Stay up to date with our RSS Feed. Get it here 

Epyx Blog

Creating a Virtual Machine of a write-blocked drive using Linux Ubuntu 12.10

    Taking the time to look at a computer in a live manner will allow you to discover things that may not be discovered by looking at an image of a dead box.  One way to do this, would be clone the original drive and place it back into the computer.  Another, would be to convert your forensic image into a virtual hard disk and then run it in a Virtual Machine (VM).  But did you know that you can go straight from a write blocked drive to a VM?

Recognizing Unrecognized File Systems using Linux Ubuntu 12.10

    You have just received an image of a dual-boot.  You add the image to your preferred forensic  suite only to discover that the linux partition of the image is not being recognized.  You immediately wonder.. “I know so and so can read extended 4! The other volume is not encrypted! What's going on?”

Mounting and Malware-scanning Split Android Images in Linux Ubuntu 12.10

    I was recently given the opportunity to attend an advanced mobile forensics course taught by Joe Church from Digital Shield.  As part of the rite of passage certification process, Joe handed us an image of an infected Android device and challenged us to find the malware.  

Mounting Shadow Volumes in Linux Ubuntu 12.04

    While examining an image of a Windows 7 computer, I struggled to find specific files that I knew at one point resided on the computer.  After hours of searching through both the allocated and unallocated area, I found the files in question on the shadow volumes. 

Hash Set Analysis using Linux Ubuntu 12.04

    Recently while examining an image of a computer, I came across the need to determine if the image contained a set of specific files.  For me those specific files were a series of pictures.  I was faced with two options, I can either manually go through all of the folders to search for the pictures, or I can search for those specific pictures using some sort of automated way.  I chose the automated way.

Cloning and Verifying Physical Disks in Linux Ubuntu 12.04

    Whether you need to make a forensic copy of an evidence drive for analysis, or restore a drive to look at the computer in a live manner, at one point or another you are probably going to find yourself needing to clone a drive.  Cloning a drive differs from imaging, in which cloning uses a target drive to make an exact duplicate of the original drive.

Extract the MFT With icat and Parse it With analyzeMFT in Linux Ubuntu 12.04

     The master file table (MFT) is a database that contains information about all files on an NTFS file system.  Among other things, the MFT tracks times, size, name, and location of every file including itself.  It stores this information in entries, appropriately named MFT entries.  Each MFT entry gets assigned its own record number.

Use PhotoRec to Carve for Files With Linux Ubuntu 12.04

   While examining the contents of an external hard drive in a recent case, I came across the need to recover videos from the unallocated area of the drive.  Interestingly enough, the videos in question were in the form of ISO images.  When my preferred commercial carving tool didn’t offer an option to carve for ISO’s, PhotoRec did.   

Registry Analysis using FRED in Linux Ubuntu 12.04

   The Windows registry is used by the operating system to store information about its configuration, users, applications and much more.  It is an excellent source of evidence for the forensic examiner.

Recovering IE History Using Pasco in Linux Ubuntu 12.04

     Reconstructing and examining web browsing history is a task that is required during most forensic examinations.  Luckily, popular commercial tools have done a good job of simplifying the reconstruction process for us. While commercial tools simplify the process, the software often comes with a hefty price tag.