Timestamp Anomalies - $MFT
Going through my SANS 508 material I decided to have a closer look at some of the material on the Master File Table ($MFT) in the NTFS file system and how the analysis
Extracting and decrypting the config block from NanoCore malware
As promised in my previous blog post I would be moving on to create a Super Timeline and my reasons for carrying this out after the filesystem timeline is purely down to the
As I mentioned previously I am currently studying for my GCFA (GIAC Certified Forensic Analyst) exam and as part of my revision I am completing the exercises in the workbook. One area I
Just a very brief blog post regarding the power of grep and icat in relation to forensic images. I am currently revising for my GCFA certification and as part of this revision was
In Part 1 of this blog I mentioned the metadata regarding one of the separate files contained within the deleted cache. I stated that I would further explain what is contained within that