Blog

Contents in sparse mirror may be smaller than they appear

By Matthew Seyer. As many of you know, David Cowen and I are huge fans of file system journals! This love also includes all change journals designed by operating systems such as FSEvents and the $UsnJrnl:$J. We have spent much of our dev time writing tools to parse the journals. Needless to say, we have lots of experience with file […]

Forensic Lunch with Paul Shomo, Matt Bromiley, Phil Hagen, Lee Whitfield and David Cowen

Hello Reader, It’s been a while since I’ve cross-posted that the videocast/podcast went up. We had a pretty great forensic lunch with lots of details about programs that are relevant for everyone from academic students in forensics to serious artifact hunters. Here are the show notes: Paul Shomo comes on to talk about Guidance Software’s new Forensic Artifact Research […]

Windows, Now with built in anti forensics!

Hello Reader, If you’ve been using a tool to parse external storage devices that relies on USB, USBStor, WPDBUSENUM or STORAGE as its primary key for finding all external devices, you might be being tricked by Windows. Windows has been doing something new (to me at least) that I first observed in the […]

DFIR Exposed #1: The crime of silence

Hello Reader, I’ve often been told I should commit to writing some of the stories of the cases we’ve worked so as not to forget them. I’ve been told that I should write a book of them, and maybe some day I will. Until then I wanted to share some of the cases we’ve worked where things went […]

SOPs in DFIR

Hello Reader, It’s been a while! Sorry I haven’t written sooner. Things are great here at camp, aka G-C Partners, where the nerds run the show. 2 years ago or so I got lucky enough to work with one of our favorite customers in generating some standard operating procedures for their DFIR lab. While we list forensic lab consulting as a service […]

Building your own travel sized virtual lab with ESXi and the Intel SkullCanyon NUC

Hello Reader, It’s been a while and I know that; sorry for not writing sooner, but to quote Ferris Bueller: “Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.” So while I’ve worked on a variety of cases, projects and new artifacts to share, I’ve neglected the […]

Daily Blog #381 National CCDC Redteam Debrief

Hello Reader, The 11th year of the National Collegiate Cyber Defense Competition has ended; congratulations to the University of Central Florida for their third consecutive win. I hope you make it back next year for another test of your school’s program and ability to transfer knowledge to new generations of blue teams. If you want to show your […]

Daily Blog #380: National CCDC 2016

Hello Reader, I’m in San Antonio for the National Collegiate Cyber Defense Competition, which starts at 10am CST 4/22/16. If you didn’t know, I lead the red team here at Nationals, where the top 10 college teams in the country come and find out who does the best job defending their network while completing business objectives. I’m […]

Daily Blog #379: Automating DFIR with dfVFS part 6

Hello Reader, It’s time to continue our series by iterating through all the partitions within a disk or image, instead of just hard coding the one. To start with you’ll need another image, one that not only has more than one partition but also has shadow copies for us to interact with next. You can download the […]

Daily Blog #378: Automating DFIR with dfVFS part 5

Hello Reader, Wondering where yesterday’s post is? Well, there was no winner of last weekend’s Sunday Funday. That’s ok though, because I am going to post the same challenge this Sunday so you have a whole week to figure it out! — Now back to our regularly scheduled series — I use Komodo from […]

Daily Blog #377: Sunday Funday 4/17/16

Hello Reader, If you have been following the blog the last two weeks you would have seen it’s been all about dfVFS. Phil aka Random Access posted something I was thinking about on his blog, https://thisweekin4n6.wordpress.com, that I thought was worthy of a Sunday Funday challenge. In short, Phil saw that I posted a video […]

Daily Blog #376: Saturday Reading 4/16/16

Hello Reader, It’s Saturday! Soccer games, birthday parties and forensics, oh my! That is my weekend, how’s yours? If it’s raining where you are and the kids are going nuts, here are some good links to distract you. 1. Didier Stevens posted an index of all the posts he’s made in March, https://blog.didierstevens.com/2016/04/17/overview-of-content-published-in-march/. If you are at […]

Daily Blog #375: Video Blog showing how to verify and test your dfVFS install

Hello Reader, This is a first for me: I’ve created a video blog today to show how to verify and test that your dfVFS installation was successful in Windows. If you want to show your support for my efforts, there is an easy way to do that. Vote for me for Digital Forensic Investigator of the Year […]

Daily Blog #374: Automating DFIR with dfVFS part 4

Hello Reader, In our last entry in this series we took our partition listing script and added support for raw images. Now our simple script should be able to work with forensic images, virtual disks, raw images and live disks. If you want to show your support for my efforts, there is an easy way […]

Daily Blog #373: Automating DFIR with dfVFS part 3

Hello Reader, In our last post I expanded on the concept of path specification objects. Now let’s expand the support of our dfVFS code to go beyond just forensic images and known virtual drives to live disks and raw images. Why is this not supported with the same function call, you ask? Live disks and raw […]

Daily Blog #372: Automating DFIR with dfVFS part 2

Hello Reader, In this short post I want to get more into the idea of the path specification object we made in the prior part. If this post had a catchy title it would be Zen and the Art of Path Specification. In the prior post, part 1 of the series, we made three path specification objects. […]

Daily Blog #371: Sunday Funday 4/10/16 Winner!

Hello Reader, Another challenge has been answered by you, the readership. This week our anonymous winner claims a $200 Amazon Gift card for showing what the impact of installing and running PowerForensics is. You too can join the ranks of Sunday Funday winners, and I think I’m going to do something special for all past and […]

Daily Blog #370: Sunday Funday 4/10/16

Hello Reader, If you watched the Forensic Lunch Friday you would have heard us talking to Jared Atkinson about PowerForensics, his DFIR framework all written in PowerShell. Let’s see what your determination of its forensic soundness is in this week’s Sunday Funday challenge. The Prize: $200 Amazon Gift card. The Rules: You must post your answer before Monday […]

Daily Blog #369: Saturday Reading 4/9/16

Hello Reader, It’s Saturday! I’m excited to post my first Saturday Reading in almost two years! While I get to work on seeing what’s changed in the world of RSS feeds and Twitter tags since I last did this, here is this week’s Saturday Reading! 1. We had a great forensic lunch this week. We had Jared […]

Daily Blog #368: Forensic Lunch 4/8/16 with Jared Atkinson talking about Forensics with Powershell

Hello Reader, What a great Forensic Lunch today with Jared Atkinson talking all about how to do forensics on a live system or mounted image with his PowerShell framework PowerForensics. You can grab your own copy of PowerForensics on GitHub here: https://github.com/Invoke-IR/PowerForensics. Read his blog here: www.invoke-ir.com. Vote for him in the Forensic4Cast Awards here: https://forensic4cast.com/forensic-4cast-awards/. Reminder: I’m up for voting […]

G-C Partners