Blog

Daily Blog #702: Sunday Funday 8/9/20

  Hello Reader,            It’s been awhile! I wish I could tell you what all I’ve been up too, but needless to say real investigations got so crazy between May-August that I couldn’t even find time to blog without losing even more sleep. So let’s pick up where we left off with a Sunday Funday! This […]

Daily Blog #701: Magnet Virtual Summit CTF 2020 Results

Hello Reader,          If you watched the live commentary boy were you in for a treat! So much so that I deleted the video afterwords. No reason to let that hot mess live on forever. What will live on forever though is the winners of the CTF! Congratulations Evangelos Dragonas aka theAtropos4n6 for winning 1st place! We will hopefully see […]

Daily Blog #700: New version of Plaso

Hello Reader,           Ryan Benson’s #130 Daily DFIR tweet mentioned something I think is interesting: He pointed out that there is a new version of Plaso out which by itself is good news but whats interesting is that they have now switched to libfsntfs for NTFS parsing. Why is that interesting? Every previous version of Plaso and DFVFS backed tools […]

Daily Blog: #699: Sunday Funday 5/10/20

Hello Reader.        We’ve bounced from Windows to OSX and around the cloud. What we haven’t done though is venture in the deep waters of Linux forensics. Today let’s help out our fellow examiners who are in the trenches with few landmarks to lead their way in the linux forensics wasteland with this weeks challenge focused on Auditd. […]

Daily Blog #698: Solution Saturday 5/9/20

Hello Reader,         It was week of returning champs coming to see who could win and this week that was Oleg Skulkin who did some solid work on updating a previous challenge on KnowledgeC. So congrats Oleg another win for the board! The Challenge:KnowledgeC on iOS is a jam packed knowledge resource, but on OSX it seems to […]

Daily Blog #697: Forensic Lunch 5/8/20 – Jack Farley, Josh Brunty, Kevin Pagano, Tom Pace, Jim Arnold

Hello Reader,        Another week of crisis times means another weekly Forensic Lunch! This week on the Forensic Lunch we had: Josh Brunty, @joshbrunty,  talking about his DFIR program at Marshall   https://www.marshall.edu/cyber/ Tom Pace of Blackberry Cyclance and Jim Arnold of KPMG talking about recent ransomware trends.  Kevin Pagano, @kevpagano3,  talking about his Sunday Funday and the Magnet Virtual CTF  Jack […]

Daily Blog #696: Free Autopsy Training

Hello Reader,       I know right now not everyone is heads down in DFIR investigations like we are. I know that we are fortunate to retain our jobs and keep doing the work we love. So for those of you who know individuals who are looking to transition into DFIR or those already in it who are looking to […]

Daily Blog #695: Magnet Virtual Summit CTF Live Commentary!

Hello Reader,      If your going to play the Magnet Virtual CTF or just want to watch as others do then join: Brian Moran – Famous social media influencer and well known campaign manager  Matthew Seyer – Master of rabbits, maker of beards and eater of tacos Myself As we provide live commentary digging deep into the questions, contestants […]

Daily Blog #694: AZCopy and SAS Tokens

Hello Reader,     If you read #DFIR twitter daily, I mean who doesn’t!, then you likely saw this post by Jordan Barth Let me explain what Jordan’s talking about and  why you should care if your doing DFIR in Azure.  Full disclosure Jordan is a fellow KPMGer and he knows his Azure. So first, AZCopy is an utility created by […]

Daily Blog #693: Patent Powered

Hello Reader,           Many years ago, seven to be precise, I wrote all the way back in Daily Blog #53 that we filed a patent on the idea behind anjp aka triforce. You can read that here: https://www.hecfblog.com/2013/08/daily-blog-53-triforce-is-now-patent.html Well, 7 years later in 2020 the patent got issued! You can read it here:http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PTXT&s1=cowen.INNM.&OS=IN/cowen&RS=IN/cowen  https://pdfpiw.uspto.gov/.piw?Docid=10628263&homeurl=http%3A%2F%2Fpatft.uspto.gov%2Fnetacgi%2Fnph-Parser%3FSect1%3DPTO2%2526Sect2%3DHITOFF%2526p%3D1%2526u%3D%25252Fnetahtml%25252FPTO%25252Fsearch-bool.html%2526r%3D1%2526f%3DG%2526l%3D50%2526co1%3DAND%2526d%3DPTXT%2526s1%3Dcowen.INNM.%2526OS%3DIN%2Fcowen%2526RS%3DIN%2Fcowen&PageNum=&Rtype=&SectionNum=&idkey=NONE&Input=View+first+page So there you go, it may have […]

Daily Blog #692:

Hello Reader,              Another week of fun and challenges! I’m really enjoying seeing all of you get into this and hope I find more time this week myself to do more testing. Let’s face it most of us are still at home, so why not turn some of your downtime into DFIR research time! This week we move over to MacOS […]

Daily Blog #691: Solution Saturday 5/2/20

Hello Reader,       This week an previous winner stepped up the challenge. Not only have they won a Sunday Funday before but they are also a Magnet DFIR CTF winner! This week Kevin Pagano stepped up and brought in the win with a good bit of research! The Question:Windows Timeline is an amazing source of user data, however like all things […]

Daily Blog #690: Forensic Lunch 5/1/20 – Oleg Skulkin (FeatureUsage), Brian Marks (Office 365) , Lee Whitfield (Forensic 4Cast Nomations)

Hello Reader,      This week the Forensic Lunch went into Overtime! We went a full 25 minutes over the usual hour because we had so much to talk about. On this weeks show: Matt Seyer (@forensic_matt) talked all about the etl parser and monitor he’s working on in Rust! https://github.com/forensicmatt/RsWindowsThingies Oleg Skulkin (@oskulkin) talked about how he approaches Sunday Funday’s (he’s […]

Daily Blog #689: Feature Usage from Oleg Skulkin

Hello Reader,       Tomorrow on the Forensic Lunch I’ve asked Oleg Skulkin to join. I mainly asked Oleg to join because he won last week’s Sunday Funday contest and this is a new thing I’m trying to start, having the prior winner to come on and talk about what they did in their research.  Well in the mean time […]

Daily Blog #688: How to make AWS EBS Direct Block API Events appear in Cloudtrail

Hello Reader,           If you read the previous post you would know that in my testing the with the AWS EBS Direct Block API I could not find any Cloudtrail logs written. Well John Lukach has taken up the task of figuring out how to solve this by creating a role that the python script can assume […]

Daily Blog #687: Forensic Lunch schedule for the next 4 weeks

Hello Reader,       Its taking some work but I’m lining up guests a month in advance now. Here is the schedule for the next four weeks so you can plan out what episodes you want to see Date Guest 1 Guest 2 Guest 3 Guest 4 5/1/2020 Brian Marks Lee Whitfield Oleg Skulkin 5/8/2020 Cylance/Jim Jack Farley w/ MEAT […]

Daily Blog #686: Want to be on the Forensic Lunch?

Hello Reader,         Now that the Forensic Lunch is weekly I’m trying to work extra hard to book guests in advance, which I maayyy have been lax about the last year or so. I’m now booked for the next 4 weeks but I’m looking to find new voices, new research and new cool stuff that the community at large wants to […]

Daily Blog #685: Sunday Funday 4/26/20

Hello Reader,       I hope your enjoying the return of these weekly challenges. I’ve enjoyed seeing more people understanding that there is so much we don’t know and how we together can push things forward. This week we will continue that effort with a change in focus, let’s talk about Windows Timeline before moving onto MacOS next week. The Prize:$100 Amazon […]

Daily Blog #684: Solution Saturday 4/25/20

Hello Reader,        Another week of competition is concluded and a victor has a emerged. This week we continued the video conferencing artifacts and Oleg Skulkin with his sheer persistence every week has pulled out the win! The Question: When looking at Zoom from a DFIR perspective: 1. Where are the artifacts? 2. What format are they in? […]

Daily Blog #683: Forensic Lunch 4/24/20 with the Google IR Team (GRR, Timesketch, Turbinia, DTTimewolf, More!)

Hello Reader,      We had a jam packed Forensic Lunch today with a portion of the Google IR team today talking all about the open source tools they develop, use and support in their work at Google. Specifically we had : Mikhail Bushkov giving a big update on GRR https://github.com/google/grr Johan Berggren (https://twitter.com/jberggren) and Kristinn Gudjonsson (https://twitter.com/el_killerdwarf) talking about […]

G-C Partners