Surviving Internet Crimes

The FBI’s Internet Crime Complaint Center (IC3)recently published their 2017 Internet Crime Report. The report contains statistics on the state of crimes […]

Metrics That Matter

I’m frequently asked what metrics a security program should be collecting. The answer is complicated. It really depends on multiple factors, including […]


It is always better to be forthcoming and proactive with breach notifications. Having customers hear about a breach from the company in […]


What’s in a name? That which we call a profile By any other name would still let us log in.   I […]

On Espionage

I recently read an article that included the following quote: “During Chinese President Xi Jinping’s recent state visit, the two countries agreed […]


Named Key cells are the data structures within the Registry that hold the Keys and provide the parent/child data necessary to build […]


The contents of Registry files are saved in Hive Bins. The previously mentioned header to the Registry file is a 4k block with […]


Every Registry file starts with a 4,096 byte header block. The first 512 bytes of that header tell us about the Registry file […]

Registry File Specification

After reviewing several other sources, notably from Morgan and Norris, I’ve decided that Joachim Metz’s Windows NT Registry File (REGF) format specification is the […]

Registry Overview

The first step to forensic analysis of the Registry is knowing where to find the files. The short answer is go look […]

Registry Internal Structure

Searching for information about the innards of the Registry returns a whole lot of pages talking about the hives, keys, and values. […]


There are a plethora of keys in the Registry dedicated to telling you where you’ve been. Known as MRU (Most Recently Used) […]

Collection Scripts

For many years now I’ve tried to do all my live collection on systems via command line scripts. The goal when I wrote […]

Useful Windows Commands

These are useful command lines that are all based on built-in Windows programs. They were tested on Windows 7, but most should […]

Utilities by the Thousands

As I was putting together the list of command line tools to make Windows terminal more meaningful, I found myself wanting to […]

Command Line Happiness

There is no contesting that the command line in a Linux/Mac environment kicks Windows’s cmd.exe without even trying hard. There are entire blogs […]


Plist files are found sprinkled throughout OS X and iOS and contain the various configuration settings and other information of use to the OS and applications.

People still use Word macros!?!

I got an interesting email today.     The headers: Received: from ( by ( with Microsoft SMTP Server id […]


I’m not sure how I missed it when it came out in 2009, but Peter Norris has put together an absolutely fantastic […]

RAW Images

Many digital cameras will compress their images into JPEG files, making them much easier to deal with for the average consumer. But, […]

NTFS Fix-Ups

I was asked what this Fix-up thing was that I mentioned in my last post. Fix-ups are used by NTFS to keep […]

$I30 INDX Parsing

I needed to walk a directory index for another script I was working on. I figured, as long as I was there […]

MFT Parsing

So, I was having lunch with my good friend Mike. Great guy. If you get a chance, take Mike to lunch. Anyway, […]


This is an EnCase EnScript I wrote a few years back.  The original design goal was to implement Sysinternals Autoruns.exe inside EnCase […]