ImageMapper: A PowerShell Metadata and Geo Mapping Tool for Images

The situation arose the other day where I wanted to view the metadata from a group of images as well as see the geographic location of where those images were taken, if they contained GPS information.  I looked and found some very good tools that either displayed the metadata of image files, such as NirSoft’s ExifDataView, but didn’t map the location. I also found some good scripts that would take the GPS coordinates contained in the images and map them in Google Maps. Since I didn’t immediately find a tool that did both extract the metadata and map the location, I decided to write my own. Continue reading

RFID Cloning with the ChameleonMini and Powershell

ChameleonMini RevG

During Citrix Synergy 2017 Remko Weijnen and Geert Braakhekke presented session SYN712: Analysis of a Hack: How to Defend and Protect with Citrix. Although it could be argued that this session was more about hacking and security than protecting Citrix implementations specifically, the information provided was extremely entertaining and informative.

One demo shown during the presentation that intrigued me the most was cloning RFID cards utilizing the ChameleonMini RevG from Kasper Oswald. Remko showed a demonstration utilizing the ChameleonMini to clone hotel key cards, public transportation passes, and even the Citrix Synergy attendee badge.  I knew I had to give it a try. Continue reading

Microsoft OneNote for Case Notes – Part Three

Part 1 of this series illustrated my search for the best application to keep forensic case notes and research.  Part 2 covered the organization of the notebook and the various section groups, sections, and pages.  In this third and final installment I will discuss how Microsoft OneNote integrates with other applications to both store relevant information and be able to retrieve that information later for generating final reports, emails, etc. Continue reading

Microsoft OneNote for Forensic Case Notes – Part Two

In Part 1 of this series, I discussed my search for a tool to keep my forensic notes and research organized while providing readability and searchability.  I decided on Microsoft OneNote as the ideal solution to fit my needs.  In this post, I will show how I have decided to organize my OneNote notebook and the sections that go into it. Continue reading

Microsoft OneNote for Forensic Case Notes

Good notes, documentation, and reports are all keys to successful work as a forensic
analyst.  In addition, it is also important to be able to quickly locate relevant details in those bodies of work. All three can be accomplished with pen and paper, a word processing application, a digital notes application, an application specifically for case notes, or any combination of the above.

Not being able to read my own handwriting pretty much ruled out pen and paper for me, hence my search for a better tool for my forensic note taking and documentation needs. Continue reading

Currently Reading…

Handbook of Digital Forensics and Investigation

Editor: Eoghan Casey

I am currently reading Handbook of Digital Forensics and Investigation edited by Eoghan Casey.

The book is divided into two main sections. Part 1 deals with investigative methodology including forensic analysis, electronic discovery, and intrusion investigation. Continue reading

NirSoft – BlueScreenView v1.55

While attending Citrix Synergy 2017 last week the BlueScreenView tool from NirSoft was mentioned as a tool for troubleshooting desktops in a Citrix VDI environment.  Although this tool can be helpful for troubleshooting BSOD in both physical and virtual computers it also struck me as a good tool for incident response and digital forensics.

BlueScreenView is a free tool provided by NirSoft and is used to view the contents of the dump file generated when a BSOD occurs. Continue reading

XenServer 6.5 Performance Issues

During a recent migration of virtual servers from a XenServer 6.2 pool to a XenServer 6.5 pool severe performance issues were noticed.  These issues were most apparent on XenDesktop workstation with client applications that connected to back end SQL servers. Continue reading

Windows 10 Prefetch and WinPrefetch View

I am currently taking the Windows Prefetch class in the Surviving Digital Forensics training series presented by Sumuri.

The class has recently been updated to include the format change of the prefetch files in Windows 10. In addition this weeks episode of the Surviving Digital Forensics podcast talks about the format change of the prefetch files but also talks about NirSoft WinPrefetchView version 1.35 application that can be utilized to decode and analyze Windows 10 prefetch files.

Continue reading

WiebeTech Media Write Blocker

Hardware write blockers are key pieces of equipment for any forensic examiner when acquiring a forensic clone of any data.  This is true for analysis of memory cards and USB devices as well.

CRU Inc. offers another hardware write blocker to assist in the acquisition of data from memory cards and USB devices known as the WiebeTech Media WriteBlocker.  Continue reading