Insights

BitLocker for DFIR – Part II

In “BitLocker for DFIR – Part I” we provided a quick summary of BitLocker, details regarding the various “states” of BitLocker volumes that we see most often in our casework, and some thoughts on things that are particularly relevant to digital forensics and incident response practitioners. We will now discuss launching virtual machines from BitLockered disk images.

BitLocker for DFIR – Part I

BitLocker is a Full Volume Encryption (FVE) technology introduced by Microsoft in the Ultimate and Enterprise versions of Windows Vista. BitLocker has come a very long way since Vista, becoming quite flexible (some of our colleagues might prefer the word complicated) and secure if used properly.

The Office Document Cache and Introducing ODC Recon – Part I

Microsoft’s “Office Document Cache” (hereafter, ODC) is complex, infuriating, and misunderstood. For years there have been digital forensics practitioners who knew how valuable information within ODCs was (especially within FSD files), but they were essentially left with scraps after throwing existing tools and techniques against them.

Digging Deeper into Gmail URLs & Introducing Gmail URL Decoder

Throughout this Insights post, we will discuss significant differences between URLs related to the legacy and new Gmail interfaces (hereafter, the legacy and new Gmail URLs) as well as the process of decoding information from the now “obfuscated” URLs. By doing so, we will be able to effectively extract important information from both the legacy and new Gmail URLs.

New Versions of HiveRecon and HbinRecon Launched

HiveRecon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. HiveRecon also extracts volatile hives and can incorporate swap files from the same hibernation session to extract even healthier Registry hives than if using a hibernation file alone.

Sponsoring Arsenal Image Mounter

Colleagues in digital forensics, please ask yourselves – do you find Arsenal Image Mounter (“AIM”) useful? Could your consulting, training, or software/hardware organization use great karma and a boost in public relations?
