As the title says, somewhat of a reverse forensic journey to backtrace the work that's been done on a set of data. I've got a drive that has a filesystem recovered from another drive. Since there are "-slack" files present I suspect the recovery has been done with some forensic/recovery program.

There are many that have "slack support" but my focus is figuring out which one (hopefully singular) has a default setting of outputting "filename.ext-slack".

For example I think that FTK Imager outputs "filename.ext.FileSlack", so that might be ruled out. The problem is that "-slack" doesn't work well with search engines and the manuals for the different programs don't really go into details on what schema they use for output.

I imaged the laptop using Paladin 9, it's a newer Lenovo thinkpad. I threw the image into Magnet after imaging and Magnet doesn't seem to notice it's bitlocker. Did they separate unlocking the drive to a separate program or did I do it wrong?

It's TPM 2.0 - is there a chance there's a trick with the newer TPM?

Hey all, I'm the sole IT person for a company with around 45 employees, and I'm trying to put together a solid set of tools (open-source or paid) to use during a cybersecurity incident.

I'm not just looking at prevention, but specifically tools that help during an active breach; things like detecting threats/breach, investigating compromised endpoints or network activity, analyzing logs/traffic, isolating systems, and actually responding/remediating. We do have an incident response plan, but without an active toolset during a live scenario, the plan doesn't mean much.

Any suggestion?

Hey! Recently, I heard that Wireshark was actually not made for security analysis purposes and that there are other better options, does anyone know these alternatives? I've started using tshark a bit but the commands are too long and somewhat overwhelming, so i guess i'll have to get used to it. But is it the only good option?

Also, any suggestions for network forensics guides? Which guides do you guys think are good? network forensics is probably my weakest side so i'm trying to improve it, it's like i'll open the file and try to spot any unique stuff but i end up with nothing usually, and i don't know how to start analyzing the file well, even when asked specific questions like in CyberDefenders Labs and so on.

Thanks for help in advance.

Hey folks,

Been doing forensics forever on Windows boxes, but first time with a modern Mac (Apple silicon/T2 territory). Got the TX1 ready, but the SSD is that proprietary blade thing – not popping out easy.

How are you guys grabbing a solid physical bit-for-bit these days?

-Yank the drive anyway (pentalobe/spudger fun) and hit it with the TX1 + proper Apple PCIe adapter? Or is Target Disk Mode + Thunderbolt write-block + ddrescue/ewfacquire on a Linux rig still the move?

-If physical's basically dead or too risky, what do I actually need on my Windows forensic workstation for a clean live or dead acquisition? FTK Imager, AXIOM, EnCase, or something else? -Any must-have drivers, bootable stuff, or T2 workarounds?

APFS/FileVault/SIP headaches I should watch for? Does the TX1 play nice with Apple SSDs out of the box or need special firmware/adapters?

Just trying to keep the chain of custody clean. Appreciate any real-world workflows.

Cheers

Forensic readiness is not yet a clean standalone category, but enterprises are already spending on the underlying problem through digital forensics, incident response, and evidence-focused security workflows.

Hey everyone,

I just pushed Crow-Eye version 0.9.1. I completely rewrote the LNK/JumpList parsers from scratch, enhanced the Prefetch parser, and standardized global UTC time handling across all artifacts. It’s faster, more resilient, and the expanded timeline visualization now supports even more artifacts.

But while pushing these updates, I wanted to talk about a growing problem in our field: The "Black Box" of Forensics.

Right now, most people depend heavily on parsers without really knowing the behavior underneath them. With AI becoming more prevalent, this problem is only going to get worse. People will start trusting outputs without understanding the binary structure or the forensic anatomy of what they are actually looking at.

I have a different vision. I believe AI should make it easier for researchers to develop parsers and understand data, not just blindly output answers. That’s why I decided we need a backbone , something to help the next generation deeply understand the forensic anatomy we are studying.

👁️ Introducing "Eye-Describe": Visualizing the Binary Truth

To fix this, I am building a new educational suite called Eye-Describe. It aims to visually explain the internal binary structures of forensic artifacts directly to the user. It will show investigators exactly how the parsers work under the hood. When you are looking at extracted data (like Prefetch or Amcache), you won't just see the result. Eye-Describe will visually highlight the binary structure of the artifact, showing you exactly where in the hex data that specific evidence was extracted from, and why it matters.

A Live Example: The Windows Boot Disk Explorer

To give you a taste of this philosophy, I’ve published the first piece of this initiative online:

The Interactive Tool: Windows Boot Disk Explorer (https://crow-eye.com/Eye-Describe/windows\_boot\_disk\_explorer)

The Deep-Dive Article: The Anatomy of the Windows Boot Process (https://crow-eye.com/booting-process)

Instead of just listing partitions, this interactive tool visually breaks down the actual physical disk architecture (UEFI+GPT vs. BIOS+MBR). When you click a segment (like the ESP or MSR), it reveals its specific forensic role, the file structure inside it, and a node-based visualization showing exactly how the files interact during the system startup sequence.

https://preview.redd.it/b5m273lvu0wg1.png?width=1447&format=png&auto=webp&s=d209ec6a07b5280c796aa21b8a741f8473bfb4de

---

Coming in Crow-Eye 0.10.0: "The Eye" AI Agent

While we are building out this Eye-Describe educational backbone, we are simultaneously working on our AI integration. In our next major release (0.10.0), we are introducing The Eye a feature that allows users to connect their own API keys or CLI agents directly into Crow-Eye. This isn't just a basic chatbot. The Eye will have direct access to the parser results generated by Crow-Eye, making it deeply aware of both your specific forensic data and general artifact behavior. It will assist investigators by:

Spotting the Unseen: By analyzing the parsed results across all artifacts, The Eye can proactively spot anomalies, correlations, or hidden tracks that you might have missed during manual review.

Building & Testing Hypotheses: You can propose an attack scenario, and the agent will use the actual parsed evidence to help you verify if the artifacts support or refute that hypothesis, helping you build a clear picture of the attack.

Evaluating Trust: It will understand the nuances of different artifacts advising you on what data is highly reliable (like the MFT) versus what might be easily manipulated or fragile.

Querying the Database: Helping you search through massive datasets using natural language.

---

🤝 Open Call to Researchers & Reverse Engineers

I’d love for you to check out the Boot Disk Explorer concept and read the article. Let me know what you think what artifacts do you think are the hardest for students to grasp and would benefit most from this kind of visual binary breakdown?

If you have deep knowledge about the binary structure of specific Windows artifacts and want to help visualize them, please reach out! I believe collaborating on this will massively help the DFIR community and the next generation of investigators. You can contact me directly at: Ghassanelsman@gmail.com

GitHub Repo: https://github.com/Ghassan-elsman/Crow-Eye

Eye-Describe : https://crow-eye.com/Eye-Describe/windows_boot_disk_explorer

Boot Process Article: https://crow-eye.com/booting-process

Happy hunting!

Is it possible to image an Apple watch? Does anyone have experience with imaging this device or getting anything off of it forensically? Thanks in advance.

Do you ever have to deal with off network imaging and if so how do you get that image to your lab on the cloud in an efficient way? We are thinking of moving to the cloud. But we have a few clients who always prefer to ship laptops to us. Anyone else deal with that kind of thing?

Any advice for a Chromebook acquisition?

It’s unlocked with no management

Hey everyone!

we just released version 0.9.0 of Crow-eye, and it brings some major updates we've been working hard on.

A big focus for us in this version was removing the friction of dealing with forensic images. We actually added direct support for analyzing images right

inside Crow-eye, so you don't need any other mounting software to get started. You can just point it at the image and let it parse. Right now we support

parsing directly from:

* E01 / Ex01

* VHDX / VHD

* VMDK

* ISO

* Raw / DD

We also decided it was time to move on from the old timeline prototype. We built a brand new version of the Timeline Visualization from the ground up, making it way easier to correlate everything and actually see the full picture in one place.

https://preview.redd.it/t22zt7ty68vg1.png?width=3439&format=png&auto=webp&s=7d5bc5f51cb0e93029ce0641813636a068ba3d58

And finally, something a lot of people asked for: Crow-eye is now completely cross-platform! We updated all the parsers so they no longer depend on Windows APIs for offline artifacts. This means you can now run it natively on Linux to parse offline artifacts and process those forensic images without needing a Windows machine.

GitHub : https://github.com/Ghassan-elsman/Crow-Eye

Let me know how it runs for you, what you think of the new timeline, or if you run into any bugs or issues!

I haven’t taken SANS for500 and was thinking of going straight into for508 instead of taking the for500 since I’ve heard a lot of the material is covered in 508. Does anyone recommend to take 500 first or can I go straight into 508?

Hey everyone,

I don't know about you, but I was getting seriously frustrated with how fragmented our tools are. Trying to piece together an investigation across Windows, Linux, and Mac artifacts usually means jumping between half a dozen different apps, and the centralized "all-in-one" solutions cost some money

So, about 9 months ago, I decided to just try and build the tool I actually wanted to use. It's called Heimdall DFIR. GitHub: https://raiseix.github.io/Heimdall-DFIR

Instead of a bunch of marketing buzzwords, here is what it actually does right now:

• One giant timeline: It takes your artifacts (EVTX, MFT, Prefetch and other Windows artifacts Linux/Mac logs, etc.) and merges them into a single chronological grid. I spent a lot of time trying to make the output actually human-readable instead of just dumping raw JSON on the screen
• RAM Analysis: I hooked it up to VolWeb (Volatility 3). You can upload massive memory dumps directly in the UI and it actually handles the stream without crashing the backend
• Collaborative mode: Investigating alone sucks, so I added a side-chat and an evidence-pinning system so a team can look at the exact same case simultaneously

To be completely transparent with you all: This is very much a Beta. It’s a massive undertaking and it’s still missing a lot of features I want to add before calling it a complete platform

That’s honestly why I’m sharing it today. I’m hoping to get some brutally honest feedback from people who do this daily. What parsers are you constantly missing in open-source tools? What would make you actually want to use this?

If anyone wants to spin it up (Docker compose is ready to go), break it, submit bug reports, or even contribute code to help build this out, I would be incredibly grateful.

Let me know what you think. If you like the vision, a GitHub ⭐ helps a lot!

Has anyone noticed a significant decrease in speed with the last couple months of axiom updates? Or is it just me

Hi everyone,

I recently started a new role where I'm handling laptop returns (rückläufer). My current instructions are simply to copy the user folders and format the drives. Coming from a legal background, I know this is a nightmare for chain of custody and evidence integrity. If any of these cases end up in court, a simple file copy won't hold up.

I’ve been asked to start taking full forensic images of about 1-2 laptops per month for high-risk cases. I know a Write Blocker is essential to ensure the source drive remains untouched.

I found the Tableau bridges, but at €650+, my manager is asking if there are more budget-friendly alternatives since our volume is very low (only a few devices a month).

I have a few questions for the experts here:

1. Is a hardware write blocker mandatory for this volume? Or are there reliable "software" write-blocking methods for Linux/Mac that you would trust in a legal setting?
2. Budget Hardware: Are there reliable alternatives to Tableau? I’ve seen some cheaper USB-C or SATA bridges, but I’m worried about their reliability in a forensic context.
3. Workflow: What is your go-to "budget" stack for imaging (e.g., FTK Imager + a specific bridge)?

I want to do this the right way without breaking the bank, but I also need to convince my boss that "cheap" shouldn't mean "inadmissible in court."

Thanks in advance for your help!

just looking for a few samples of M365 purview exports. does anyone know if there's any available?

Does anyone know where to find a safe copy of this version? I need to get an E01 of a Windows Server 2003 VM. Thanks!