Hello 🙂, I am a Senior Digital Forensics & Incident Response Specialist. I blog about DFIR topics and develop tools to support industry professionals
On Windows 11, Notepad stores a cache of recently opened files. This cache contains valuable information, such as file paths, file contents, and other useful data. In this article, we will examine the structure of the Notepad cache and provide a custom parser to extract this information for forensic investigations.
TLDR; $SDS is an artifact for NTFS file systems. This artifact contain security descriptors to all files and folders on the drive, which means it will contain information of the file owner and permissions of the file. I also wrote a Rust 🦀 parser for this artifact that you can download from my Github.
Analysing the digital forensics artifacts for the Impacket tool smbexec.py
I decided to start a new blog post series that will focus on windows forensic artifacts. In these posts, I will try to go through all windows artifacts (at least until I get bored 😁), understand its structure, and write a rust parser for them.
certutil is a build-in tool on windows systems that is used to manage certificates. However certutil could be used to download files from the internet. In this blog we will take a look at the artifacts generated by certutil when downloading a file
Analysing the digital forensics artifacts for the Impacket tool atexec.py
