Digital Investigator

Ext4 Forensics: Inode Table

Joseph Moronwi February 27, 2026

An inode (index node) is a fixed-size data structure that holds metadata about a file, directory, s…

Ext4 Forensics: Inode Bitmaps

Joseph Moronwi February 21, 2026

An inode bitmap is a sequence of bits that tracks inode allocation status within a block group/fl…

Ext4 Forensics: Block Bitmaps

Joseph Moronwi February 18, 2026

In file system forensics, a bitmap is a special metadata structure that records which storage uni…

Ext4 Forensics: Group Descriptors

Joseph Moronwi February 06, 2026

The smallest storage unit addressable by a disk is a sector , which has traditionally been 512 byte…

Ext4 Forensics: The Superblock

Joseph Moronwi January 29, 2026

In the first block of the filesystem, the first 1024 bytes are left for the installation of boot …

NTFS Indexing Forensic Analysis

Joseph Moronwi December 29, 2025

Indexes are used to store groups of attributes in a sorted order. One of the most commonly encoun…

NTFS Timestamps Forensic Investigation

Joseph Moronwi December 16, 2025

Among the various types of digital evidence, temporal footprints are especially valuable because …

NTFS Boot Sector Forensic Analysis

Joseph Moronwi November 18, 2025

When a volume is formatted with the NTFS file system, several system (metadata) files are created…

Deleted File Forensic Recovery In FAT File Systems

Joseph Moronwi November 15, 2025

Data recovery techniques are broadly classified into two categories: logical data recovery and p…

Analyzing The FAT Directory Entry For Digital Evidence

Joseph Moronwi November 13, 2025

Figure 1: Decoding a FAT32 root directory entry In FAT file systems, every file and folder is descr…

Analyzing The FAT Table For Digital Evidence

Joseph Moronwi November 01, 2025

A partition is divided into equally sized clusters — small, contiguous blocks of storage. The actua…

Analyzing The FAT Boot Record For Digital Evidence

Joseph Moronwi October 28, 2025

The File Allocation Table (FAT) file system was originally designed by   Marc McDonald   at Micros…

Analyzing The Master Boot Record (MBR)

Joseph Moronwi September 20, 2025

Typical storage media are organized using a defined partition scheme. Common partition schemes i…

From USB Insert To Data Exfiltration: A Forensic Analysis

Joseph Moronwi May 30, 2025

Insider threats remain one of the most difficult attack vectors to track and mitigate, especially w…

Windows Shell Link Binary Forensics

Joseph Moronwi April 19, 2025

A Windows shortcut file, known as an LNK file, is a small file with information used to access or…

Windows USB Artifacts Forensics

Joseph Moronwi April 06, 2025

Since their inception, portable devices have been one of the main security threats to enterpris…

Uncovering Adversary Tradecraft With Windows Event Logs

Joseph Moronwi March 15, 2025

Microsoft Windows uses Windows Event Logs extensively to store detailed logs of events generated …

Linux Logs Forensic Analysis

Joseph Moronwi November 22, 2024

In the world of DFIR, logs are invaluable resources. They are the fingerprints left behind that…

Decoding Anti-Virus Detection Names For Malware Analysts

Joseph Moronwi November 06, 2024

AntiVirus products are some of the most widely used security protection systems. They are deploye…

Top Malware Anti-VM Techniques And Effective Counter-Measures

Joseph Moronwi October 25, 2024

Malware Analysts and Security researchers rely on Virtual Machines, debuggers, and sandboxes in t…