Last week, I had the opportunity to attend the first DFIR online meetup. The meetup was hosted by Mike Wilkinson of Champlain College and featured a presentation from Mike on an interesting assault case, as well as a presentation from Harlan Carvey on accessing VSCs. I really liked the layout of the technology that was used. There were two chat areas: one directed towards the speaker/presenter and a general chat area for everything else. As Mike mentioned in his blog, the conversation died down after the recording started, but I think that also may have been because the presentations had begun and people were paying attention to the speakers instead.
Mike’s case study was an interesting assault case that dealt with a machine that had four operating systems on two hard drives. The main issue in the case involved computer use during a specific timeframe. I won’t go into details, but the presentation really hit on the fact that you should know your tools and understand how they present data to you as an examiner. Time conversions from UTC to local or vice versa can have a significant impact on a case if you’re not aware that they’re happening in the background.
Harlan’s presentation went through the steps necessary to mount and access data stored in volume shadow copies. He’s outlined the steps in his blog before, but it’s nice to hear it straight from the source to help reinforce the process. What made this even better is that if you had a specific question about mounting and accessing VSCs, or an issue you’ve had in the past when working with them, you could ask it during or after the presentation and receive an answer from Harlan or one of the other attendees who may have dealt with a similar situation.