Ideally, your workstation should be free of previous user and client data when you begin your collections. This is not always possible when you are at a client site and are asked to image multiple devices. If you can, image the devices to an encrypted external drive or an encrypted file/partition. The big caveat to this is when you are using iTunes as your collection method, which saves the backups to its default location. On Windows, […]
A few people have reached out asking how I got into forensics, so before I dive too deeply into tech posts (and following up on yesterday’s iTunes Backup post), I figured I should stop to answer this. As a child of the 80s, I grew up with the best TV shows – my favorites being Thundercats, Laverne & Shirley, MacGyver, and Inspector Gadget. The last two really drew me to puzzles, investigations, and keeping me […]
Quick way to preview iTunes backups of iOS devices.
Recap of the SANS DFIR Summit and FOR585 Training.
It’s no secret that people have pushed for more community sharing in DFIR, assuming one’s company or role allows that sharing. A few years ago, David Cowen entered a daring experiment to write a daily blog. This was based on Lenny Zeltser’s challenge, lovingly termed “The Zeltser Challenge” among the community, in which one writes a blog post every day for a year. Matt Bromiley also embarked on the challenge. The goal of the challenge is […]
“Reunited and it feels so good…” That lyric sums up my overall thoughts on the annual SANS DFIR (Digital Forensics and Incident Response) Summit experience in Austin, TX. Although, so does this song by Dual Core. This conference is easily my favorite of the year. The talks are highly technical, but not to the point of overwhelming with your eyes glazing over. You can find the links to the presentations here. There were a surprising […]