Daily Blog #458: Object IDs

Hello Reader, In Hideaki Ihara’s blog post on the port139 blog, he talks about a subsystem that has been around for quite some time, the Distributed Link Tracking System, which allowed lnk files and other shell item structures to survive a file being renamed or moved prior to the inclusion of the MFT Reference numbers in Windows […]

Daily Blog #457: Sunday Funday 8/19/18

Hello Reader, Microsoft is also introducing subtle changes in Windows; sometimes they were always there but we just didn’t notice. Let’s see what you can determine in this week’s lnk file challenge. The Prize: $100 Amazon Giftcard. The Rules: You must post your answer before Friday 8/24/18 7PM CST (GMT -5). The most complete answer wins. You are allowed to edit your answer […]

Daily Blog #456: Solution Saturday 8/16/18

Hello Reader, This week Lodrina Cherne swooped in with some interesting research that went way beyond URL history. I think what Lodrina has submitted here is the base of some very interesting research that needs to be performed to find out more. I am happy to say I received more submissions this week but I would […]

Daily Blog #455: Perfect Score in the Defcon DFIR CTF

Hello Reader, This post serves to congratulate @gh0stp0p on achieving the first perfect score in the Defcon DFIR CTF! She has not only won the admiration of her peers but also a license of Forensic Email Collector. For those still wanting to play, or still playing, we will leave the CTF up for at least a month before […]

Daily Blog #854: SQLite Write Ahead Logs and Python

Hello Reader, If you haven’t already done so, check out this blog post from Malware Maloney: In it, not only does the author show how to create a new query for pulling messages from the database, he also extended a SQLite Python library to correctly decode the write ahead log of the SQLite database that stores the […]

Daily Blog #453: Winners of the Unofficial Defcon DFIR CTF

Hello Reader, I realized that while I posted this on Twitter I did not share this on the blog, which is the more permanent record of things. First, this year’s Defcon DFIR CTF was sponsored by: SANS – Donating 1st prize access to DFIR Netwars Continuous for a year and Lego minifigs. Also if you were in the […]

Daily Blog #452: Dealing with deleted shadow copies

Hello Reader, For those of you who use libvshadow you may have noticed that it shows deleted shadow copies but does not differentiate between active and deleted shadow copies. This can be an issue as parts of the deleted shadow copies could be overwritten, leading to strange results. Looks like two researchers out of Japan are attempting to […]

Daily Blog #451: Defcon DFIR CTF 2018 Open to the Public

Hello Reader, This year at Defcon we made things interesting with a challenge that involves making your way through 3 images to answer questions and solve a case. Now that Defcon is over and the winners awarded it’s your turn to give the challenge a try. The first image password is ‘tacoproblems’. CTF Site: Download […]

Daily Blog #450: Sunday Funday 8/12/18

Hello Reader, Defcon is over and with it our CTF. For this week’s challenge let’s look at some browser forensics artifacts that could be helpful to you when I open up the forensic CTF to the public tomorrow. The Prize: $100 Amazon Giftcard. The Rules: You must post your answer before Friday 8/17/18 7PM CST (GMT -5). The most […]

Daily Blog #449: Solution Saturday

Hello Reader, Another week, another winning answer by Adam Harrison! The CTF is ending in an hour and I look forward to seeing how this all shakes out. The Challenge: Name all of the Windows and OSX artifacts you would examine to determine if Anti Forensics tools have been executed. The Winning Answer: The majority of Anti-Forensic tools are just […]

Daily Blog #448: Defcon DFIR CTF update

Hello Reader, Another late post after a long day in Vegas. We launched the CTF today and already have a fight for the top 3 spots. As more people get the evidence I’m expecting it to get really interesting. We initially planned to do a live stream today but spent most of the day finishing the last questions […]

Daily Blog #447: Defcon 2018 Forensic CTF

Hello Reader, Just a reminder that the CTF starts tomorrow afternoon. If you are in Vegas and have not signed up yet, here is the link: Prizes: 1st. DFIR Netwars Continuous for a year from SANS and Lego mini fig. 2nd. Magnet prize loaded backpack, Lego mini fig and license of Forensic Email Collector. 3rd. Blackbag prize pack. It’s not too late to sign […]

Daily Blog #446: Sparse image blues

Hello Reader, A quick one before I fall asleep after a long day of CTF prep and Vegas fun. If you are using the F-Response imager to capture a full disk, be aware that it seems to default to a sparse image format and leaves out shadow copies. However, imaging the same F-Response mounted image with another tool will […]

Daily Blog #445: F-Response and the Cloud

Hello Reader, Today I’m sharing a lesson I learned from acquiring systems in the cloud from another cloud hosted system in the same provider. I was adding the agents and getting ready to acquire the systems, but they kept dropping off the F-Response management list of subjects. I was quite confused, I checked the network and […]

Daily Blog #444: Sunday Funday 8/5/18

Hello Reader, Thank you for all of the responses in the blog comments, on Twitter and on LinkedIn to my question regarding Anti Forensics tools used in the wild. It was great to expand everyone’s knowledge of what tools to look for and make a list of those I need to test to see what traces […]

Daily Blog #443: Solution Saturday 8/4/18

Hello Reader, Another week where Adam Harrison has again dominated the entries. For those of you thinking about trying out next week’s contest, don’t be deterred. You too can be a winner with just some basic effort and some good documentation skills! The Challenge: Windows 10 keeps changing and with it its behavior. In Windows 8.1 and […]

Daily Blog #442: Anti Forensic Tools in the wild

Hello Reader, Today I have a question for you. In my work I’ve encountered tools that my suspects have used to clean or wipe their system. However, I’m wondering what others are out there that I haven’t seen yet. So here is my list: CCleaner, Evidence Eliminator, System Soap, PC Optimizer Pro, BCWipe, Eraser, Sdelete. What additional wipers […]

Daily Blog #441: Changes in Windows 10

Hello Reader, One of the problems we are having recently in Windows 10 forensics is that what would previously be identified with a major service pack version or a new version of Windows is now being marked as a feature release. These releases are changing the behaviors we rely on in forensics and we are going […]

Daily Blog #440: Windows 10 Notifications Database

Hello Reader, I had stopped thinking about the Windows 10 notifications database since I last saw Yogesh Khatri’s blog post about it here. I was reviewing a file list produced by an opposing party in a litigation we are working and suddenly saw a directory full of notification images and got curious again. Since Yogesh first blogged about it the […]

Daily Blog #439: Jumplist maximum storage

Hello Reader, There is some interesting testing going on with shell item storage. The quirks of lnk file naming and storage by extension are surprising and need more testing before they are documented. Something that has been tested though is how many items a jumplist will store. When Eric Zimmerman was first writing Jumplist Explorer we were […]

G-C Partners