AbdulRhman Alfaifi

Hello 🙂, I am a Senior Digital Forensics & Incident Response Specialist. I blog about DFIR topics and develop tools to support industry professionals

Exploring Windows Artifacts: Notepad Files

On Windows 11, Notepad stores a cache of recently opened files. This cache contains valuable information, such as file paths, file contents, and other useful data. In this article, we will examine the structure of the Notepad cache and provide a custom parser to extract this information for forensic investigations.

Exploring Windows Artifacts : $Security Artifact

TLDR; $SDS is an artifact of NTFS file systems. This artifact contains the security descriptors of all files and folders on the drive, which means it holds information about each file's owner and permissions. I also wrote a Rust 🦀 parser for this artifact that you can download from my GitHub.

Impacket Remote Execution Tools: smbexec.py

Analysing the digital forensics artifacts for the Impacket tool smbexec.py

Exploring Windows Artifacts : LNK Files

I decided to start a new blog post series that will focus on Windows forensic artifacts. In these posts, I will try to go through all Windows artifacts (at least until I get bored 😁), understand their structure, and write a Rust parser for them.

Certutil Artifacts Analysis

certutil is a built-in tool on Windows systems that is used to manage certificates. However, certutil can also be used to download files from the internet. In this blog post we will take a look at the artifacts generated by certutil when downloading a file.

Impacket Remote Execution Tools: atexec.py

Analysing the digital forensics artifacts for the Impacket tool atexec.py