computer forensics
UAV - Unmanned aerial vehicle forensics
DatConcase study: flight logs, motor speeds, battery usage, a tool designed to interpret .DAT files specifically from DJI UAVCsvView and DatCon are free offline apps that provide the means to analyze log files produced by the Phantom 3, Phantom 4, Phantom 4 Pro, Inspire 1, Spark, and Mavic Pro drones. To use one, or both, of these apps just download and install on your PC, Mac or Linux machine.https://datfile.net/
DJIFixcarves images and videos through the commandlineRepairing Corrupt DJI Video Filesif you accidentally power off your DJI quadcopter (Phantom, Mavic, Spark, or Inspire) before stopping video recording, you'll be left with a file that's corrupt, and cannot be played.http://djifix.live555.com/
ST2Dash der Flightlog Konverter für die ST10+/Q500.https://www.drohnen-forum.de/index.php/Thread/12303-ST2Dash-der-Flightlog-Konverter-f%C3%BCr-die-ST10-Q500/
DroneLogbookSTANDARD FreePerfect for the hobbyist and individual user who wants to track key flightLog your flights with detailImport your flight log to fill info automatically, view GPS trace and replay it in 3D.https://www.dronelogbook.com/hp/1/index.html
Gryphon Drone Forensics Toolthis tool aims to extract critical events happened during the flight of an Unmanned Aerial System/Vehicle, running Ardupilot flight stack. This tool is part of the research paper Gryphon: Forensics on Dataflash and Telemetry Logs.https://github.com/emantas/gryphon_dft
process accounting on LinuxRHEL : yum install psacctUbuntu : sudo apt-get install accthttps://man7.org/linux/man-pages/man5/acct.5.html
Anti-Forensics
TimestampsTimeStompparse MFT fileshttps://github.com/dkovar/analyzeMFTExtract $MFT record info and log it to a csv file.https://github.com/jschicht/Mft2Csvcollect MFT fileshttps://github.com/orlikoski/CyLRParser for $UsnJrnl on NTFShttps://github.com/jschicht/UsnJrnl2CsvParser for $LogFile on NTFShttps://github.com/jschicht/LogFileParserhttps://github.com/jschicht/SetMaceHiding Data in Slack Space using bmaphttp://dl.packetstormsecurity.net/linux/security/bmap-1.0.17.tar.gzslacker.exeFinding Data in Slack Spacesleuthkit/autopsyDisable Timestamps - UserAssistregistry key that maintains dates and hours when each executable was run by the userDisabling UserAssistSet two registry keys both to zeroHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgsHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabledDisable Timestamps - Prefetchinformation about the applications executed with the goal of improving the performance of the Windows systemHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management\PrefetchParametersSet two registry keys both to zeroEnablePrefetcher and EnableSuperfetchDisable Timestamps - Last Access TimeWhenever a folder is opened from an NTFS volume on a Windows NT server, the system takes the time to update a timestamp field on each listed folder, called the last access timHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystemset value to 1NtfsDisableLastAccessUpdateDelete USB HistoryUSBSTOR registry key that contains sub keys which are created whenever you plug a USB DeviceHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTORsaves information about the USBsC:\Windows\INF\setupapi.dev.loghttps://www.nirsoft.net/utils/usb_devices_view.htmlDisable Shadow Copies#List shadow copiesvssadmin list shadowstorage#Delete shadow copiesvssadmin delete shadowdisable shadow copiesservices-Volume Shadow Copy-Properties-Startup type-DisabledOverwrite deleted filesDelete Windows event logseventvwr.msc-Windows Logs-Clear LogGet-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }Disable Windows event logsservices-Windows Event Log-Properties-Startup type-Disabledreg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /fDisable $UsnJrnlfsutil usn deletejournal /d c