History Index files removed from Chrome v30

The new update of Chrome (v30) released yesterday has a number of security fixes, new features, and improvements, but it also unfortunately came with some bad news for forensicators: the History Index files are no more.  These files were SQLite DBs named ‘History Index YYYY-MM’ and had the text content of most websites a user […]

Hindsight User Guide

This is a user guide for Hindsight that covers the basics on how to get the tool installed and running and then interpret the final report.  It also details some Chrome artifacts and explains at a high level what Hindsight extracts from them. A pdf version of this guide is available on the Hindsight Google […]

Announcing Hindsight – A New Free Chrome Forensics Tool

Hindsight is a free tool for extracting, interpreting, and reporting on Google Chrome artifacts. Hindsight can extract useful data from a number of Chrome artifacts, including URLs, archived URLs, the text content of some viewed pages (from Index data), download history, autofill records, normal cookies, and Local Storage records (HTML5 cookies). Once the data is […]

Deleted File Recovery using foremost

For this example a program for Linux called foremost will be used to recover files, both existing and deleted, from a .dd image.  foremost is what is known as a data-carving utility.  It operates by examining data, bit by bit, and extracting sets of data that meet a defined pattern. foremost references its configuration […]

Slack Space

Slack space can exist when a file’s size is not a multiple of the file system’s cluster size.  As a little refresher, a sector is the smallest amount of data that a hard drive can read or write at once; in many cases, this is 512 bytes.  A cluster, which can be made up of […]

Write Blocking Using the Windows Registry

It is possible to use the Windows registry to write protect USB mass storage devices.  An investigator can combine this USB write-blocking trick with a USB-IDE or USB-SATA adapter to protect the vast majority of evidence drives that he or she might encounter.  The write-blocking functionality was added with Windows XP SP2, and has worked […]

Imaging Using dcfldd

In this example, a 128MB USB thumb drive will be imaged on a Linux system using dcfldd onto a 1GB USB thumb drive. dcfldd is an improved version of dd; most of the syntax is identical, with only a few functions added. It is important to locate the name that Linux uses to refer to […]