A Roadmap for the Forensics Fundamentals Series

I've got some lofty goals for the collection of articles about forensics and e-discovery. Right now I've got a lot of common tasks covered:

  • Collecting email from Outlook using PST files
  • Collecting email from Gmail
  • Extracting text messages and other data from an iOS device
  • Collecting documents from a person's computer using WinZip

Next we'll turn to some other core concepts that you commonly encounter in the world of forensics and e-discovery like:

  • MD5 Hashes and Checksums
  • Forensic image file formats
  • Understanding File System and Document Metadata

After that, I'm open to suggestions. If you've got an idea for something you'd like to have covered, drop me a line.

Happy Birthday, Little Guy

Ten years ago today, I impatiently sat through a CLE program in the basement of some downtown hotel and then dashed down to the Country Club Plaza to get in line. My future bride couldn't make it until later, but the people around me in line were pretty chill about her joining me later on as I spent the last couple hours with my trusty and beloved T-Mobile Sidekick 3. It was a super cool phone and I'd rigged it up so that I could SSH into the Mac at my house and control iTunes from anywhere.

A lot has changed since that original iPhone came out. Somehow though, I'm still waiting on a frictionless way to control music throughout my house from my phone, but I guess we'll have to see what the HomePod brings us.

What's new in Apple File System - WWDC 2017

This fall a new file system is coming to Apple computers. It's already been deployed to iOS with little impact on the digital forensics community, but APFS on the desktop is fairly big news.

If you're someone who uses a Mac to analyze Macs, then getting support is easy. Upgrade your machine to High Sierra. If you use tools on Windows to analyze Macs I'm not sure what you'll be looking at in terms of support.

Malware attack update | DLA Piper Global Law Firm

On 27 June, our advanced-warning system detected suspicious activity in our network, which, based on our investigation to date, appears to be related to a new variant of the "Petya" malware. Our IT team acted quickly to prevent the spread of the suspected malware by taking down our systems as a precautionary measure.


We immediately began our investigation and remediation efforts, working closely with leading forensic experts and relevant authorities, including the FBI and UK National Crime Agency.

Our experts are working to bring our systems back online as quickly and safely as possible and we are aiming for our email system to be up and running today, 29 June.

This is really bananas. A huge part of that firm has been without email for two days right before a holiday weekend. Hopefully they find some sympathetic ears when they have to ask for extensions for filing deadlines, although I'm not sure a small firm whose compromise might not be so public would receive the same. Best of luck to everyone working to respond to this incident.