Computer Forensics

Gunters' site

Quod non est in actis non est in mundo




Prefetch folder

Each time you turn on your computer, Windows keeps track of the way your computer starts and which programs you commonly open. ... The prefetch folder is a subfolder of the Windows system folder. The prefetch folder is self-maintaining, and there's no need to delete it or empty its contents.


Potpourri I, II, III, IV, V

Whois (look up IP addresses)

Spyderweb (look up all sorts of things ... e-mail,

Convert files (OCR) via Google Documents

Google location

GSM (mobile) number belongs to which provider (find the provider from a mobile number)

Identification of a mobile phone via its IMEI number

Position of the mobile antennas (position and coordinates of GSM masts)

Compare mobile networks (measure the signal strength of Base, Proximus and Mobistar)

Find your iPad, iPhone or iPod via iCloud (locate an iPhone via iCloud)

Find your Android device (locate an Android device via a Google account)

Verify e-mail address (check whether an e-mail address still exists)

FACEBOOK custom tools (special Facebook lookups)


Go to the Facebook user profile of the target.

Right-click on an empty area of the page and select "View page source". A new page opens with the HTML source of the profile.

Search the source for the term profile_owner.

The number next to profile_owner is the unique numeric Facebook ID of that profile.

TWITTER search

Social Media Checker (can I still register a given name on certain social media?)


Google image search (search for a photo via Google)

Reverse image search (look up a photo via TinEye)

Stolen camera finder (use a photo's metadata to find other photos on the internet taken with the same camera)

E-mail header analysis (analyse e-mail headers)

Website copier (copy an entire website)

Video to JPG converter (convert video to JPG)

Nirsoft (many free programs)

FoneFunShop (all kinds of tools for mobile phones)

MAC address finder (look up a MAC address)

RAM (Random Access Memory) investigation

Enter GPS coordinates in Google Maps

Reverse engineering

Which files are encrypted? (identify files encrypted by ransomware)

Ransomware identification (identify the ransomware family)

All kinds of tools for system analysis

Download the suite here

Computer Forensics Tutorials

How to fix boot and startup problems with UEFI

Device configuration overlay (DCO) changer

Detection tools

HDAT2, a free program, can be used to create or remove a Host Protected Area (HPA) (using the SET MAX command) and to create or remove a DCO hidden area (using the DCO MODIFY command). It can also perform other operations on the DCO.

Data Synergy's free ATATool utility can be used to detect a DCO from a Windows environment. The current version does not allow a DCO to be removed.

What is a DCO (hidden area of a hard disk), and also an HPA

HPA (Host Protected Area): hidden part of a hard disk

X-Ways lessons with video

X‐Ways Forensics (v15.4) QuickStart Guide

X-Ways Forensics manual (user manual)

X-Ways Forensics extended File Type Categories

Regular expressions (grep): long list (MasterCard, Bitcoin, e-mail, ...)

How to Pull Passwords from a Memory Dump

Windows File Encryption (predecessor of Windows BitLocker)


Created: 12 Aug 2006 11:34:14 - this is when the file was created at that location. Here 'created' does not necessarily mean the content was first made; a file copied to a new location gets a fresh creation time, which is why it can be later than the modification time.

Modified: 14 July 2006 09:05:45 - this is when the file content was last changed and saved.

Accessed: 12 Aug 2006 12:05:34 - this is when the file was last touched in some way. Be careful: this can include an anti-virus application scanning the file, so it does not necessarily imply user interaction.

What is ARP cache

Petya ransomware outbreak: Here’s what you need to know

What is PGP (Pretty Good Privacy)