National CCDC 2018 Redteam Debrief

Hello Reader, Another year of CCDC is over and another winner has been crowned. For those of you just here for the presentation, here are this year's debrief slides: For those of you looking for more: This year at Nationals we had a lot of success as a red team. From 0 knowledge (except IPs in scope) to […]

2018 Updates and Teaching SANS Windows Forensics FOR500 in Singapore

Hello Reader, I know the blog has been quiet, but if you didn't know, the YouTube channel has been active; you can find it here. For those who listen to the podcast, I'm sorry I haven't gotten it up to date with the videos of the Forensic Lunch; I'll see about getting that done this month. […]

FSEventsParser 3.1 Released

By Nicole Ibrahim. G-C Partners' FSEventsParser python script 3.1 has been released. Version 3.1 now supports parsing macOS High Sierra FSEvents. You can get the updated script here: Prior versions of the script do not support High Sierra parsing, so it's important to upgrade to the current version of FSEventsParser. Other recent updates include: Better handling of carved gzip files […]

National Collegiate Cyber Defense Competition Red Team Debrief 2017

Hello Reader, I've been busy lately, so busy I didn't get around to posting this year's red team debrief from the National CCDC. After just leaving Blackhat / Bsides LV / Defcon and running our first Defcon DFIR CTF, I thought it was important to get these up and talk about the lessons learned. The Debrief: First of all […]

Contents in sparse mirror may be smaller than they appear

By Matthew Seyer. As many of you know, David Cowen and I are huge fans of file system journals! This love also includes all change journals designed by operating systems, such as FSEvents and the $UsnJrnl:$J. We have spent much of our dev time writing tools to parse the journals. Needless to say, we have lots of experience with file […]

Forensic Lunch with Paul Shomo, Matt Bromiley, Phil Hagen, Lee Whitfield and David Cowen

Hello Reader, It's been a while since I've cross-posted that the videocast/podcast went up. We had a pretty great Forensic Lunch with lots of details about programs that are relevant for everyone from academic students in forensics to serious artifact hunters. Here are the show notes: Paul Shomo comes on to talk about Guidance Software's new Forensic Artifact Research […]

Windows, Now with built in anti forensics!

Hello Reader, If you've been using a tool to parse external storage devices that relies on USB, USBStor, WPDBUSENUM or STORAGE as its primary key for finding all external devices, you might be being tricked by Windows. Windows has been doing something new (to me at least) that I first observed in the […]

DFIR Exposed #1: The crime of silence

Hello Reader, I've often been told I should commit to writing some of the stories of the cases we've worked so as not to forget them. I've been told that I should write a book of them, and maybe some day I will. Until then I wanted to share some of the cases we've worked where things went […]


Hello Reader, It's been a while! Sorry I haven't written sooner. Things are great here at camp, aka G-C Partners, where the nerds run the show. 2 years ago or so I got lucky enough to work with one of our favorite customers in generating some standard operating procedures for their DFIR lab. While we list forensic lab consulting as a service […]

Building your own travel sized virtual lab with ESXi and the Intel SkullCanyon NUC

Hello Reader, It's been a while and I know that, sorry for not writing sooner, but to quote Ferris Bueller: "Life moves pretty fast. If you don't stop and look around once in a while, you could miss it." So while I've worked on a variety of cases, projects and new artifacts to share, I've neglected the […]

Daily Blog #381 National CCDC Redteam Debrief

Hello Reader, The 11th year of the National Collegiate Cyber Defense Competition has ended; congratulations to the University of Central Florida for their third consecutive win. I hope you make it back next year for another test of your school's program and ability to transfer knowledge to new generations of blue teams. If you want to show your […]

Daily Blog #380: National CCDC 2016

Hello Reader, I'm in San Antonio for the National Collegiate Cyber Defense Competition, which starts at 10am CST 4/22/16. If you didn't know, I lead the red team here at Nationals, where the top 10 college teams in the country come and find out who does the best at defending their network while completing business objectives. I'm […]

Daily Blog #379: Automating DFIR with dfVFS part 6

Hello Reader, It's time to continue our series by iterating through all the partitions within a disk or image, instead of just hard coding the one. To start with you'll need another image, one that not only has more than one partition but also has shadow copies for us to interact with next. You can download the […]

Daily Blog #378: Automating DFIR with dfVFS part 5

Hello Reader, Wondering where yesterday's post is? Well, there was no winner of last weekend's Sunday Funday. That's ok though, because I am going to post the same challenge this Sunday so you have a whole week to figure it out! — Now back to our regularly scheduled series — I use Komodo from […]

Daily Blog #377: Sunday Funday 4/17/16

Hello Reader, If you have been following the blog the last two weeks you would have seen it's been all about dfVFS. Phil aka Random Access posted something I was thinking about on his blog, that I thought was worthy of a Sunday Funday challenge. In short, Phil saw that I posted a video […]

Daily Blog #376: Saturday Reading 4/16/16

Hello Reader, It's Saturday! Soccer games, birthday parties and forensics, oh my! That is my weekend, how's yours? If it's raining where you are and the kids are going nuts, here are some good links to distract you. 1. Didier Stevens posted an index of all the posts he's made in March. If you are at […]

Daily Blog #375: Video Blog showing how to verify and test your dfVFS install

Hello Reader, This is a first for me: I've created a video blog today to show how to verify and test that your dfVFS installation was successful in Windows. If you want to show your support for my efforts, there is an easy way to do that. Vote for me for Digital Forensic Investigator of the Year […]

Daily Blog #374: Automating DFIR with dfVFS part 4

Hello Reader, In our last entry in this series we took our partition listing script and added support for raw images. Now our simple script should be able to work with forensic images, virtual disks, raw images and live disks. If you want to show your support for my efforts, there is an easy way […]

Daily Blog #373: Automating DFIR with dfVFS part 3

Hello Reader, In our last post I expanded on the concept of path specification objects. Now let's expand the support of our dfVFS code to go beyond just forensic images and known virtual drives to live disks and raw images. Why is this not supported with the same function call, you ask? Live disks and raw […]

Daily Blog #372: Automating DFIR with dfVFS part 2

Hello Reader, In this short post I want to get more into the idea of the path specification object we made in the prior part. If this post had a catchy title it would be "Zen and the Art of Path Specification". In the prior post, part 1 of the series, we made three path specification objects. […]
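The dfVFS series above (path specification objects in parts 2 and 3, then walking every partition of an image instead of hard coding one in part 6) layers a TSK partition path spec on top of a RAW or OS path spec and lets the library read the partition table. The following is an added example, not code from the blog series or from dfVFS: a dependency-free Python walk of an MBR partition table over a constructed nine-sector image, so the table reading that dfVFS hides can be seen directly. The two tiny "partitions" and the OEM-ID/FS-type-string sniffing used to label them are assumptions of this example, and extended partitions (types 0x05/0x0F) are flagged rather than chased into their EBR chain.

```python
"""Walk an MBR partition table and peek at each partition's boot sector.

Added example; it does not use dfVFS. The sample image is constructed inline.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
MBR_TABLE_OFFSET = 446          # four 16-byte entries start here
EXTENDED_TYPES = {0x05, 0x0F}   # containers that need EBR chasing (not done here)


@dataclass
class Partition:
    index: int
    type_id: int
    bootable: bool
    start_lba: int
    sector_count: int

    @property
    def start_offset(self) -> int:
        return self.start_lba * SECTOR

    @property
    def size_bytes(self) -> int:
        return self.sector_count * SECTOR


def parse_mbr(image: bytes) -> List[Partition]:
    """Return the non-empty primary partition entries of an MBR image."""
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector")
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not an MBR (or a GPT-only disk)")
    parts = []
    for i in range(4):
        entry = mbr[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) count(4)
        status, type_id, start_lba, count = struct.unpack("<B3xB3xII", entry)
        if type_id == 0 or count == 0:
            continue                        # unused slot
        parts.append(Partition(i, type_id, status == 0x80, start_lba, count))
    return parts


def identify_filesystem(image: bytes, part: Partition) -> str:
    """Cheap sniff of the partition's first sector (assumed signatures, not exhaustive)."""
    if part.type_id in EXTENDED_TYPES:
        return "extended container (walk its EBR chain to find logical partitions)"
    boot = image[part.start_offset: part.start_offset + SECTOR]
    if len(boot) < SECTOR:
        return "truncated (partition extends past end of image)"
    if boot[3:11] == b"NTFS    ":
        return "NTFS"
    if boot[82:90] == b"FAT32   ":
        return "FAT32"
    if boot[54:62] in (b"FAT12   ", b"FAT16   "):
        return "FAT12/16"
    return "unknown"


def walk_partitions(image: bytes) -> List[Tuple[int, int, int, str]]:
    """(index, type id, byte offset, sniffed filesystem) for every primary partition."""
    return [(p.index, p.type_id, p.start_offset, identify_filesystem(image, p))
            for p in parse_mbr(image)]


def build_sample_image() -> bytes:
    """Constructed 9-sector image: MBR, a 4-sector 'NTFS' slot, a 4-sector 'FAT32' slot."""
    def entry(bootable: bool, type_id: int, start: int, count: int) -> bytes:
        return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, type_id, start, count)

    table = entry(True, 0x07, 1, 4) + entry(False, 0x0B, 5, 4) + bytes(32)
    mbr = bytes(MBR_TABLE_OFFSET) + table + b"\x55\xaa"
    ntfs = bytearray(4 * SECTOR)
    ntfs[3:11] = b"NTFS    "                # OEM ID as written by NTFS format
    fat32 = bytearray(4 * SECTOR)
    fat32[82:90] = b"FAT32   "              # FS type string in the FAT32 BPB
    return mbr + bytes(ntfs) + bytes(fat32)


if __name__ == "__main__":
    img = build_sample_image()
    for index, type_id, offset, fs in walk_partitions(img):
        print(f"partition {index}: type 0x{type_id:02X} at byte offset {offset}: {fs}")
```

Against a real image, `build_sample_image()` is replaced by reading the first sector(s) of the evidence file; the byte offsets returned are exactly the values you would hand to a filesystem parser (or that dfVFS's TSK partition layer computes for you). A disk with a 0xEE protective MBR is a GPT disk and needs a GPT reader instead, which this example does not include.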

G-C Partners