
Daily Blog #649: How to pick something to test

Hello Reader, One of the questions I get asked on a semi-regular basis is, how do I pick what to test/research? The answer is simpler than you would expect. Selection pool: I look at an interaction I just experienced while using the operating system; I think about an artifact I don’t feel I fully understand […]

Daily Blog #648: How to stream your own test kitchen

Hello Reader, As I prepare to get the test kitchen back in service I thought I’d share what I use, for others who are looking to do the same. I got this idea after this tweet from Gerald Davis. So here is my setup: Hardware: I have a Windows 10 desktop with an Nvidia GTX 980, an i7 processor […]

Daily Blog #647: Windows Forensics in San Diego

Hello Reader, Looks like I’ll be heading to sunny San Diego, California to teach SANS FOR500: Windows Forensics this May 9, 2019. The event is called Security West and it’s one of the bigger SANS events of the year. If you wanted to learn Windows Forensics, see San Diego, and see some great […]

Daily Blog #646: Sunday Funday 3/17/19

Hello Reader, I always appreciate it when people spend their time researching rather than doing other fun things, like playing video games or reading a non-technical book. When we share what we know, even if we don’t know everything about something, it helps someone else leapfrog forward and learn more. This week let’s […]

Daily Blog #645: Solution Saturday 3/16/19

Hello Reader, Spring break is ending, which means kids are going back to school soon and I’ll be back on track with blogging. Here is this week’s winner! The Challenge: Name and describe all of the available forensic data sources provided by Amazon AWS for EC2. The Winning Answer: Jonathan Yan. CloudTrail Logs: CloudTrail is an audit log that is […]

Daily Blog #644: Creating decrypted images of APFS file systems encrypted with T2 chips with MacQuisition

Hello Reader, Dealing with T2 chips on recent-model MacBooks has been a real pain point for us in the lab, so I was very, very happy to read that BlackBag (thanks Joe and Vico!) has figured out how to transparently decrypt the physical blocks of a drive being managed by a T2 chip at imaging […]

Daily Blog #643: Sunday Funday 3/10/19

Hello Reader, On this blog we focus on a lot of host-related issues, but the world is no longer confined to single on-premises hosts. This week let’s set our challenge sights to the skies and start seeing what you can research about … the cloud. The Prize: $100 Amazon Gift Card. The Rules: You must post your […]

Daily Blog #642: Solution Saturday 3/9/19

Hello Reader, I love weeks when we get to crown new winners. Tun is not new to DFIR, you may have seen his tweets before, but he is new to the Sunday Funday winners circle. Tun did some great testing which he documented below specifically for OSX. Give his work a look and join me in congratulating Tun […]

Daily Blog #641: Forensic Lunch 3/8/19 Eric Zimmerman Lee Whitfield

Hello Reader, Today the Forensic Lunch returned! This week we had: Eric Zimmerman talking about KAPE: how KAPE works, how you can use it, how to automate it, and how you can extend it. Lee Whitfield went through all of the nomination categories for this year’s Forensic 4Cast awards. We also covered the rules of nominating people! […]

Daily Blog #640: Regipy – A new Python Windows registry forensics library

Hello Reader, As I was talking about in #638, I believe automation in DFIR is a big part of our future, with the idea of automating the extraction and basic correlation of data so that a human can use their brain. As we work towards that I’m always looking for new libraries that can support that effort, […]

Daily Blog #639: DFRWS CFP and CFT

Hello Reader, Want an excuse to escape your summer weather for the wonders of the Pacific Northwest? Well, DFRWS, the academic/practitioner conference where new and interesting ideas are always heard first, is coming to Portland, Oregon this July 14-17. Matt and I went to DFRWS when it was in Austin two years ago and came away […]

Daily Blog #638: Kape and Forensic Lunch

Hello Reader, If you haven’t already, you should check out KAPE: https://www.kroll.com/en/insights/publications/cyber/exploring-kapes-graphical-user-interface KAPE is what I assume is the first step in a DFIR automation pipeline that most of the large consulting companies, and many of the large internal DFIR organizations, have built. KAPE solves the need for building a flexible triage tool that will extract data from live […]

Daily Blog #637: Forensic 4Cast Award Nominations 2019

Hello Reader, It’s that time of year again, time for you to submit your nominations for the Forensic 4Cast awards! If you are not familiar with the awards or the process, let me break it down for you. The Forensic 4Cast awards themselves are currently the only community-driven, DFIR-focused awards we have. The nominations […]

Daily Blog #636: Sunday Funday 3/3/19

Hello Reader, Let’s see if we can keep your OSX skills sharp. This time it’s an artifact that spans iOS and OSX; get your SQLite database skills ready for this week’s challenge. The Prize: $100 Amazon Gift Card. The Rules: You must post your answer before Friday 3/8/19 7PM CST (GMT -5). The most complete answer wins. You are allowed […]

Daily Blog #635: Solution Saturday 3/2/19

Hello Reader, This week we have a new winner entering the challenge! Please congratulate Amy Francis for her winning answer! The Challenge: On OSX Mojave, list all of the plists that would record a file being interacted with. The Winning Answer: Amy Francis. My answer for the challenge: On OSX Mojave list all of the plists that would record a file […]

Daily Blog #634: AWS GuardDuty false positives

Hello Reader, This is another post that I’m making in the hopes that someone who is searching for this will find it and get their answer. Do you have VMs running in AWS? Do you have Amazon GuardDuty running? Did you just get an alert that claimed your VM is originating an external connection to an external […]

Daily Blog #633: Things you can’t find in G Suite logs for $100

Hello Reader, I was working a case recently where an ex-employee was believed to have retained a company’s data. They informed me that they found evidence the ex-employee had downloaded their Google mail, calendar and drive, but couldn’t at the time explain how they knew that. So, like any investigator would/should, I requested and […]

Daily Blog #632: Using Elcomsoft iOS Toolkit on an iPhone with iOS 12.1

Hello Reader, Kevin Stokes is the mobile forensics champion in our offices at G-C Partners. When we got a copy of the new Elcomsoft iOS toolkit, it was Kevin who went to work to test it out and understand what it was capable of. Kevin was nice enough to write up a quick guide to […]

Daily Blog #631: Elcomsoft iOS Toolkit and iOS 12

Hello Reader, If you haven’t already heard, Elcomsoft updated their iOS Forensic Toolkit recently; you can check it out here: https://www.elcomsoft.com/eift.html. We got a license and tested it out, and what we found is that: A. It does not ship with any rootless jailbreaks. B. It does not automate the process of installing rootless jailbreaks. C. It does not do […]

Daily Blog #630: Sunday Funday 2/24/19

Hello Reader, Last week’s challenge went unanswered, but I know there is a movement towards Mac forensics slowly building in the world. Though most of us are still focused on Windows or Mobile in our daily DFIR endeavors, don’t let your Mac skills fall by the wayside when you most need them… in the event […]

G-C Partners