Blog

Daily Blog #403: Sunday Funday 6/24/18

Hello Reader, Thanks to your great submissions last week I had a really tough time picking a winner. In the end the community as a whole has benefited from your research. You will have five days to try to complete this challenge now that answers are not due till Friday. Send in your answer as you have it and […]

Daily Blog #402: Solution Saturday 6/23/18

Hello Reader, This week was really tough as I got a lot of really good submissions. In the end the winning submission from Phil Moore was selected because, much like the other submissions that made it to the final round of consideration, he listed which apps he tested that contained Zone.Identifiers and what different data points they contained. But Phil […]
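The contest above turned on which applications write a Zone.Identifier alternate data stream and which keys they put in it. The following parser is an added example for this page, not code from the post or from any contest entry. It reads the INI-style stream body, tolerating a BOM, CRLF endings and '=' characters inside URL values, and reports the keys each sample carries; the three sample streams are constructed, not captured, and the `read_zone_identifier` helper relies on Python's `open()` accepting the `file:stream` syntax on NTFS, so it returns None elsewhere.

```python
"""Parse the Zone.Identifier alternate data stream ("Mark of the Web").

Added example for this page, not code from the post or its contest entries.
The sample streams below are constructed to show the variation the post
describes: different writers emit different keys.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows URL security zone numbers as used in the ZoneId value.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class ZoneIdentifier:
    zone_id: Optional[int]
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def zone_name(self) -> str:
        if self.zone_id is None:
            return "Missing"
        return ZONE_NAMES.get(self.zone_id, "Unknown")


def parse_zone_identifier(raw: bytes) -> ZoneIdentifier:
    """Parse the INI-style stream body into a ZoneIdentifier.

    Tolerates a UTF-8 BOM, CRLF or LF endings, blank lines, ';' comments and
    '=' inside URL values; keys outside [ZoneTransfer] are ignored.
    """
    text = raw.decode("utf-8-sig", errors="replace")  # utf-8-sig drops a BOM
    fields: Dict[str, str] = {}
    in_zone_transfer = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_zone_transfer = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if not in_zone_transfer:
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep:
            continue
        fields[key.strip()] = value.strip()
    zone_id = None
    if fields.get("ZoneId", "").isdigit():
        zone_id = int(fields["ZoneId"])
    return ZoneIdentifier(zone_id, fields)


def read_zone_identifier(path: str) -> Optional[ZoneIdentifier]:
    """Read the stream from a file on an NTFS volume (Windows only).

    Python's open() accepts the 'file:stream' syntax there; on other platforms,
    or when the file has no such stream, this returns None.
    """
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def data_points(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each sample name to the sorted list of keys its stream carries."""
    return {name: sorted(parse_zone_identifier(raw).fields) for name, raw in samples.items()}


# Constructed samples (not real captures) showing three writer styles.
SAMPLES = {
    "browser_download": (
        b"[ZoneTransfer]\r\nZoneId=3\r\n"
        b"ReferrerUrl=https://example.test/downloads?id=42\r\n"
        b"HostUrl=https://cdn.example.test/tool.exe\r\n"
    ),
    "minimal_with_bom": b"\xef\xbb\xbf[ZoneTransfer]\nZoneId=3\n",
    "unrelated_section": b"[Other]\nZoneId=4\n[ZoneTransfer]\nZoneId=2\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        zi = parse_zone_identifier(raw)
        print(f"{name}: zone={zi.zone_id} ({zi.zone_name}) keys={sorted(zi.fields)}")
```

Run it as a script to see which keys each constructed sample carries, or call `read_zone_identifier(path)` on a downloaded file on Windows; comparing the returned `fields` across files written by different applications is the same exercise the contest asked for.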

Daily Blog #401: Magnet User Summit CTF is now open to the public

Hello Reader, Yesterday we released the evidence files, and today, since I am on a train going to Canberra at the moment and can’t exactly record a Test Kitchen and subject a train full of people to that, I am opening up the CTF site for public access. Go here: https://magnetctf.ctfd.io/challenges Register a team and start submitting! Have fun!

Daily Blog #400 – Forensic challenge image for the Magnet User Summit

Hello Reader, If you watched last Friday’s Forensic Lunch you would have heard that we are releasing the forensic image we used for the Magnet User Summit challenge so you can try it for yourself. Here is a Dropbox link to the images: https://www.dropbox.com/sh/85v4wsawyijxd9r/AAAa75lptg8oF0tpO2zPnXSna?dl=0 Download the images and we are going to work on getting the scoreboard open so you […]

Daily Blog #399: Exploring Extended MAPI part 10

Hello Reader, In yesterday’s post (I’m in the middle of a 37 hour journey to Sydney so it’s all a blur to me) we talked about the ClientInfo property within the extended MAPI data. I was talking about how this property could be found in sent messages but didn’t consider that MAPI data from a sender would be carried over […]

Daily Blog #398: Exploring Extended MAPI part 9

Hello Reader, As I write this I’m flying over Canada and on my way to Sydney via Dubai. Satellite inflight internet really is an amazing thing! In this post I was going to talk about what was set on the message I forwarded and received yesterday, but as I was looking at the extended MAPI fields in OutlookSpy I noticed […]

Daily Blog #397: Exploring Extended MAPI part 8

Hello Reader, In this post I wanted to look at more actions and their effect on Extended MAPI. Today I’m looking at what a forward does to a message. After forwarding the message you can see that within Outlook it is notifying me that the message was forwarded and when. This data we know is stored in the PR_LAST_VERB_EXECUTED extended […]

Daily Blog #396: Sunday Funday 6/17/18

Hello Reader, We had a large number of great submissions last week and I hope we continue that trend this week! You will have five days to try to complete this challenge now that answers are not due till Friday. Send in your answer as you have it and you are allowed to update your submission if you find […]

Daily Blog #395: Solution Saturday 6/16/18

Hello Reader, Well, this week’s challenge had a lot of submissions! It was very tough picking a winner, but as the rules state the most complete answer wins. When it comes to complete answers this week, Kevin Pagano did the most testing of extended MAPI attributes in his testing, with screenshots and a follow-up email to fill in even […]

Daily Blog #394: Forensic Lunch 6/15/18

Hello Reader, Today we had another episode of the Forensic Lunch! This week Matthew and I talked to Jaco_ZA about the Magnet User Summit CTF he won and we created. Watch below to see how Jaco approached the problems and ultimately clutched victory with seconds left! If you are interested in playing our next CTF […]

Daily Blog #393: Exploring Extended MAPI part 7

Hello Reader, I’ve been wondering in the last several posts about what happens to exported messages when different users edit the message. I finally got a chance to test this today and document my results here. To do this I exported a message from my SANS FOR500 instructor laptop on to a USB external storage device. Once I exported the […]

Daily Blog #392: Exploring Extended MAPI part 6

Hello Reader, I will continue my testing next week with multiple user accounts modifying a message, but one thing has caught my attention. I have noticed that, for Office 365 at least, the X-Originating-IP header has returned and is also present in the Extended MAPI data. As seen below in the test message I have been working with and replying to […]

Daily Blog #391: Exploring Extended MAPI part 5

Hello Reader, In the prior post we went through what dates were preserved when a message was exported out of a mailbox and into a PST. I put forth the question to myself: what would happen if I then took that exported message and copied it to another volume, what would change within the message? I copied the MSG file […]

Daily Blog #390: Exploring Extended MAPI part 4

Hello Reader, In our last post in this series we looked at how to find the raw values that make up the Extended MAPI we found within Outlook Spy. In order to get this data we had to export the message out of Outlook and into an MSG file on my desktop. I had to do this to get […]

Daily Blog #389: Sunday Funday 6/10/18

Hello Reader, Another week begins and with it comes a new challenge. You will have five days to try to complete this challenge now that answers are not due till Friday. Send in your answer as you have it and you are allowed to update your submission if you find new information. This week we’ve been talking about Extended […]

Daily Blog #388: Solution Saturday 6/9/18

Hello Reader, It’s Saturday, and based on the new blog schedule that means it’s Solution Saturday, where we reveal the winner of the week’s Sunday Funday contest. I wanted to try this new format to give people more time to participate in the challenges, and while I saw a lot of people viewing and discussing the challenge I actually only received […]

Daily Blog #387: Forensic Lunch 6/8/18 live from the DFIR Summit

Hello Reader, It’s Friday, which means I’m either posting a Forensic Lunch or a Test Kitchen video. This week it’s a Forensic Lunch we recorded live from the DFIR Summit. I apologize for the background audio, but hopefully you’ll find this rundown of what to expect from the talks that are being uploaded from the DFIR Summit to YouTube useful! On […]

ETW Event Tracing for Windows and ETL Files

By Nicole Ibrahim. Hello reader, Looking for a “new” Windows artifact that is currently being under-utilized and contains a wealth of information? Event Tracing for Windows (ETW) and Event Trace Logs (ETL) may be your answer. There’s nothing new about them. They have existed for quite some time. However, their use from a forensics standpoint has been lacking. […]

Daily Blog #386: Exploring Extended MAPI Part 3

Hello Reader, In the prior post, with the help of an Outlook plugin, we examined the value of a single Extended MAPI property. Now that’s great for my testing, but what if in your work you need to prove that value exists within the structure and validate the tool’s output? I thought before we continued on our journey into Outlook/Exchange […]

Daily Blog #385: Exploring Extended MAPI Part 2

Hello Reader, In the last post in this series we discussed the Extended MAPI data resident within Outlook and Exchange messages. In this post we will look at what within the Extended MAPI data changes when a user marks the message as unread but performs no other action against it. First I made a new message […]

G-C Partners