an incredibly powerful technique, we […]

What We Have Been Up To: March, April, and May in Review

So much has happened and it’s time to let you know what we have been up to these last couple months. Our own Vico Marziale was recently a guest on Forensics Lunch with David Cowan not once, but three times! Forensics Lunch is a weekly webcast featuring digital forensics practitioners and researchers who discuss current […]

Forensics Tools – find_times.py

Recently, we had the pleasure to join David Cowen on several episodes of his weekly show Forensic Lunch.  In this particular episode on Youtube, we discussed some of our recent research on discovering previously unknown Windows registry values with embedded timestamp information.  As promised, we are releasing our script to the community at large so […]

Registry Analysis for Digital Forensics and Incident Response Master Class: NOW LIVE

Digital forensics experts Vico Marziale, Joe T. Sylve , Jerry Stormo of 504ensics, and Andrew Case are instructors in Hacker Academy’s  Registry Analysis for Digital Forensics and Incident Response Master Class. The Registry Analysis Master Class is a self paced course that teaches investigators how to use and understand registry forensics during their own investigations, […]

504ENSICS Releases Digital Forensics Tool: SPOTLIGHT INSPECTOR

504ENSICS Labs just released Spotlight Inspector, a free application for computer forensic investigation of Mac OSX computers. Until now, there has never been an effective cross-platform forensics tool for accessing Spotlight internal data from Mac OSX systems – which is where all of the information about files indexed on a computer can be accessed by […]

A Framework for Differential Analysis of Malware in RAM

Current analysis methods for images of RAM are limited in that they are designed to analyze a single memory image at a time. When attempting to analyze malware, it is a common technique to spin up a clean VM, infect it with that malware and then acquire a snapshot of RAM. This infected snapshot is […]

Forensic Analysis of the OS X Spotlight Search Index

Although not yet nearly as widespread as the Windows platform, Mac OS X-based machines are quickly gaining market share, and are now commonly seen in real-world investigations. While some research exists for analysis on this platform, almost none exists for deep parsing of the Spotlight index, which is used by the Mac OS X Spotlight […]

Application-Level Memory Forensics for Dalvik

Dalvik is the process Virtual Machine used by Android that powers all non-native applications used on Android devices. Through Dalvik memory analysis, a wealth of insight can be gained into the workings of a running application, including all instantiated objects (classes) and the variables, methods, and other per-instance class information. Analysis of structures at this […]