HeX-OR Forensics

Digital Forensics & Information Assurance


SANS DFIR Summit 2017: Mac OS X and iOS FSEvents Presentation

Posted on July 1, 2017 by Nicole Ibrahim

Another big thank you going out to the SANS crew for inviting me to speak at the DFIR summit 2017 in Austin. It was a great pleasure and an amazing conference. My presentation slides are available for download here Mac…

Conferences, Mac

Apple FSEvents Forensics

Posted on June 7, 2017 by Nicole Ibrahim

Undocumented, unexplored, and underutilized, that is until now. Apple FSEvents or File System events are an invaluable artifact for every Apple examiner and should be a go-to resource for artifacts relating to file system activity that occurred in the past.…

Mac, Research, Scripting Apple, File System, FSEvents, iOS, Mac Artifacts, OS X, osx, Parsers, Python

SANS DFIR Summit 2014 Presentation Slides: USB Devices and Media Transfer Protocol

Posted on June 11, 2014 by Nicole Ibrahim

https://digital-forensics.sans.org A big thank you to SANS for inviting me to speak at the 2014 DFIR summit in Austin. It was a great experience and I hope to do it again in the future. Another big thank you goes out to…

Conferences

Part 6: USB Device Research – Open File Artifacts (LNK Files)

Posted on January 3, 2014 by Nicole Ibrahim

From the previous tests conducted, it has become apparent that for USB devices attached to a system, the transport protocol used by the device plays a role in the types of artifacts generated. This can also include the content and…

Research, Windows Analysis, Data Exfiltration, MSC, MTP, Research, USB Devices

Part 5: USB Device Research – Directory Traversal Artifacts (Shell bagMRU Entries)

Posted on December 26, 2013 by Nicole Ibrahim

In this post I will cover artifacts related to directory traversal. In the last post I went over the differences between USB transport protocols for when a USB is first attached to a system. In this post I will continue…

Research, Windows Analysis, Data Exfiltration, MSC, MTP, Registry, Research, USB Devices

Part 4: USB Device Research – The Testing Environment & Registry Artifacts for USB Devices at First Insert

Posted on December 21, 2013 by Nicole Ibrahim

In the previous posts I posited my research goals and introduced the three major USB transport protocols: MSC, PTP and MTP; as well as some basic information about each. Then, I discussed some of the basic concepts surrounding how Windows…

Research Analysis, Enumeration, Registry, Research, USB Devices

Part 3: USB Device Research – USB Enumeration in Windows

Posted on October 16, 2013 by Nicole Ibrahim

Have you ever wondered how or why Windows uses different drivers and configurations for what appears to be USB devices of the same type? I certainly have. That question is part of what sparked my interest in researching MSC, PTP…

Research Driver Stacks, Enumeration, Exfiltration, MSC, MTP, PTP, Registry, Research, USB Devices

Google’s Data Collection Abilities

Posted on September 23, 2013 by Nicole Ibrahim

Recently, I was listening to CyberJungle’s latest podcast release and they mentioned something I found quite interesting. They talked about an article posted on ComputerWorld about how Android phones are secretly collecting WiFi passwords and sending it off to Google.…

Ramblings Backup, Google, News, privacy, Wifi

Part 2: USB Device Research – MSC vs. PTP vs. MTP

Posted on September 18, 2013 by Nicole Ibrahim

In the previous post of this series, I talked about the objectives and reasoning for approaching this angle of USB device research. Today I will be going over the three major USB transfer protocols. Emphasis will be placed on the…

Research Enumeration, Exfiltration, MTP, PTP, Research, USB Devices

Part 1: USB Device Research

Posted on September 13, 2013 by Nicole Ibrahim

Hello All, It’s about time to do some real blogging, item of discussion: MTP and PTP enabled USB devices in Windows. I’m planning on making this topic a series of posts as it includes a lot of information, but in…

Research Analysis, Data Exfiltration, MTP, PTP, Research, USB Devices
