Logs location data/log/batterystats/newbatterystatus* - keyword "shutdown" (also contains screen stat, wifi status and other artefacts) data/log/power_off_reset_reason.txt and data/log/power_off_reset_reason_backup.txt - keyword "shutdown" and "reason: no power"
When I need a quick and easy software write blocker to triage some USB devices on Windows 10, I realized the register key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect" does work on Windows 10 machine anymore.
After some researches I developed SoftWriteBlocker, it allows me to quickly enable or disable writing to all USB mass storage devices on my Windows 10 system.
Please note: I can't guarantee it's 100% forensically sound. Buy a proven USB hardware write blocker if you want to be sure.
MAC OSX .DS_Store Artifact
Caveats
Full paths are not included
Timestamp are not included
Data is volatile
Takeaways
Resources
YouTube Video:
What's In .DS Store for You? - macOS Forensics
DSStoreParser:
https://github.com/nicoleibrahim/DSStoreParser
Mac Dumpster Diving – Identifying Deleted File References in the Trash (.DS_Store) Files – Part 1:
Mac Dumpster Diving – Identifying Deleted File References in the Trash (.DS_Store) Files – Part 2:
A GUI tool on Raspberry Pi for creating Images from digital media. Forensic Imager is targeted to be easy to use, portable and forensically sound.
https://github.com/johntcw/Forensic-Imager
QtDesigner is part of QtCreator. To use QtDesigner:
Launch QtCreator, and from the menu bar (outside QtCreator), click on: File>New File or Project
You will be presented with a New File or Project dialog window. In the Files And Classes section, select Qt. In the middle pane, select QtDesigner Form. Then click on the Choose button in the lower right corner.
You will be presented with a QtDesigner Form dialog window. Then you can select Main Window or Dialog with Buttons Bottom, etc. Then click on the Continue button in the lower right corner.
In the Location dialog window, use a name like mainwindow1.ui, and for the path you might want to step aside and create a directory called forms, e.g. $ mkdir /Users/7stud/qt_projects/forms, then enter that as the path.
Enter any other details and click on Done. That will land you in QtCreator with the Design button selected (which I guess means you are in QtDesigner), and you will be able to drag and drop widgets onto your window.
To convert the .ui file to a .py file that you can import into your python program:
$ pyuic5 mainwindow.ui -o mainwindow.py-o => output file (default is stdout)
That command converts the .ui file mainwindow1.ui to a .py file named mainwindow1.py.
To re-open the file: File>Open File or Project. If you select a file with a .ui extension, it will be opened with QtCreator's Design button pre-selected, i.e. you will be inside QtDesigner.
Attach the media to a computer with Windows 95, 98, Me, NT, 2000, or XP and a full version of WinHex installed.
Close any application that may write to the media.
Run WinHex.
Select Tools | Open Disk/Disk Editor from the menu (or press F9).
Select the media to clear. It must be listed as a physical disk. Click OK.
Select Edit | Fill Disk Sectors from the menu.
In case of large media, the program will warn you that changes will be written immediately to the disk. Remember, you are clearing the media, and any data will be lost. In case of small media like floppy disks, WinHex will buffer the changes and flush them only when closing the edit window, after prompting you to do so.
A small window will display the progress and an ETA. You may abort at any time by pressing the ESC key or by closing that window.
When complete, you may close the edit window and exit WinHex, or repeat the steps 6 and 7 for sanitization (more than one clearing procedure).