Blog

Daily Blog #515: Asking for your input regarding future testing

Hello Reader, I’m not doing a test kitchen tonight. However, I thought I would take this opportunity to ask you, dear reader, what you want to see tested. Currently my plan is to: finish testing ObjectIDs; finish the BitLocker update test; continue testing extended MAPI data; test more attacker tools and deep dive […]

Daily Blog #514: Sunday Funday 10/21/18

Hello Reader, Adam Harrison returned this week to reclaim the prize, but every week is a new week and a new challenge. This week we are mixing things up, both in the test kitchen, where we are focusing on traces left behind by popular pentest tools, and in the Sunday Funday challenges too. I focus on a lot of […]

Daily Blog #513: solution Saturday 10/20/18

Hello Reader, While this week’s winning answer did not directly answer the challenge asked, it is the most complete and fills in some much needed knowledge. Congratulations to returning Sunday Funday champion Adam Harrison for this week’s answer. The Challenge: What artifacts of execution exist on a Windows Server 2008+ that do not exist on Windows 7+? In […]

Daily Blog #512: Forensic Lunch Test Kitchen 10/19/18

Hello Reader, Another test kitchen on the books! Tonight we took a break from ObjectIDs and took a look at something I’ve been wanting to test for a while: SMB brute-forcing tools. We ran a couple of SMB brute-forcing tools (Hydra, Medusa, Ncrack, Nmap’s SMB login script, Metasploit’s smb_login module, and Patator) and then went into the Windows […]

Daily Blog #511: Forensic Lunch Test Kitchen 10/18/18

Hello Reader, Back to the test kitchen tonight! While tonight’s broadcast was later than normal (I showed the kids the first episode of the new Doctor Who season), we did get some good testing done. Tonight we tested my theory of what was recoverable from an external drive formatted NTFS in regards to ObjectIDs. The […]

Daily Blog #510: Office 2016 Backstage Artifacts

Hello Reader, New versions of software often bring new artifacts, and Office 2016 is no exception. We were working an investigation when we found directory paths that no longer exist on the disk under a directory called ‘Users\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache’. Underneath that directory you will find a series of directories for each of the storage locations the user could save […]

Daily Blog #509: ObjectIDs and Domains

Hello Reader, Well, YouTube was down for a while tonight, and at this point I’ll need to get to bed before I could finish a test kitchen broadcast (if it would even work tonight!). So instead I decided to follow up on a question by Dr. Joe Sylve, who asked in last night’s Test Kitchen if […]

Daily Blog #508: Forensic Lunch Test Kitchen 10/15/18

Hello Reader, Tonight Matt Seyer virtually joined me for another test kitchen! We decided to examine the ObjectID index to determine what is really happening when a file is deleted and its ObjectID index entry is deleted. Matt presented his theory, Dr. Sylve contributed what he knew, and the rest was solved with testing, TSK utilities, […]

Daily Blog #507: Sunday Funday 10/14/18

Hello Reader, The weeks have gone by quickly with nightly testing videos and weekly challenges. The schedule typically works well for me, as on weekend nights I have less time to do testing because I’m spending more time with my family. Let’s see how you’ll be spending your week with this week’s challenge. The Prize: $100 Amazon Gift Card. The Rules: […]

Daily Blog #506: Solution Saturday 10/13/18

Hello Reader, This week there were no qualifying submissions. As a reminder, this was the challenge: The Challenge: The TypedPaths key, as we have seen, is recreated each time File Explorer exits. What other artifacts could we use to replace the data that we would have found there? I’ll have to address the answer in a blog […]

Daily Blog #505: Forensic Lunch Test Kitchen 10/12/18

Hello Reader, A shorter test kitchen tonight, mainly because the answer came much quicker than I expected, but only in part. Tonight we deleted files from the command line and the GUI to see what effect deleting them would have on the ObjectID Index found at /$Extend/$ObjID:$O. I used the updated $O parser from Matt […]

Daily Blog #504: Forensic Lunch Test Kitchen 10/11/18

Hello Reader, Tonight we had what I think is a very exciting broadcast of the Forensic Lunch. When discussing on Twitter whether or not an ObjectID would be created when a file is accessed over a network share, DR Joe Sylve (watch the video to see why I capitalized doctor) hypothesized that it would not, while […]

Daily Blog #503: Forensic Lunch Test Kitchen 10/10/18

Hello Reader, We had a long night in this session of the test kitchen, mainly because I was trying to debug making changes to Maxim Suhanov’s yarp-timeline script without an IDE to help me find my dumb mistakes. In the end, though, we were able to find and display all of the transition states within the transaction […]

Daily Blog #502: Forensic Lunch Test Kitchen 10/9/18

Hello Reader, Another night of testing on the test kitchen! This evening we revisited the TypedPaths key and registry transaction logs, as Maxim Suhanov pointed out that I did not wait a full 60 seconds; instead I just let the clock roll over to the next minute. The timing is important, as transaction logs are written to […]

Daily Blog #501: Forensic Lunch Test Kitchen 10/8/18

Hello Reader, It’s Monday and it’s time for another test kitchen! Tonight I tested Maxim Suhanov’s assertion that waiting 60 seconds would allow the changes I made to the registry by closing File Explorer to be written to the transaction logs. So I did that test and even waited two minutes prior to exiting. […]

Daily Blog #500: Sunday Funday 10/7/18

Hello Reader, This is the 500th Daily Blog! It also just so happens to land on a Sunday Funday challenge, which means this one must be special… even if it isn’t. We’ve looked into a lot of topics these last couple of weeks; let’s see if you’ve been paying attention. The Prize: $100 Amazon Gift Card. The Rules: You […]

Daily Blog #499: Solution Saturday

Hello Reader, This week Kevin Pagano grabbed the win with a nice primer on registry monitoring. I’m looking forward to testing more registry monitoring tools next week and trying out Maxim Suhanov’s suggestion of waiting 30 seconds for transactions to be written. The Challenge: How would you monitor/record changes to registry keys? What could you do to get more […]

Daily Blog #498: Forensic Lunch 10/5/18

Hello Reader, We had a Forensic Lunch today! Matthew and I talked with all of you about: the state of the DFIR conference circuit with what we are told is the end of Enfuse (from what we’ve been told, Enfuse is being moved into the OpenText conference); what other DFIR conferences exist; the idea of going […]

Daily Blog #497: Forensic Lunch Test Kitchen 10/4/18

Hello Reader, Another test kitchen! Tonight we went back to the TypedPaths overwrite mystery while Matthew finishes his $OBJID:$O parser to show tomorrow on the Forensic Lunch. We got YARP installed on our Windows 10 test VM and performed the same test of opening multiple File Explorer windows, going to unique paths, and watching the TypedPaths key […]

Daily Blog #496: Forensic Lunch Test Kitchen 10/3/18

Hello Reader, Today we come close to a conclusion on our exploration of ObjectIDs within the MFT. We went in and both extracted MFT attributes with pytsk and ran/validated the same information with MFTECmd to determine why we had duplicate ObjectIDs in our file system. We learned that: duplicate ObjectIDs appear to happen in hard links […]

G-C Partners