Blog

Daily Blog #606: Elcomsoft blog about Factory Access Mode

Hello Reader, I know this came out a week ago but I don't think I wrote about it. I found this article written by Elcomsoft employee Oleg Afonin to be fascinating! Oleg is writing all about how to get an SSD drive into factory access mode, allowing an examiner to get access to all the data […]

Daily Blog #605: CTI Summit 2019

Hello Reader, Between calls and work I got to watch some of the CTI Summit this week in DC prior to my class that starts tomorrow. I will admit that I look at CTI mainly from the outside, trying to understand how it really works and what is real vs marketing. Prior to the CTI […]

Daily Blog #604: New Amcache Research Paper you really should read

Hello Reader, If you've been following the blog and the test kitchens you would have seen that both myself and Maxim Suhanov have been testing and talking a lot about the Amcache, which led to our findings about the Syscache hive. Well, it looks like we are not alone in our quest to truly understand this artifact, since Blanche […]

Daily Blog #603: Sunday Funday 1/20/19

Hello Reader, Last week's challenge brought out some great research and new tools. I hope that this streak of great responses continues through 2019! Let's switch focus back to the Syscache hive for this week's challenge. The Prize: $100 Amazon Gift Card. The Rules: You must post your answer before Friday 1/25/19 7PM CST (GMT -5). The most […]

Daily Blog #602: Solution Saturday 1/19/19

Hello Reader, This week's challenge has an interesting twist: I have two answers but neither was submitted before the deadline. So I thought I would post the two answers for everyone's benefit so it's not lost to the Twitter timeline. The Challenge: In Windows 10, what behavior appears to determine if a program will show up in […]

Daily Blog #601: Live registry triage and testing

Hello Reader, Well, I attempted to do a test kitchen tonight but VMware Workstation didn't want to cooperate. What I wanted to show is summarized in the below blog post from Eric Zimmerman: https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html Eric has added the ability for his registry tools and MFT Explorer to be able to access the locked live files […]

Daily Blog #600: Windows 10 Search Artifacts are going to change again

Hello Reader, I saw this article over on The Verge: https://www.theverge.com/2019/1/16/18185490/microsoft-cortana-windows-10-search-changes In this article they describe how Cortana is going to be separated from the search function. Currently we find the Windows 10 search artifacts in the NTUSER registry under Software\Microsoft\Windows\CurrentVersion\Search. So keep an eye out for this change as we expect changes in […]

Daily Blog #599: Forensic Lunch Test Kitchen 1/16/19 Syscache Server 2008 R2 Mimikatz

Hello Reader, Tonight we just had a short testing session (8 minutes of actual testing) where we checked in on last night's test. Here is what we learned: the time delay did not affect our results; a shutdown/power on did not add new entries; the Registry Explorer and hasher entries still had no hash; we still saw no entries […]

Daily Blog #598: Forensic Lunch Test Kitchen 1/15/19 Syscache Mimikatz Server 2008 R2

Hello Reader, Tonight we returned to the test kitchen to try to solve the mystery of the multiple mimikatz executables now showing up in the Syscache. Tonight we learned: Syscache does not appear to duplicate entries by hash; we got some entries to appear without a hash; we are giving the VM enough time to run its background […]

Daily Blog #597: Tool Spotlight MD Viewer

Hello Reader, I was out late helping a friend, so rather than a test kitchen tonight I'm going to do a tool highlight. David Dym, our colleague at G-C Partners, LLC, has written a number of tools we use like ShadowKit, MetaDiver and SqliteDiver, and now he's come out with a new tool, MDViewer or Meta Diver […]

Daily Blog #596: Sunday Funday 1/13/19

Hello Reader, We've had back-to-back great answers in this new year, which I hope is just setting the trend for the rest of 2019. We've bounced around a couple of topics but let's see if you can finish one out for all of us. The Prize: $100 Amazon Gift Card. The Rules: You must post your […]

Daily Blog #595: Solution Saturday 1/12/19

Hello Reader, I had two great submissions this week and one of them surprised me because it was from my own fellow G-C'er Matt Seyer. Matt won this week's competition because he took one step farther in his testing to show not only what the new tables in the Server 2019 SRUM database meant, he also showed […]

Daily Blog #594: Forensic Lunch Test Kitchen 1/11/19 Server 2008 R2 Syscache Mimikatz

Hello Reader, Tonight, on request from a viewer, we are looking to see what Mimikatz leaves behind in the Syscache hive on Windows Server 2008 R2. Here is what we learned: the Syscache hive did not appear to log the 64-bit mimikatz executable from the first execution; it did log the 32-bit mimikatz executable on first execution; it […]

Daily Blog #593: Forensic Lunch Test Kitchen 1/10/19 Windows 10 Userassist

Hello Reader, Tonight I changed the course of our testing in a slight detour, ok maybe a hard right, over to Windows 10 because I remembered an artifact that has been bugging me. The UserAssist artifact has been a friend of mine since 2002 (I wrote about it in 2004 in the first Hacking Exposed Computer […]

Daily Blog #592: Syscache and SHA 16bit hashes

Hello Reader, Tonight I'm applying my Syscache research in some casework and while testing things out I realized something that I don't think was properly documented before. The Syscache SHA-1 hashes appear to be base16 hashes, not base32 hashes. So before you begin looking for that malicious executable make sure you've generated the correct hash!
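The practical trap in the post above is that the same SHA-1 digest looks completely different as 40 hex (base16) characters than it does as 32 base32 characters, so a known-bad list recorded in one encoding will never string-match an artifact recorded in the other. The following is an added example, not code from this blog or from any Syscache tooling: it renders one digest both ways and normalizes a hash of either encoding to base16 before comparing. The sample bytes (SAMPLE_EXE) are constructed stand-ins for an executable, and the helper names are this example's own.

```python
import base64
import hashlib
import re

# Constructed sample input standing in for an executable's bytes (not real malware).
SAMPLE_EXE = b"MZ\x90\x00 constructed sample executable bytes for the example"


def sha1_base16(data: bytes) -> str:
    """SHA-1 digest as 40 lowercase hex (base16) characters."""
    return hashlib.sha1(data).hexdigest()


def sha1_base32(data: bytes) -> str:
    """The same 20-byte digest as 32 base32 characters (RFC 4648 alphabet).

    160 bits is a multiple of 5, so no '=' padding is produced.
    """
    return base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")


def normalize_to_base16(candidate: str) -> str:
    """Accept a SHA-1 in either encoding and return it as lowercase base16.

    Length disambiguates the two: base16 is always 40 characters, base32 of a
    20-byte digest is always 32. Anything else is rejected rather than guessed.
    """
    s = candidate.strip()
    if re.fullmatch(r"[0-9A-Fa-f]{40}", s):
        return s.lower()
    if re.fullmatch(r"[A-Za-z2-7]{32}", s):
        return base64.b32decode(s.upper()).hex()
    raise ValueError(f"not a SHA-1 in base16 or base32: {candidate!r}")


def matches_known_bad(artifact_hash: str, known_bad: list[str]) -> bool:
    """Compare a hash pulled from an artifact against a known-bad list,
    regardless of which encoding either side happened to be recorded in."""
    target = normalize_to_base16(artifact_hash)
    return any(normalize_to_base16(k) == target for k in known_bad)


if __name__ == "__main__":
    hex_form = sha1_base16(SAMPLE_EXE)
    b32_form = sha1_base32(SAMPLE_EXE)
    print("base16:", hex_form)
    print("base32:", b32_form)
    # A naive string comparison across encodings misses; the normalized one hits.
    print("naive match:     ", hex_form == b32_form)
    print("normalized match:", matches_known_bad(b32_form, [hex_form]))
```

Run the file directly to see the two renderings of one digest side by side. When pulling hashes out of a hive or building a known-bad list, pass both sides through normalize_to_base16 first; the length check means a 40-character hex string and a 32-character base32 string can never be mistaken for one another, and any other shape is flagged instead of silently failing to match.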

Daily Blog #591: SANS Jeddah March 2019

Hello Reader, Are you in the Middle East? If so, I'm heading to Jeddah, Saudi Arabia for the first time to teach SANS FOR500 Windows Forensics: https://www.sans.org/event/jeddah-march-2019/course/windows-forensic-analysis If you like any of the things I write about or show here on the blog you will love this 6-day class as we go deep into Windows Forensics […]

Daily Blog #590: No Country for Old Unicorns

Hello Reader, Well, the need to resurrect Unicorns in Office 365 appears to finally be coming to an end. According to the latest Office 365 updated feature notes, the default mailbox auditing permissions we all hoped would be there are finally rolling out to everyone. This means that, in TLDR: Office 365 starting 2/1/19 (that's from the action required […]

Daily Blog #589: Sunday Funday 1/6/19

Hello Reader, We had some great submissions last week and hopefully this will be the trend for the new year. Let's keep the pace with this week's challenge. The Prize: $100 Amazon Gift Card. The Rules: You must post your answer before Friday 1/11/19 7PM CST (GMT -5). The most complete answer wins. You are allowed to edit your answer […]

Daily Blog #588: Solution Saturday 1/5/19

Hello Reader, Sometimes you have a winning entry that exceeds all of your expectations. This week is that week for me. Maxim Suhanov has come through with some pretty thorough testing to show what processes write to the Syscache hive and what DLLs reference it. This is great work and I look forward to trying out the application […]

Daily Blog #587: Forensic Lunch Test Kitchen 1/4/19 Server 2019 Amcache

Hello Reader, Tonight we continued our exploration of Server 2019 with a look into how Amcache is behaving on it. Here is what we learned: Amcache is still scanning the desktop for executables and adding them to the Amcache when the Application Experience scheduled task runs, even if the executable was never run; like Server 2008 R2, Amcache is […]
