Windows InstallTime vs InstallDate Registry Values
This is just a quick post about two Registry Values InstallTime and InstallDate which are found under the following key: SOFTWARE\Microsoft\Windows NT\CurrentVersion The confusion happens when ...
Before diving into this post, I wanted to say that I have been teaching digital forensics for a long time by now, and in my Operating System Forensics class, I use Eric Zimmerman’s tools a lot, an...
While doing more experiments of running EXEs and Malicious EXEs from ADS and Stealthy ADS to continue my previous work “Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS”, and in order to...
One of my current students asked if using Stealth Alternate Data Streams (ADS) could bypass AVs. Therefore, I wanted to prove that for the student by doing a simple experiment. What was done is th...
During this semester, which technically ends on Sunday 11:59 pm (5/5/2019), I taught this course at the college for a nice group of students. The course has nothing secret and no zero days were fou...
It sure has been a long time since I last wrote anything here, so I remembered there was a blog that is either dead or is about to die :) Anyway, just wanted to say “hi” to everyone out there and ...
Hola, I know it seems that the zone has been abandoned for a year, and that is why I didn’t want the year to end without posting anything. Anyway, this presentation has been covered in Feb-2016, a...
The Case: A company’s web server has been breached through their website. Our team arrived just in time to take a forensic image of the running system and its memory for further analysis. The file...
Hello, This is my first forensic analysis post in English; as I’m sure you noticed by now that all of it is in Arabic; so excuse me for my bad English :) The whole idea came out when @azeemnow as...
Today is my last official working day at the university, and starting next month (tomorrow) I will be moving to another university. With this short post, I wanted to thank all the colleagues I have worked with, whether in the same department or ...