Posted by Administrator

When I needed a quick and easy software write blocker to triage some USB devices on Windows 10, I realized the registry key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect" does not work on Windows 10 machines anymore.

After some research I developed SoftWriteBlocker. It allows me to quickly enable or disable writing to all USB mass storage devices on my Windows 10 system.

SoftWriteBlocker

Please note: I can't guarantee it's 100% forensically sound. Buy a proven USB hardware write blocker if you want to be sure.

Download SoftWriteBlocker


Posted by Administrator

Mac OS X .DS_Store Artifact

  • 10.4 Tiger extended .DS_Store use to include "Spotlight" comments
  • Similar to Desktop.ini and Shellbags in Windows
  • Shows folders accessed within Finder
  • Stores "Window view settings", "Icon position", "Sorting preferences", "Window sizes and positions", and other metadata
  • Files are created in the enclosing (parent) folder when viewed in "Icon", "List", or "Gallery" view, but NOT in "Column" view
  • Applies to Local, External and Network locations

Caveats

Full paths are not included

  • "Trash put back locations" are a noted exception (put back location path included)

Timestamps are not included

  • Parsing tools can derive some time-related information from the "File system timestamps" of the .DS_Store files themselves

Data is volatile

  • When a file is deleted/removed, its associated records are removed
  • When a file is renamed, its associated records are renamed

Takeaways

  • Determine original name and path for files and folders in Trash
  • Show user interaction of files and folders via Finder
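Recovering the original name and path of trashed items from the put-back records, as an added example (not code from this post or from DSStoreParser). It carves records by signature instead of walking the file's B-tree, and it assumes the publicly documented record layout (length-prefixed UTF-16BE file name, 4-byte code, 4-byte type) and the codes ptbL (put-back location) and ptbN (put-back name); the sample bytes and file names are constructed.

```python
import struct

def _ustr(buf, pos):
    """Read a length-prefixed string: uint32 BE count of UTF-16 units, then text."""
    (n,) = struct.unpack_from(">I", buf, pos)
    raw = buf[pos + 4:pos + 4 + 2 * n]
    if len(raw) != 2 * n:
        raise ValueError("truncated string")
    return raw.decode("utf-16-be")

def carve_putback(buf):
    """Carve ptbL/ptbN records; return {name_in_trash: {"ptbL": dir, "ptbN": name}}."""
    found = {}
    for code in (b"ptbL", b"ptbN"):
        hit = buf.find(code + b"ustr")
        while hit != -1:
            # A record begins with the file name, which precedes the code.
            # Walk back until a length field agrees with its distance to the hit.
            for n in range(1, 256):
                start = hit - 4 - 2 * n
                if start < 0:
                    break
                try:
                    if struct.unpack_from(">I", buf, start)[0] != n:
                        continue
                    name, value = _ustr(buf, start), _ustr(buf, hit + 8)
                except (ValueError, struct.error):
                    continue  # truncated or undecodable: not a usable record
                found.setdefault(name, {})[code.decode()] = value
                break
            hit = buf.find(code + b"ustr", hit + 1)
    return found

def original_paths(buf):
    """Assumes ptbL is volume-relative with a trailing slash, e.g. 'Users/alice/'."""
    return {name: "/" + rec["ptbL"] + rec["ptbN"]
            for name, rec in carve_putback(buf).items()
            if "ptbL" in rec and "ptbN" in rec}

def _rec(name, code, value):  # helper that builds one constructed sample record
    enc = lambda s: struct.pack(">I", len(s)) + s.encode("utf-16-be")
    return enc(name) + code + b"ustr" + enc(value)

# Constructed sample: records as they would sit inside a Trash .DS_Store
SAMPLE = (b"\x00\x00\x00\x01Bud1" + b"\x00" * 24
          + _rec("report 10.42.07.docx", b"ptbL", "Users/alice/Documents/")
          + _rec("report 10.42.07.docx", b"ptbN", "report.docx")
          + _rec("notes.txt", b"ptbL", "Users/alice/Desktop/")
          + _rec("notes.txt", b"ptbN", "notes.txt"))
```

Calling original_paths() on the bytes of a real Trash .DS_Store returns one entry per item that still has both records; a record cut off mid-value is skipped rather than guessed.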

Resources

YouTube Video:

What's In .DS Store for You? - macOS Forensics

DSStoreParser:

https://github.com/nicoleibrahim/DSStoreParser

Mac Dumpster Diving – Identifying Deleted File References in the Trash (.DS_Store) Files – Part 1:

https://ponderthebits.com/2017/01/mac-dumpster-diving-identifying-deleted-file-references-in-the-trash-ds_store-files-part-1/

Mac Dumpster Diving – Identifying Deleted File References in the Trash (.DS_Store) Files – Part 2:

https://ponderthebits.com/2017/02/mac-dumpster-diving-identifying-deleted-file-references-in-the-trash-ds_store-files-part-2/



Posted by Administrator
  1. Attach the media to a computer with Windows 95, 98, Me, NT, 2000, or XP and a full version of WinHex installed.

  2. Close any application that may write to the media.

  3. Run WinHex.

  4. Select Tools | Open Disk/Disk Editor from the menu (or press F9).

  5. Select the media to clear. It must be listed as a physical disk. Click OK.

  6. Select Edit | Fill Disk Sectors from the menu.

  7. Select either “Fill with ... hex values” and specify a byte value in hexadecimal notation (without the preceding “0x”) or “Fill with random bytes” and specify a range of allowed byte values in decimal notation (usually 0 to 255). Click OK.

In case of large media, the program will warn you that changes will be written immediately to the disk. Remember, you are clearing the media, and any data will be lost. In case of small media like floppy disks, WinHex will buffer the changes and flush them only when closing the edit window, after prompting you to do so.

  8. A small window will display the progress and an ETA. You may abort at any time by pressing the ESC key or by closing that window.

  9. When complete, you may close the edit window and exit WinHex, or repeat steps 6 and 7 for sanitization (more than one clearing procedure).