Cyber Forensics Techniques


Summary

Cyber-forensics techniques refer to scientific approaches and specialized methods used to uncover, analyze, and interpret digital evidence in investigations involving computers, networks, or digital devices. These techniques help experts trace activity, recover deleted data, and validate findings to support cybersecurity, criminal, and legal cases.

  • Use forensic artifacts: Tap into hidden system records like the USN Change Journal to reconstruct file histories and expose actions that attackers may try to erase.
  • Boot disk images: Create virtual machines from forensic images to access encrypted evidence, observe malware behavior, and interactively explore user sessions.
  • Analyze image data: Employ image forensics tools to detect edits, verify authenticity, and extract detailed metadata for deeper intelligence gathering.
Summarized by AI based on LinkedIn member posts
  • Steven T.

    Chartered Cyber Security Professional | Top 100 IT Leader for 2025 | Head of Cyber Alert Response & Threat Intelligence at Fortune 100 | GIAC x 5

    22,334 followers

    🔎 The USN Journal: The Windows Time Capsule Attackers Can’t Wipe (but can delete; however, it will automatically create a new one - thanks Tom Le - run “fsutil usn deletejournal” to delete)

    In digital forensics, we often lean on the Master File Table, event logs, or browser histories. But there’s an obscure #NTFS artifact that quietly records what most attackers overlook: the USN Change Journal ($UsnJrnl). It captures a timeline of what happened: file creations, deletions, renames, even when other logs are missing. And in recent investigations, it’s been decisive:

    💻 2025: Ransomware Disappears, but the USN Journal Doesn’t
    A stealthy ransomware attack left almost no artifacts: the binary was gone, no disk image, nothing to carve, only an AV quarantine record. The USN Journal revealed the missing piece:
    • AV logs showed Ransomware.exe_ being quarantined.
    • The USN Journal proved it was renamed from Ransomware.exe.
    Armed with that, investigators recovered the real payload from quarantine using defender-dump.

    🗂️ 2025: Reconstructing Deleted Files with UsnJrnl Rewind
    CyberCX analysts used UsnJrnl Rewind to correlate $UsnJrnl records with $MFT, rebuilding full paths of deleted files, even after #MFT entries were overwritten. That visibility changed the trajectory of the investigation.

    🕵️ Other Classic Use Cases (Still Vital Today)
    • Detecting #timestomping: mismatches between MFT timestamps and USN Journal updates.
    • Proving deleted files existed, even if contents are gone.
    • Extending execution history by analyzing prefetch changes logged in $UsnJrnl.

    ⚔ Why It Matters
    The USN Journal is a #forensic time machine. It persists beyond deletion, exposes anti-forensic tricks, and preserves history attackers can’t erase.

    #DigitalForensics #IncidentResponse #CyberSecurity #DFIR #ForensicArtifacts #ThreatHunting #Ransomware #usnjrnl

    📚 References
    • itm8 – Case study: #ransomware executable traced via USN Journal https://lnkd.in/egWwp2u4
    • CyberCX – UsnJrnl Rewind for deleted file path reconstruction https://lnkd.in/ebF2AnAP
    • HABOOB – Advanced USN Journal forensic techniques https://lnkd.in/e85mWJNZ
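The three uses the post describes (a rename chain such as Ransomware.exe to Ransomware.exe_, full paths of deleted files, and timestomping exposed by a journaled write that is newer than the $MFT timestamp) all come out of the same record structure. The following Python is an added example, not code from the post or from any of the tools it cites: it parses USN_RECORD_V2 entries as laid out in the Windows SDK and runs the three checks over a journal that is constructed inline. On a real case the records would come from the $J stream of \$Extend\$UsnJrnl on the image, and the directory table below stands in for the $MFT lookup that UsnJrnl Rewind performs; the file reference numbers and timestamps are invented.

```python
"""Parse NTFS USN_RECORD_V2 entries and run three DFIR checks over them.
Added example; the journal bytes below are constructed, not a real $UsnJrnl."""
import struct
from datetime import datetime, timedelta, timezone

# Fixed part of USN_RECORD_V2 (little-endian, 60 bytes before the file name):
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength (bytes), FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")

REASON = {                          # USN_REASON_* bits from winioctl.h
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, 100 ns units

def filetime_to_dt(ft):
    return _EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10

def parse_usn_records(buf):
    """Decode consecutive records; a zero RecordLength marks journal padding."""
    out, off = [], 0
    while off + _HDR.size <= len(buf):
        (rec_len, major, minor, frn, parent, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
        if rec_len == 0:
            break
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}.{minor} at {off}")
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        out.append({"usn": usn, "frn": frn, "parent": parent, "name": name,
                    "time": filetime_to_dt(ts),
                    "reasons": {n for bit, n in REASON.items() if reason & bit}})
        off += rec_len
    return out

def rename_chains(records):
    """FRN -> ordered list of names the file carried (create + rename events)."""
    chains = {}
    for r in sorted(records, key=lambda r: r["usn"]):
        if r["reasons"] & {"FILE_CREATE", "RENAME_OLD_NAME", "RENAME_NEW_NAME"}:
            names = chains.setdefault(r["frn"], [])
            if not names or names[-1] != r["name"]:
                names.append(r["name"])
    return chains

def deleted_paths(records, dir_table):
    """Full paths of deleted files. dir_table maps a directory FRN to
    (name, parent FRN) and stands in for the $MFT lookup."""
    def path_of(frn):
        parts = []
        while frn in dir_table:
            name, frn = dir_table[frn]
            parts.append(name)
        return "\\".join(reversed(parts))
    return [path_of(r["parent"]) + "\\" + r["name"]
            for r in records if "FILE_DELETE" in r["reasons"]]

def timestomp_suspects(records, mft_mtime):
    """mft_mtime: FRN -> $STANDARD_INFORMATION modified time read from $MFT.
    A journaled content write that is newer than the time $MFT claims the file
    was last modified means the timestamp was rolled back."""
    return [(r["name"], mft_mtime[r["frn"]], r["time"]) for r in records
            if r["reasons"] & {"DATA_OVERWRITE", "DATA_EXTEND"}
            and r["frn"] in mft_mtime and mft_mtime[r["frn"]] < r["time"]]

def build_record(frn, parent, usn, when, reason, name):
    """Serialise one USN_RECORD_V2; used only to construct the sample journal."""
    wname = name.encode("utf-16-le")
    body = _HDR.size + len(wname)
    rec_len = (body + 7) & ~7                      # records are 8-byte aligned
    hdr = _HDR.pack(rec_len, 2, 0, frn, parent, usn, dt_to_filetime(when),
                    reason, 0, 0, 0x20, len(wname), _HDR.size)
    return hdr + wname + b"\0" * (rec_len - body)

# Constructed sample: plain FRNs (real ones carry a sequence number in the top 16 bits).
T0 = datetime(2025, 3, 14, 9, 0, tzinfo=timezone.utc)
SAMPLE_JOURNAL = b"".join([
    build_record(200, 102, 1000, T0, 0x100, "Ransomware.exe"),                        # created
    build_record(200, 102, 1001, T0 + timedelta(minutes=1), 0x3, "Ransomware.exe"),   # payload written
    build_record(200, 102, 1002, T0 + timedelta(minutes=5), 0x1000, "Ransomware.exe"),   # AV renames it...
    build_record(200, 102, 1003, T0 + timedelta(minutes=5), 0x2000, "Ransomware.exe_"),  # ...on quarantine
    build_record(201, 102, 1004, T0 + timedelta(minutes=7), 0x80000200, "invoice.docx"), # deleted
])
DIR_TABLE = {5: ("C:", 0), 100: ("Users", 5), 101: ("victim", 100), 102: ("Downloads", 101)}
MFT_MTIME = {200: T0 - timedelta(days=400)}     # $SI says 2024, i.e. before the journaled write

if __name__ == "__main__":
    recs = parse_usn_records(SAMPLE_JOURNAL)
    print("renames:", rename_chains(recs))
    print("deleted:", deleted_paths(recs, DIR_TABLE))
    print("timestomp:", timestomp_suspects(recs, MFT_MTIME))
```

The rename check keys on the file reference number rather than the name, which is what lets it tie the quarantined Ransomware.exe_ back to the original binary; the timestomp check only needs the $MFT modified time and the journal's own record timestamp, which an attacker touching $STANDARD_INFORMATION does not rewrite.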

  • Daniel Kwaku Ntiamoah Addai

    Cyber Incident Response and Forensics | Cyber Fraud Investigations | Security Intelligence | Researcher | Content Writer | Policy Advocate

    6,646 followers

    Sometimes, to find the truth, you have to let the system run - Why Boot a Suspect System? Because Sometimes, Static Analysis Isn’t Enough.

    In digital forensics, we often deal with forensic disk images—raw snapshots of digital devices captured during investigations. We carve files, examine logs, and reconstruct timelines. But occasionally, you hit a wall. What if the evidence is hidden in an encrypted app that only runs in the user’s environment? What if credentials are stored in volatile memory and protected behind a PIN? What if you need to observe how malware behaves when the system runs? That’s when we shift from static analysis to live examination.

    💡 As a researcher, I built a guide for converting E01 forensic disk images into bootable Windows virtual machines. And honestly, this method has become one of the most practical tools in my investigative workflow. Whether in legal cases, insider threat investigations, or corporate security breaches, I’ve used this approach to:
    a. Crack login PINs and access protected user accounts
    b. Simulate and observe real-time malware behavior in sandboxed VMs
    c. Extract evidence hidden in applications that won’t run outside their native environments
    d. Interactively explore session data and user behavior
    e. Validate and reproduce findings before reporting

    ⚙️ The guide walks you through:
    • Converting E01 images to raw .dd format using FTK Imager
    • Turning the .dd into a VirtualBox .vmdk disk with VBoxManage
    • Booting it as a fully functional Windows VM
    • Troubleshooting EFI and boot errors

    🧠 Why it matters: This method transforms how we understand and interact with evidence. It empowers forensic analysts, students, and investigators to go beyond static snapshots—into live, immersive evidence environments. I’ve used this not just as an academic exercise, but in real-world casework at Prudential Associates, where complex investigations demand interactive analysis.

    🔗 I’ve also created a full GitHub README and guide with all steps documented—happy to share it with anyone in the forensics, cybersecurity, or legal communities. Sometimes, to find the truth, you have to let the system run.

    #DigitalForensics #DFIR #CyberForensics #MalwareAnalysis #ForensicVirtualization #E01 #GraduateResearch #UniversityOfBaltimore #PrudentialAssociates #LiveForensics #Cybersecurity #VirtualMachines #IncidentResponse
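The most common "EFI and boot error" when a converted image refuses to start is a firmware mismatch: a GPT disk with an EFI System Partition needs the VM created with EFI firmware, while a legacy MBR disk needs BIOS. The script below is an added example and not the author's guide or GitHub README: it reads the first sectors of the raw .dd (the output of the FTK Imager step), decides the firmware from the partition scheme, and prints or runs the VBoxManage commands for the .vmdk conversion and VM build. The VBoxManage subcommands and options are VirtualBox's own; the image path, VM name and the two constructed disk headers used to exercise the detector are placeholders.

```python
"""Plan the raw-image -> VirtualBox boot, picking VM firmware from the disk layout.
Added example; the sample disk headers are constructed inline."""
import struct
import subprocess
import sys
import uuid

SECTOR = 512
ESP_GUID = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")   # EFI System Partition type GUID

def detect_firmware(img):
    """Return 'efi' for a GPT disk with an EFI System Partition, 'bios' for a
    legacy MBR disk.  img: at least the first 34 sectors of the raw image."""
    if len(img) < SECTOR or img[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature: not a raw whole-disk image")
    # Four 16-byte MBR partition entries start at 446; the type byte is at +4.
    types = {img[446 + 16 * i + 4] for i in range(4)}
    if 0xEE not in types:                          # no protective MBR -> legacy disk
        return "bios"
    hdr = img[SECTOR:2 * SECTOR]                   # GPT header lives at LBA 1
    if hdr[:8] != b"EFI PART":
        raise ValueError("protective MBR present but GPT header missing")
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    base = entries_lba * SECTOR
    for i in range(n_entries):
        ent = img[base + i * entry_size: base + (i + 1) * entry_size]
        if len(ent) < 16:
            break                                  # image head was truncated
        if uuid.UUID(bytes_le=ent[:16]) == ESP_GUID:   # GPT GUIDs are mixed-endian
            return "efi"
    raise ValueError("GPT disk without an EFI System Partition: not a bootable Windows system disk")

def plan_commands(raw_image, vm_name, firmware, vmdk="evidence.vmdk"):
    """VBoxManage invocations that boot a copy of the image in an isolated VM."""
    return [
        # convertfromraw writes a new VMDK and leaves the forensic .dd untouched
        ["VBoxManage", "convertfromraw", raw_image, vmdk, "--format", "VMDK"],
        ["VBoxManage", "createvm", "--name", vm_name, "--ostype", "Windows10_64", "--register"],
        ["VBoxManage", "modifyvm", vm_name, "--firmware", firmware, "--memory", "4096",
         "--nic1", "none"],                        # no NIC: the evidence VM stays off the network
        ["VBoxManage", "storagectl", vm_name, "--name", "SATA", "--add", "sata",
         "--controller", "IntelAhci"],
        ["VBoxManage", "storageattach", vm_name, "--storagectl", "SATA", "--port", "0",
         "--device", "0", "--type", "hdd", "--medium", vmdk],
    ]

def _mbr(part_type):
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = part_type
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def make_gpt_image():
    """Constructed: protective MBR, GPT header at LBA 1, one ESP entry at LBA 2."""
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QII", hdr, 72, 2, 1, 128)  # entries at LBA 2, 1 entry of 128 bytes
    ent = bytearray(128)
    ent[:16] = ESP_GUID.bytes_le
    return _mbr(0xEE) + bytes(hdr) + bytes(ent)

def make_mbr_image():
    """Constructed: single NTFS (0x07) partition, legacy boot."""
    return _mbr(0x07)

def main(argv):
    if len(argv) < 3:
        print("usage: plan_boot.py <image.dd> <vm-name> [--run]")
        return 1
    with open(argv[1], "rb") as f:
        head = f.read(34 * SECTOR)                 # MBR + GPT header + 32 sectors of entries
    firmware = detect_firmware(head)
    for cmd in plan_commands(argv[1], argv[2], firmware):
        print(" ".join(cmd))
        if "--run" in argv:
            subprocess.run(cmd, check=True)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the .dd first without `--run` to review the plan; hash the raw image before and after the session so the report can show the source was not modified, and keep the VM's NIC disabled so anything that wakes up inside the booted system cannot reach out. On Linux, libewf's ewfexport can produce the raw image in place of FTK Imager.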

  • Anastasios Vasileiadis

    Cybersecurity Evangelist | Penetration Tester | Red Teamer | Bug Hunter | Grey Hat Hacker | Mobile Hacker | 200K+ Facebook Followers

    27,566 followers

    🧠 Autopsy: Digital Forensics Tool for Windows & Linux Systems 🖥️🐧

    Autopsy is a powerful open-source digital forensics platform used by investigators, SOC teams, and cybersecurity students to analyze digital evidence from Windows and Linux environments 🔍💾

    🛠️ What is Autopsy?
    Autopsy is a GUI-based front-end to The Sleuth Kit (TSK) and supports advanced forensic investigations:
    🗂️ File recovery
    🔎 Timeline analysis
    🧠 Keyword & regex search
    📱 Mobile data parsing (via modules)
    📜 Email, registry, and web history review

    🪟 Autopsy on Windows
    ✅ Native Windows GUI
    ✅ Easy to use for DFIR teams & law enforcement
    ✅ Supports E01 images, logical drives, and memory dumps
    ✅ Great for triage of USBs, external HDDs, and Windows partitions

    🐧 Autopsy on Linux
    🔧 Typically run via TSK and command-line tools
    📁 Supports EXT4, Btrfs, XFS, and raw disk images
    ⚙️ Advanced use in forensic boot environments (e.g., CAINE, Kali)
    💡 Many Linux forensic pros prefer using Sleuth Kit commands (like fls, icat, mmls) directly, with Autopsy as a graphical companion.

    🧩 Key Modules:
    – Hash database matching (NSRL, MD5/SHA1)
    – YARA integration for malware indicators
    – EXIF metadata parser for image forensics
    – Ingest modules for automation

    ⚠️ Disclaimer: This content is for educational and legal digital forensics training only. Always ensure explicit authorization before analyzing or collecting system data.

    #Autopsy #DigitalForensics #DFIR #WindowsForensics #LinuxForensics #SleuthKit #IncidentResponse #CyberSecurity #EducationOnly #ForensicsTools #InfoSec

  • Aidan Raney

    CEO/Founder of Farnsworth Intelligence | CPO/Co-Founder @ Alerts Bar | OSINT Expert, Content Creator, and Consultant | Vice Chair @ Wisconsin Governor’s Juvenile Justice Commission

    13,975 followers

    #OSINT Tip - Image Forensics Tools

    Image forensics has evolved from basic EXIF data usage to advanced methodologies that can be used to detect whether a photo has been edited or modified. Today you can utilize techniques like Error Level Analysis, ML-powered deblurring, and deep learning anomaly detection to extract far more intelligence value from images than you ever could before. Of course, we have been compiling a list of image forensic tools/resources and their capabilities at Farnsworth Intelligence as part of our knowledge base. Today I am releasing a part of that list for free:

    https://exifmeta.com/ [https://exifmeta[.]com/]
    EXIFMeta - Free Online EXIF & Metadata Viewer. Get device information (model, manufacturer, etc.), GPS (latitude, longitude, altitude, etc.), capture information (flash settings, aperture, shutter speed, lens type, focal range, etc.), name and copyrights, and more from an image.

    https://lnkd.in/gpRip-9w [https://29a[.]ch/photo-forensics/#forensic-magnifier]
    Forensically Beta - Tool for forensic analysis of images. Has modules for: Magnification, Clone Detection, Error Level Analysis, Noise Analysis, Level Sweep, Luminance Gradient, Principal Component Analysis, Meta Data, Geo Tags, Thumbnail Analysis, JPEG Analysis, and String Extraction. Has a detailed help page with explanations, tutorials, and more.

    https://fotoforensics.com/ [https://fotoforensics[.]com/]
    FotoForensics - Tool for forensic analysis of images. Has modules for: Digest, Error Level Analysis, Hidden Pixels, ICC+ (Color Profile Emulation), JPEG % Estimator, Meta Data, Strings, and Source.

    https://lnkd.in/gvgCUzfh [https://github[.]com/Vincentqyw/image-matching-webui]
    Image Matching WebUI (IMCUI) - Efficiently matches image pairs by extracting points in the images using multiple image-matching algorithms. The tool features a Graphical User Interface (GUI) designed using gradio.

    https://lnkd.in/gcXTftHF [https://mever[.]iti[.]gr/forensics/]
    Image Verification Assistant - Tool for forensic analysis of images. Includes modules for: OMGFuser algorithm, MM-Fusion algorithm, TruFor algorithm, OW-Fusion algorithm, Double JPEG quantization inconsistencies (DQ), JPEG Ghosts (GHOST), JPEG blocking artifact inconsistencies (BLOCK), Error Level Analysis (ELA), Median filtering noise residue (MEDIAN), High-frequency noise (WAVELET), CAGI-Inversed, Splicebuster, CMFD, CAGI, DCT, Mantranet, Noiseprint, and Metadata Analysis. Includes detailed example cases, explanations of methods, and links to academic studies/papers.

    Our knowledge base has reached a point where the content of most of our tool categories far exceeds the length that LinkedIn will allow me to post. This category alone has an additional 15+ tools/resources I didn't include. The full list from this post and all posts moving forward will be included in my new newsletter, OSINT Insider: https://osintinsider.com/
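The "basic EXIF data usage" the post starts from, and the device and GPS fields a viewer like EXIFMeta shows, all come out of one structure: a TIFF directory embedded in the JPEG's APP1 segment. The following Python is an added example, written for this page and not code from any of the tools listed; it walks the JPEG markers, decodes IFD0 and the GPS sub-IFD with nothing beyond the standard library, and converts the degrees/minutes/seconds rationals to decimal coordinates. The JPEG it runs on is constructed inline (Exif only, no picture data), and the camera make, model and coordinates in it are invented.

```python
"""Minimal Exif reader: device and GPS metadata from a JPEG's APP1 segment.
Added example; the sample JPEG is constructed, with invented values."""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}

def find_exif(jpeg):
    """Walk the JPEG marker segments; return the TIFF blob inside APP1/Exif, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI / SOS: no more metadata segments
            break
        seg_len = struct.unpack_from(">H", jpeg, pos + 2)[0]   # length includes its own 2 bytes
        body = jpeg[pos + 4: pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            return body[6:]
        pos += 2 + seg_len
    return None

def _values(tiff, endian, typ, count, entry):
    """Decode one IFD entry's payload: inline if it fits in 4 bytes, else at an offset."""
    size = TYPE_SIZE[typ] * count
    off = entry + 8 if size <= 4 else struct.unpack_from(endian + "I", tiff, entry + 8)[0]
    raw = tiff[off: off + size]
    if typ == 2:
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    if typ == 5:                                   # RATIONAL: numerator/denominator pairs
        n = struct.unpack(endian + "II" * count, raw)
        return [n[i] / n[i + 1] if n[i + 1] else float("nan") for i in range(0, 2 * count, 2)]
    if typ in (3, 4):
        v = struct.unpack(endian + {3: "H", 4: "I"}[typ] * count, raw)
        return v[0] if count == 1 else list(v)
    return raw                                     # BYTE / UNDEFINED: keep as bytes

def parse_ifd(tiff, endian, ifd_off, names):
    count = struct.unpack_from(endian + "H", tiff, ifd_off)[0]
    out = {}
    for i in range(count):
        entry = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, entry)
        if typ in TYPE_SIZE:
            out[names.get(tag, f"tag_{tag:04X}")] = _values(tiff, endian, typ, n, entry)
    return out

def to_decimal(dms, ref):
    d, m, s = dms
    deg = d + m / 60 + s / 3600
    return -deg if ref in ("S", "W") else deg

def parse_exif(jpeg):
    """Return the Make/Model/DateTime the file carries plus 'gps': (lat, lon) if tagged."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return {}
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd0 = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header inside Exif")
    info = parse_ifd(tiff, endian, ifd0, IFD0_TAGS)
    gps_off = info.pop("GPSInfo", None)
    if gps_off is not None:
        g = parse_ifd(tiff, endian, gps_off, GPS_TAGS)
        if "GPSLatitude" in g and "GPSLongitude" in g:
            info["gps"] = (to_decimal(g["GPSLatitude"], g.get("GPSLatitudeRef", "N")),
                           to_decimal(g["GPSLongitude"], g.get("GPSLongitudeRef", "E")))
    return info

def build_sample_jpeg():
    """Constructed JPEG: SOI, one APP1/Exif (little-endian TIFF, IFD0 + GPS IFD), EOI."""
    ifd0_off, n0, n1 = 8, 4, 4
    gps_off = ifd0_off + 2 + 12 * n0 + 4
    data_off = gps_off + 2 + 12 * n1 + 4           # out-of-line values go after both IFDs
    data = bytearray()
    def entry(tag, typ, count, payload):
        if len(payload) <= 4:
            val = payload.ljust(4, b"\0")          # stored inline
        else:
            val = struct.pack("<I", data_off + len(data))
            data.extend(payload + (b"\0" if len(payload) % 2 else b""))   # keep word alignment
        return struct.pack("<HHI", tag, typ, count) + val
    rat = lambda *p: struct.pack("<" + "II" * (len(p) // 2), *p)
    ifd0 = [entry(0x010F, 2, 5, b"Acme\0"), entry(0x0110, 2, 9, b"Phone X1\0"),
            entry(0x0132, 2, 20, b"2025:03:14 09:00:00\0"),
            entry(0x8825, 4, 1, struct.pack("<I", gps_off))]
    gps = [entry(0x0001, 2, 2, b"N\0"), entry(0x0002, 5, 3, rat(48, 1, 51, 1, 2400, 100)),
           entry(0x0003, 2, 2, b"E\0"), entry(0x0004, 5, 3, rat(2, 1, 21, 1, 300, 100))]
    tiff = (b"II" + struct.pack("<HI", 42, ifd0_off)
            + struct.pack("<H", n0) + b"".join(ifd0) + struct.pack("<I", 0)
            + struct.pack("<H", n1) + b"".join(gps) + struct.pack("<I", 0) + bytes(data))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

if __name__ == "__main__":
    print(parse_exif(build_sample_jpeg()))
```

Exif is written by whatever produced the file and can be edited or stripped with the same ease, which is why none of the tools above treat metadata as proof on its own: it is a lead to corroborate against the pixel-level methods the post goes on to list (Error Level Analysis, noise and JPEG-quantization inconsistencies).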
