In “BitLocker for DFIR – Part I” we provided a quick summary of BitLocker, details regarding the various “states” of BitLocker volumes that we see most often in our casework, and some thoughts on things that are particularly relevant to digital forensics and incident response practitioners. We will now discuss launching virtual machines from BitLockered disk images.
BitLocker is a Full Volume Encryption (FVE) technology introduced by Microsoft in the Ultimate and Enterprise versions of Windows Vista. BitLocker has come a very long way since Vista, becoming quite flexible (some of our colleagues might prefer the word complicated) and secure if used properly.
Microsoft’s “Office Document Cache” (hereafter, ODC) is complex, infuriating, and misunderstood. For years there have been digital forensics practitioners who knew how valuable information within ODCs was (especially within FSD files), but they were essentially left with scraps after throwing existing tools and techniques against them. After many of the proverbial late nights and early mornings, Arsenal has now drastically improved the situation for our colleagues in digital forensics.
Just a month after we published the Insights post “Digging into Gmail URLs”, Google made the use of their new Gmail interface mandatory. The old Gmail interface (let’s call it the “legacy” interface) had been in use for years, so even though it is no longer available online we expect to be dealing with it within our electronic evidence for years to come. The new Gmail interface includes not only considerable visual changes, but changes in URLs which impacted the Gmail URL decoding we discussed in our previous Insights post.
HiveRecon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. HiveRecon also extracts volatile hives and can incorporate swap files from the same hibernation session to extract even healthier Registry hives than if using a hibernation file alone.
Years ago when I was an adjunct professor teaching digital forensics at Bunker Hill Community College in Boston I very much appreciated both the free and discounted licenses provided by commercial software vendors. I am now working on having Arsenal formalize and publicize our practice of providing free software (beyond the “Free Mode” functionality offered in some of our tools) each semester to digital forensics programs at colleges and universities.