I did more testing (and actual real-case use) of the Guardonix since the last post. In short, with the latest update to the Guardonix, the speed is faster. Like most people, I like things to be faster! But practically, I know that speed is fine, but accuracy is final.

From last year, my go-to write blocker became the Guardonix. I was sold on the 'data recovery' aspect of the Guardonix, in that I had an original evidence drive in a real case that had bad sectors. I knew that the drive had problems because when it was given to me by the IT point-of-contact, the drive had a yellow sticker note of "bad drive". Visions of sending the drive off to a lab for recovery meant waiting for a week...or two weeks...or however long it would take. But, I was able to image the entire drive with Guardonix

Read more

***UPDATE: Check out https://www.dfir.training/dfir-training-blog/more-testing-with-the-deepspar-guardonix for additional testing results (hint: imaging was way faster)***

Short version:

You want this write blocker (because it is not just a write blocker).

Longer version:

I wrote up my personal opinions of the DeepSpar Guardonix here: https://www.dfir.training/dfir-blog/if-you-don-t-already-have-a-deepspar-guardonix-you-might-want-to-get-one. If you don’t know what the Guardonix is, take a look at the post. Basically, this is the most economical data recovery device that recovers bad sectors and works as a write-blocker along with a few other really neat features. It is not just a write-blocker. It is way more.

So then comes an update…and then another update…

As I mentioned, the Guardonix is not just a write-blocker. It is a hardware device that can work through bad sectors better than any write-blocker on the market short of an all-out-data-recovery-device, especially since write-blockers are not designed to recover data from bad drives. They only block writes.


Read more

There are times when a full forensic suite is best for a specific case and there are times when a *small tool is best. Only you can decide which is best.

Side Note: * small does not mean “lesser”. I say “small” to mean a forensic tool that is singularly focused on one or few analysis tasks rather than being able to do practically everything possible.

Too long; didn’t read

Foxton Forensics’ Browser History Examiner is super easy to use, really fast in processing Internet user-profiles and does what it says it does. There are some cool free tools offered too.

The longer version

I have often written my opinion on the selections and lists of “best” forensic tools.  In my opinion, it is impossible to have a list of the best of anything, whether that be the best vacation destination, best car or truck, or best DFIR software application.

Read more

When I first started examining smartphones (in a galaxy far, far away), there wasn’t much to it. For criminal investigations, it was more of the phone call logs and cell tower dumps that were important since not that much data was on the phones. Most phones at that time practically had no data anyway because they were just portable phones, not portable computers.

Fast forward to today and a mobile device examination can take longer and be more labor-intensive than any typical workstation examination. Plus, mobile devices have a ton of difficulties just to reach the data, if you can access it at all. Considering that a mobile phone may have dozens of apps more than the user’s home computer, it is easy to be overwhelmed by the sheer amount of user data, storage capacity, and near 24/7 logged activity on the typical mobile device.

At one point of fighting to

Read more
Latent Wireless Review

Around the time when I was released from FTO and in my own patrol car, my agency started using LoJack. At first, LoJack sounded like a great idea. The way it works is that if someone’s LoJack-enabled car was stolen, police cars outfitted with LoJack detection would be able to find the stolen car through homing signals.

It’s more technical than that, but basically, the stolen LoJack car emits a signal that police cars with LoJack are able to track when in close proximity, much like the game of “Hot and Cold” works. Latent works in the same concept, but with more accuracy, and with a map, coupled with a directional antenna.

To be honest, I patrolled my district for probably a year, and completely forgot about the LoJack. Then my LoJack sounded off and I found a stolen car.  Even though the stolen

Read more


Here is the WinFE website with build instructions: www.winfe.net.

Brief overview of some details that may be helpful to know

Developed by Troy Larson of Microsoft in 2008, further developed into a GUI build (WinBuilder) by a number of developers in 2009, with a great write protect tool written by Colin Ramsden in 2012, noted in digital forensic books such as Computer Forensics InfoSec Pro Guide and Computer Forensics and Investigations, taught by FLETC, SEARCH, IACIS, and DFIR Training, documented in dozens of blogs and magazines, WinFE has become a widely accepted and commonly used digital forensics tool. And now you can boot an ARM device and image it with WinFE 10.

Windows Forensic Environment Training available

Typically, WinFE has mostly been law enforcement or association-membership only. Actually, there are no training courses outside of government training. Government training courses have been provided

Read more
The Second Decade of the 2000s is almost over!

We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has drastically grown! Whether you were born or have been doing DFIR work during this period, there has been much going on.

We’ve gone from “pull the plug and image the entire drive” to “fit the process to the totality of the situation”.  Processes and methods have grown exponentially in what we keep learning about digital forensics. Whether we are triaging terabytes of data prior to collection or doing live examinations involving volatile memory, the field has grown quickly over the past two decades compared to simply imaging hard drives (which we still do of course).

Let’s fly over just some of the highlights of only a few of the areas. Keep in mind that there is so much that has happened, that I only selected a few

Read more
You may want to pay attention to Arsenal Recon

There are some forensic apps that come out and you just know that they will become an integral part of most everyone’s forensic tool kit over time (sometimes right away).

I have seen this with several tools over the years in the broad spectrum of DFIR, but in particular where digital forensics is concerned, I have seen several single-purpose, small tools come out and become major players in the field, with a few of the small tools evolving into full-fledged forensic suites.

Short version: Arsenal’s tools are a must-have in a forensic analyst’s toolbox.

Plus, if you want a chance to win the tools, enter your info in the following form. Drawing is on Nov 29 and you don’t have to be present to win (you do have to answer your email to claim the win on the day of the drawing, otherwise, failure to answer the winning email means

Read more

In this post...

How to save your job. How to save your reputation. A chance to win a 3-year license of Forensic Notes.

Notetaking is boring.

Many jobs require writing in some form or another. Writing can range from documenting inventory of empty boxes to full-blown and extremely detailed legal briefs of a complex criminal investigation.  Your basic report writing and notetaking falls somewhere between these two ends of the spectrum. Generally when we write, we suck at it. <I might be speaking only for myself…>. We suck at it because we don't like doing it as it is boring.

“If you don’t document it, it never happened.”

One thing about history is that history has been documented.  There is probably a lot of world history that no one will ever know because it wasn’t documented. All we know is that which has been documented in stone, parchment, or paper. 

Read more

How do you know if you improved your skill and knowledge base over the past years, or even over the past week? Did you even improve anything from yesterday? And if you did, how do you know?  Are you better working the DFIR today than yesterday? There is something you can do to check.

Pit yourself against your most fearsome opponent: Yourself!

We are our own worst enemy in many facets of life. We are the most critical of ourselves compared to anyone, even compared against the most overprotective parents or the strictest music teacher you’ve ever had or seen. We are tough on ourselves. Let’s take that toughness and use it for a benefit!

To see how much you have grown and developed in DFIR skills, block out a day to check yourself against a younger version of yourself. If you have a case or analysis from years

Read more


Belkasoft Evidence Center lives up to its tagline of “forensics made easier”.  For a near complete automated case work, it works. An intuitive interface and automated processes make processing practically user-error free.

The review

I took Belkasoft Evidence Center (BEC) for a test drive, ran it across several images, and validated what I saw with a different forensic suite.  Everything that I tested, worked. Plus, it did a few things that my other tools do not.

At this point of digital forensics software development, especially with name brand companies such as Belkasoft, I am not going to get into the things that every forensic suite should be able to do, such as adding images or imaging or data carving or creating bookmarks of items, unless there is something substantially different. If a tool cannot do the basics, then I don’t want to touch that tool or let it touch

Read more