
Daily Blog #570: Forensic Lunch Test Kitchen 12/17/18 Syscache.hve

Hello Reader, Tonight in the Test Kitchen we expanded our testing of the Syscache hive by adding more data from our python script that is matching MFT entries to the Syscache entries. Here is what we learned: The syscache hive seems to record at least exe, dll, bat and cmd files executed. The syscache hive, like the Amcache hive […]

Daily Blog #569: Sunday Funday 12/16/18

Hello Reader, Last week I got you searching for DFVFS; this week let’s see you program in DFVFS! We’ve done a lot of different challenges for the Sunday Funday series, so why not continue to mix it up and see what you’ve learned. Need some code examples? Look at yesterday’s winning answer: https://www.hecfblog.com/2018/12/daily-blog-568-solution-saturday-121518.html The Prize: $100 Amazon […]

Daily Blog #568: Solution Saturday 12/15/18

Hello Reader, This week I changed up the challenge and you stepped up to the task. This week the master of DFIR knowledge summarization used his skills to pull off a win by one project. Congratulations to Phill Moore (and his baby) for this week’s win! The Challenge: Find all the projects out there that are making use of DFVFS (https://github.com/log2timeline/dfvfs) […]

Daily Blog #567: Forensic Lunch 12/14/18

Hello Reader, It’s the forensic lunch! This broadcast we had Eric Huber talking about his work at the NW3C (National White Collar Crime Center) and his investigations into cryptocurrencies. I think you’ll enjoy it! You can read Eric’s blog here: http://www.afodblog.com/ You can follow Eric on Twitter here: https://twitter.com/ericjhuber You can learn more about the NW3C here: https://www.nw3c.org/ Watch the video below:

Daily Blog #566: Forensic Lunch Test Kitchen 12/13/18

Hello Reader, This was another test kitchen where we mainly got some python code to work and in the end were able to print all of the file names out of the file name attributes for every file referenced in the Syscache hive Object key. This isn’t done though, as next week I need to add in […]

Daily Blog #565: Seeing Double (access dates)

Hello Reader, Got some medicine today, so hopefully I’ll be able to stop coughing tomorrow. In the meantime I’d like to point you to some very interesting work Maxim Suhanov is doing. You can read the tweet thread here: https://twitter.com/errno_fail/status/1073012513187479553 Maxim found that Windows is keeping two last access dates, one on the disk and one in […]

Daily Blog #564: Tool spotlight Artifact Extractor

Hello Reader, Well, my cough has gotten worse, so no test kitchen tonight or else you would mainly hear my coughing. So tonight I thought I would take the time to spotlight one of the tools you could be including in your Sunday Funday submission this week, Artifact Extractor. You can check it out here: https://github.com/Silv3rHorn/ArtifactExtractor What Silv3rHorn has […]

Daily Blog #563: Forensic Lunch Test Kitchen 12/10/18

Hello Reader, Another test kitchen down! This time we went back to the Syscache.hve in Windows 7, trying to understand its limitations and its purpose in the operating system. Here is what we found: Programs executed from the Desktop, whether from the command line or GUI, were not being inserted into the Syscache.hve. Programs executed from a […]

Daily Blog #562: Sunday Funday 12/9/18

Hello Reader, We’ve had a lot of different kinds of challenges to attract different people within the community to participate. This week I’m changing the challenge up again to open up who can participate this week, in a test of your Google and basic code reading skills. The Prize: $100 Amazon Giftcard. The Rules: You must post your answer […]

Daily Blog #561: Solution Saturday 12/8/18

Hello Reader, Another challenge where a new victor has emerged! One of the great things about these weekly challenges is that they give people within the larger community a chance to show what they’ve got. This week Zach Stanford has made his mark with his winning submission. The Challenge: Document the order that the following shims are executed/data written […]

Daily Blog #560: Forensic Lunch 12/7/18

Hello Reader, This week we had a Forensic Lunch with Eric Zimmerman! We talked about: Eric’s new tool RBCmd, https://ericzimmerman.github.io/Software/RBCmd.zip; Eric’s updated MFTECmd, which now supports $Boot, $SDS, and USN Journal parsing, https://binaryforay.blogspot.com/2018/12/mftecmd-0360-released.html; and Eric’s soon-to-be-released plugins for the CIT registry key and the Syscache hive. You can watch the video here:

Daily Blog #559: Forensic Lunch Test Kitchen 12/6/18

Hello Reader, Tonight we tested the new NTFSDisableLastAccessUpdate registry key in Windows 10 1803. Here’s what we learned: We learned that reading double negatives can be hard; it turns out my system did have last access dates on (value of 2), as Maxim Suhanov stated, as my system drive was <= 128 GB in size. We learned that drives larger than […]

Daily Blog #558: Forensic Lunch Test Kitchen 12/5/18

Hello Reader, Tonight we were testing the Syscache.hve that Maxim Suhanov found in his testing of the Amcache and RecentFileCache.bcf files; you can read his write-up here: https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/ From our testing tonight, here is what we learned: The syscache hive has three indexes. The ObjectID key (no relation to $objid), which is inserted into the hive sequentially as new […]

Daily Blog #557: Changes in the NtfsDisableLastAccessUpdate key

Hello Reader, It looks like as of at least Windows 10 1803 a new change has come to an old registry key. The NtfsDisableLastAccessUpdate key found in ‘SYSTEM\CurrentControlSet\Control\FileSystem’ is no longer just a true/false 1/0 value. It now has four possible values stating how the access dates in NTFS were enabled or disabled. Looking at my laptop’s registry […]

Daily Blog #556: NCCDC Red Team Call for Volunteers

Hello Reader, It’s coming around to CCDC competition time for much of the United States; some schools are already in invitationals. This is the yearly call for volunteers for the NCCDC red team. If you have the following to bring to the table: custom malware, custom command and control, an active GitHub repository, the ability to […]

Daily Blog #555: Sunday Funday 12/2/18

Hello Reader, We’ve had some great research coming out by working together. This week’s challenge is less about trying something new, and more about trying to understand more about what we already know. The Prize: $100 Amazon Giftcard. The Rules: You must post your answer before Friday 12/7/18 7PM CST (GMT -5). The most complete answer wins […]

Daily Blog #554: Solution Saturday 12/1/18

Hello Reader, This week we have a clear winner, with Maxim Suhanov not only answering the question but finding a new artifact and writing a proof of concept extractor for it in the process! The Challenge: On a Windows 7 system, how long does it take for a new GUI executable to appear in the Amcache? What […]

Daily Blog #553: Forensic Lunch 11/30/18

Hello Reader, We had a forensic lunch today! It was just Matt and I, as all of our scheduled guests had to reschedule, but we made the most of our time. Thanks to those of you who tuned in live, and expect Forensic Lunch to return in December on: December 7th, 2018 at Noon CST; December 14th, 2018 […]

Daily Blog #512: Forensic Lunch Test Kitchen 11/29/18

Hello Reader, Tonight we tested out Maxim Suhanov’s YARP library and his provided script to extract and decompress the LZNT1 compressed keys in the CIT\System key we talked about last night. Here is what we learned: YARP is a great python registry library; clearly I’m just scratching the surface of what it can do. LZNT1 requires a minimum […]

Daily Blog #552: Forensic Lunch Test Kitchen 11/28/18

Hello Reader, Tonight we had a test kitchen with ups and downs, as some things worked and others didn’t. Here’s what we learned: All of the LZNT1 libraries we tried to decompress the system binary registry entries Maxim Suhanov found failed. YARP has support for the LZNT1 format used in the registry; I’ve downloaded it and we will […]
