Dump password of application pool user from IIS >= 6.0

IIS Application pools are used to separate sets of IIS worker processes that share the same configuration and application boundaries. Application pools used to isolate our web application for better security, reliability, and availability and performance and keep running with out impacting each other . The worker process serves as the process boundary that separates […]

Data Carving Issues

by Chetan Gupta, NII Consulting Many a times as an investigator, I have to deal with the issue of carving data from unallocated spaces in a partition. There are many commercial data carving tools such as Encase, Winhex, Accessdata FTK, DataLifter, ILookInvestigator. Well, I have tried most of these and must say most of them […]

Article on Dissecting NTFS Hidden Streams

NII Consulting’s Chetan Gupta (GCFA) has published an article at ForensicFocus on the Alternate Data Streams in NTFS, and how these can be detected. This article discusses a “…particular feature of this file system which was designed to offer compatibility with Macintosh Hierarchical File System (HFS) and store additional data called metadata for a file. […]

UserAssist Revisited!

By Chetan Gupta, NII Consulting In my previous article on Userassist, I had mentioned how UserAssist records user access of specific objects on the system and how it would greatly aid forensic investigations. Although, I had shown how to decrypt the keys, the important thing that was missing was how to interpret the 16 bytes […]