Category Archives: Investigations

Investigating USB Drives using Mount Points Not Drive Letters

Yes, another excellent question came up by one of my students: If a user mounts the volume to a mount point, what artifacts could we find for the USB? Starting I think from Windows 8.1 or 10, a user could … Continue reading

Posted in DFIR, Forensics, Investigations, Windows | Tagged , , , , , , , , | Leave a comment

No Drive Letter, No USB Evidence? Think Again!

This post is about a question asked: If the user removes the drive letter to hide the presence of a mounted USB drive, could we still locate that drive in the Windows Registry? Short answer is, YES it will still … Continue reading

Posted in DFIR, Forensics, Investigations, Windows | Tagged , , , , , , | Leave a comment

Howto Setup and use the CuckooVM v2

This post should cover the basics of how to import and run a basic analysis using the Cuckoo VM which could be found here. I’m referring to this VM as CuckooVM version 2, since if you’ve been following, you already … Continue reading

Posted in DFIR, Forensics, Investigations, Malware, Virtualization | Tagged , , , , , , | Leave a comment

Investigating Windows Systems (Book Review)

Hello, We have a saying in Arabic “ان تأتي متآخراً، خيراً من أن لا تأتي أبدا” and in English “Better late, than never!”. This is my review to Harlan Carvey‘s last book titled “Investigating Windows Systems” which I should have … Continue reading

Posted in Books, Forensics, Investigations, Windows | Tagged , , , , , , , , , | Leave a comment