The situation arose the other day where I wanted to view the metadata from a group of images as well as see the geographic location of where those images were taken, if they contained GPS information. I looked and found some very good tools that either displayed the metadata of image files, such as NirSoft’s ExifDataView, but didn’t map the location. I also found some good scripts that would take the GPS coordinates contained in the images and map them in Google Maps. Since I didn’t immediately find a tool that both extracted the metadata and mapped the location, I decided to write my own.
Handbook of Digital Forensics and Investigation
Editor: Eoghan Casey
I am currently reading Handbook of Digital Forensics and Investigation edited by Eoghan Casey.
The book is divided into two main sections. Part 1 deals with investigative methodology including forensic analysis, electronic discovery, and intrusion investigation.
While attending Citrix Synergy 2017 last week, the BlueScreenView tool from NirSoft was mentioned as a tool for troubleshooting desktops in a Citrix VDI environment. Although this tool can be helpful for troubleshooting BSODs on both physical and virtual computers, it also struck me as a good tool for incident response and digital forensics.
BlueScreenView is a free tool provided by NirSoft and is used to view the contents of the dump file generated when a BSOD occurs.
I am currently taking the Windows Prefetch class in the Surviving Digital Forensics training series presented by Sumuri.
The class has recently been updated to include the format change of the prefetch files in Windows 10. In addition, this week’s episode of the Surviving Digital Forensics podcast talks about the format change of the prefetch files and also about the NirSoft WinPrefetchView version 1.35 application, which can be utilized to decode and analyze Windows 10 prefetch files.
Hardware write blockers are key pieces of equipment for any forensic examiner when acquiring a forensic clone of any data. This is true for analysis of memory cards and USB devices as well.
CRU Inc. offers another hardware write blocker to assist in the acquisition of data from memory cards and USB devices known as the WiebeTech Media WriteBlocker.
Previous posts outlined some of the benefits of using VMWare Workstation or other virtualization technology to host not only forensic analysis workstations but also other workstations for test and validation. One of the advantages of utilizing VMWare Workstation is the ability for the host workstation to share a folder with guest workstations in read-only mode.
This feature is especially appealing as a way to directly access and analyze the VMDK files of virtual test and validation workstations by a virtual forensic analysis workstation.
To verify that the VMDK file was not modified while utilizing the Read Only option for shared folders in VMWare Workstation I calculated the hash value of the VMDK file via multiple access methods. The results are shown below.
In the previous posts we have looked at the ability to run test and validation workstations as well as forensic examination workstations within VMWare Workstation. The ability to map a drive from within the virtual forensic examination system to directly access the VMDK files of the test workstations was also discussed previously.