Blog

Daily Blog #640: Regipy – A new python windows registry forensics library

Hello Reader, As I was talking about in #638, I believe automation in DFIR is a big part of our future, with the idea of automating the extraction and basic correlation of data so that a human can use their brain. As we work towards that I’m always looking for new libraries that can support that effort, […]

Daily Blog #639: DFRWS CFP and CFT

Hello Reader, Want an excuse to escape your summer weather for the wonders of the Pacific Northwest? Well, DFRWS, the academic/practitioner conference where new and interesting ideas are always heard first, is coming to Portland, Oregon this July 14-17. Matt and I went to DFRWS when it was in Austin two years ago and came away […]

Daily Blog #638: Kape and Forensic Lunch

Hello Reader, If you haven’t already, you should check out KAPE: https://www.kroll.com/en/insights/publications/cyber/exploring-kapes-graphical-user-interface KAPE is what I assume is the first step in the DFIR automation pipeline that most of the large consulting companies, and many of the large internal DFIR organizations, have built. KAPE solves the need for a flexible triage tool that will extract data from live […]

Daily Blog #637: Forensic 4cast Award Nomination 2019

Hello Reader, It’s that time of year again, time for you to submit your nominations for the Forensic 4Cast awards! If you are not familiar with the awards or the process, let me break it down for you. The Forensic 4Cast awards themselves are currently the only community-driven, DFIR-focused awards we have. The nominations […]

Daily Blog #636: Sunday Funday 3/3/19

Hello Reader, Let’s see if we can keep your OSX skills sharp, this time with an artifact that spans iOS and OSX. Get your SQLite database skills ready for this week’s challenge. The Prize: $100 Amazon Giftcard. The Rules: You must post your answer before Friday 3/8/19 7PM CST (GMT -5). The most complete answer wins. You are allowed […]

Daily Blog #635: Solution Saturday 3/2/19

Hello Reader, This week we have a new winner entering the challenge! Please congratulate Amy Francis for her winning answer! The Challenge: On OSX Mojave, list all of the Plists that would record a file being interacted with. The Winning Answer: Amy Francis. My answer for the challenge: On OSX Mojave list all of the Plists that would record a file […]

Daily Blog #634: AWS GuardDuty false positives

Hello Reader, This is another post that I’m making in the hopes that someone who is searching for this will find it and get their answer. Do you have VMs running in AWS? Do you have Amazon GuardDuty running? Did you just get an alert that claimed your VM is originating an external connection to an external […]

Daily Blog #633: Things you can’t find in Gsuite logs for $100

Hello Reader, I was working a case recently where an ex-employee was believed to have retained a company’s data. They informed me that they had found evidence the ex-employee had downloaded their Google mail, calendar and drive, but couldn’t at the time explain how they knew that. So, like any investigator would/should, I requested and […]

Daily Blog #632: Using Elcomsoft IOS Toolkit on an iPhone with IOS 12.1

Hello Reader, Kevin Stokes is the mobile forensics champion in our offices at G-C Partners. When we got a copy of the new Elcomsoft IOS Toolkit, it was Kevin who went to work to test it out and understand what it was capable of. Kevin was nice enough to write up a quick guide to […]

Daily Blog #631: Elcomsoft IOS Toolkit and IOS 12

Hello Reader, If you haven’t already heard, Elcomsoft updated their IOS Forensic Toolkit recently; you can check it out here: https://www.elcomsoft.com/eift.html We got a license and tested it out, and what we found is that:
A. It does not ship with any rootless jailbreaks.
B. It does not automate the process of installing rootless jailbreaks.
C. It does not do […]

Daily Blog #630: Sunday Funday 2/24/19

Hello Reader, Last week’s challenge went unanswered, but I know there is a movement towards Mac forensics slowly building in the world. Though most of us are still focused on Windows or mobile in our daily DFIR endeavors, don’t let your Mac skills fall by the wayside when you most need them… in the event […]

Daily Blog #629: Coreanalytics Update

Hello Reader, Back in July of 2018 CrowdStrike wrote a very interesting post all about Core Analytics, a service that runs by default on OSX and tracks aggregate daily data about executables run on the system for a month. You can read their original work here: https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/
I’ve noticed that most of the writeups that I’ve seen about […]

Daily Blog #628: DFIR in 120 Seconds

Hello Reader, I know many of you are looking to get a better understanding of the fundamentals of DFIR. In most of my daily writing I focus on new things that I’m researching or find interesting, but I don’t typically take the time to cover the basics. Luckily, Mathias Fuchs has started a video […]

Daily Blog #627: Deep Freeze and DFIR

Hello Reader, While I didn’t have any winners for last week’s Sunday Funday, I did want to draw your attention to the answers that were already present, from 8 years ago. Lance Mueller, who wrote/writes the ForensicKB blog, did his own Deep Freeze testing 8 years ago. Jessica Hyde reminded me of this while I […]

Daily Blog #626: Sunday Funday 2/17/19

Hello Reader, Let’s reevaluate challenges again. Last week I either asked for too much or went too niche, so let’s open it up again. The point of these challenges is to get you, the larger DFIR community, involved in your own research and testing so you can surprise yourself and help others in their work. […]

Daily Blog #625: Solution Saturday 2/16/19

Hello Reader, I was wondering 6 months ago what would make me miss a day of blogging; it turns out the answer is moving! So now that things are settling down I should be back on schedule. Speaking of things that were missed, this week’s contest had no qualifying submissions that I saw. So tune in […]

Daily Blog #624: Microsoft Defender ATA Golden Ticket False Positive

Hello Reader, I’m writing this post to serve as a bookmark for the future for anyone out there searching for this. If it’s late at night, you have Microsoft Defender ATA in your network monitoring your systems, and suddenly you get a High Alert that a golden ticket was in use… take a […]

Daily Blog #623: Sunday Funday 2/10/19

Hello Reader, Keeping up with all of the materials that the community makes based on the work you, the reader, do in Sunday Funday challenges really makes it all worth it. Let’s keep this amazing streak going with this week’s DeepFreeze challenge. The Prize: $100 Amazon Giftcard. The Rules: You must post your answer before Friday 2/15/19 […]

Daily Blog #622: Solution Saturday 2/9/19

Hello Reader, This week Oleg Skulkin has come in with another win! Oleg found some interesting results. In Oleg’s testing, all of his executions were caught by the Amcache, except those programs executed from external storage volumes. Very interesting! I think we will have to go back to Syscache and Amcache again in the near […]

Daily Blog #621: ADFS accounts in SAM hives

Hello Reader, I wanted to make a quick post about ADFS (Active Directory Federation Services) and Azure AD. If the Windows system you are examining has a user that is authenticating against Azure AD in any configuration (cloud, hybrid, Office 365), then you should be looking for an additional key value that has been around […]

G-C Partners