The “Last Access” updates are almost back

The purpose of this post is to record the recent findings related to the NTFS “Last Access” updates in Windows 10.

According to ForensicsWiki:

In Windows Vista (presumably as of Windows XP SP3), NTFS no longer tracks the Last Access time of a file by default.

This is no longer the case in the recent versions of Windows 10.

Continue reading “The “Last Access” updates are almost back”

The CIT database and the Syscache hive

The purpose of this post is to record the recent findings related to artifacts of execution and artifacts of executables present in a system. No major details beyond what was posted on Twitter.

David Cowen began his public testing of Amcache artifacts found in Windows 10 operating systems in Forensic Lunch Test Kitchen 11/16/18 (be sure to watch newer videos on this topic).

During these tests, it was found that the Amcache hive may have artifacts for executables that weren’t executed at all. There were other interesting findings outlined in the videos, but I will not focus on them now.

Continue reading “The CIT database and the Syscache hive”

Exploring intermediate states of a registry hive using transaction log files

If you don’t know why transaction log files are important when dealing with registry hives from installations of Windows 8.1 & 10, please read this and this.

In this post, I will talk about an easy way to programmatically explore intermediate states of a registry hive using its transaction log files.

Continue reading “Exploring intermediate states of a registry hive using transaction log files”

Tools that recover deleted registry data don’t do the same job

A registry hive is very similar to a file system. In fact, there isn’t much difference between a file system and a registry hive except that the registry doesn’t follow usual file system naming rules.

Like a file system, a registry hive can contain deleted data, which is often recovered and used in digital forensics, incident response, and similar activities. But tools that recover such deleted data aren’t the same. And here is why.

Continue reading “Tools that recover deleted registry data don’t do the same job”

Effects of running an offline AV scan

An offline antivirus (AV) scanner is used to scan and clean a computer while its usual operating system isn’t running. Such scanners are often launched from a bootable USB drive or from an optical disc. Some scanners include a component to scan and modify the inactive registry of a Windows operating system.

What happens to the registry when a user performs such a scan?

Continue reading “Effects of running an offline AV scan”

Memory compression and forensics

Recent releases of Windows 10 (available since the Insider Preview build 10525) include the memory compression feature, which is capable of reducing the memory usage by compressing some memory pages and storing them in the so-called compression store (these pages are decompressed back to their original form when they are needed).

According to Windows Internals, Part 1 (7th edition), the Xpress algorithm is used to compress memory pages, but no specific details were provided about that algorithm. According to Microsoft, the Xpress algorithm has three variants:

  • LZNT1,
  • plain LZ77,
  • LZ77+Huffman.

Continue reading “Memory compression and forensics”

A live forensic distribution writing to a suspect drive

Previously, I demonstrated that a live forensic distribution can automatically mount file systems on suspect (internal) drives during the boot process. Also, a proof-of-concept scenario was developed to show that this issue can lead to automatic execution of malicious code (i.e., a program located on a suspect drive gets executed by a live forensic distribution during the boot).

Today, let’s talk about other implications of that issue.

Continue reading “A live forensic distribution writing to a suspect drive”

A live forensic distribution executing malicious code from a suspect drive


My name is Maxim Suhanov and this is my first post in this blog. Let’s begin!

Live forensic distributions are extensively used during the triage and acquisition stages of digital media examination. Many practitioners rely on these distributions to perform a forensically sound acquisition of suspect media.

But how do examiners ensure that this acquisition process is forensically sound? Basically, there are four sources to consider when evaluating a tool: claims made by a vendor of a given tool, validation reports from a third-party organization (e.g., NIST), experience shared by other practitioners in the field, and tests conducted by you. The last one is the most important one.

Do you know how to conduct a validation test against a live forensic distribution? Sounds easy… Also, there are some validation guidelines published online. But such tests typically utilize a black-box setup: write known data to a drive – perform an acquisition – compare a copy to original (known) data; and I found that it’s extremely hard to catch many issues with the forensic soundness when performing such black-box tests.

This is why I decided to start a series of blog posts to demonstrate and explain these issues.

Continue reading “A live forensic distribution executing malicious code from a suspect drive”