Daily Blog #682: Linux Kernel patches for safe forensic imaging

Hello Reader,        Are you using Linux as your DFIR environment of choice? Many are and for good reason. Linux makes many things easy thanks to the wide variety of open source DFIR tools available, premade distributions (SIFT, Paladin, DEFT, etc…) and the ability to quickly turn evidence into mountable file systems. However for all the good there are some Linux […]

Daily Blog #681: DFIR Discord

Hello Reader,        As we are all isolated and looking for more safe social interaction without leaving a permanent public trace (I’m looking at your twitter) it’s good to know there are places we can go to talk DFIR with other practitioners in a less formal environment. Andrew Rathbun has been hosting a DFIR focused Discord server for […]

Daily Blog #680: Apple Unified Audit Logging

Hey Reader,           Today I didn’t have the time I needed to get a test kitchen done so I decided to take this opportunity to point you towards another great blog you should be reading with a different focus. Sarah Edwards over at the Mac4n6 blog has started a series on the apple unified audit logging. If […]

Daily Blog #679: Snapshot 4n6ir Imager

Hello Reader,   I’ve been documenting my own cloud DFIR research but i’m far from alone in this journey. Today I wanted to provide a spotlight on what could be a very useful tool if your looking to up your AWS DFIR game. John Lukach has put out a python script that makes use the AWS EBS Block API I’ve been […]

Daily Blog #678: Sunday Funday 4/19/20

Hello Reader,         We had some strong contenders for last weeks contest and I think most of you understood the expedited need to understand more about these virtual conferencing technologies in this work from home world we are in. Let’s then continue our journey by looking into an application that has been much in the news of late, […]

Daily Blog #677: Solution Saturday 4/18/20

Hello Reader,       I got some good answers this week and picking a winner was tough. This week I’m going to provide links to some additional submissions who almost cranked out a win. However this week’s winner is Mark McKinnon who took a step beyond the others by:A. Identifying the type of data storage in each of the relevant […]

Daily Blog #676: Forensic Lunch 4/17/20 with Zach Wasserman

Hello Reader,  Today on the Forensic Lunch we only had one guest, Zach Wasserman, from OSQuery technical steering committee. We only had one guest because we knew we would have so much to talk to Zach about! From OSQuery’s future in the linux foundation, Kollide Fleet and other fleet managers to Zach’s work at Dactiv, LLC you have alot waiting […]

Daily Blog #675: The curious case of cloud trail and AWS EBS Block API access

Hello Reader,          So my plan was to do a test kitchen and show to search the CloudTrail logs for evidence that the EBS Block API was used. I thought this was important as attackers could be extracting sensitive data out of a snapshot without showing any signs of large transfer. Well as it turns out … […]

Daily Blog #674: Forensic Lunch Podcast is up to date!

Hello Reader,        I was planning to search my cloudtrail logs today in a test kitchen to show my snapshot activity, but life has a way of getting in the way … even when you don’t leave the house. However what I did accomplish today was getting the podcast caught up with the Youtube broadcasts! It was over […]

Daily Blog #673: Working AWS EBS Blocks

Hello Reader,     In the yesterdays blog we tested out the AWS Direct EBS Block API. This allowed us to extract any block we choose from a AWS EBS Snapshot. In the test kitchen below we go deeper, looking into how many 512 sectors make up a Snapshot block (1024) and parse out the MBR to show how to work […]

Daily Blog #672: AWS EBS Snapshot Block Access

Hello Reader,     It’s time for to be side tracked. I’ve been exploring pancake viewer in the past few daily blog, and I do plan to get back to that, but for now I read about something that AWS has published back in December of 2019 (aka the before times) which you can read here: I don’t remember what […]

Daily Blog #671: Sunday Funday 4/12/20

Hello Reader,          We had quite the strong showing last week from Maxim Suhanov. Who else is ready to stand up to the challenge? This week and next week we are focusing on what I think is unexplored territory that is rapidly expanding during the crisis, remote work and conferencing tools. I’m sure all of us will […]

Daily Blog #670: Solution Saturday 4/11/20

Hello Reader,           This weeks winner is a repeat champion who this week brought in an entry so strong I think it scared away all the other contestants! This weeks challenge asked you to test a new but in my opinion unproven execution artifact and boy did the winner deliver. From understanding how the artifact works to […]

Daily Blog #669: Forensic Lunch 4/10/20

Hello Reader,       What a great Forensic Lunch today! On today’s broadcast we had: Yuri Gubanov (@belkasoft) giving an update about whats going on at Belkasoft. Including their IOS 13.4 full file system acquisition using Checkm8, their new IR module in Belkasoft Evidence Center and a neat capability to do managed remote logical phone collections.  Steve Gibson and Spencer […]

Daily Blog #668: Pancake viewer part 4

Hello Reader,       Tonight we had another test kitchen, tonight with Matt Seyer and Joe Sylve. We started by talking about DFVFS and logical volume parsing. Then Matt showed how to do Python hooking to override the functionality of a DFVFS function to fix the logical volume issue with source scanner. Our talk then took a turn with Dr. […]

Daily Blog #667: Pancake Viewer Part 3 with Test Kitchen

Hello Reader,         Tonight we had another Test Kitchen and this one was much more successful than last nights.Tonight we went into Matt’s Pancake Viewer code, followed the functions, talked about how it worked and how it used DFVFS. We ended the night with a demonstration of Pancake Viewer opening a E01 file and what underlying calls/functions were […]

Daily Blog #666: Pancake Viewer Part 2 with Test Kitchen

Hello Reader,        Well it happened, we reached daily blog 666 and as you would expect … it all went wrong.  In order to show how to get DFVFS running I decided to do it in a Test Kitchen live stream that you can watch below, its 2 hours. Yes it took 2 hours and some whiskey to […]

Daily Blog #665: Pancake Viewer part 1

Hello Reader,         If you watched the last Forensic Lunch (I mean why wouldn’t you have) then you know that Matt and I talked about continuing development of Matt’s Pancake Viewer. Specifically Matt suggested that I take over the development.  So with that in mind I thought I would make this a blog series and likely some test […]

Daily Blog #664: Sunday Funday 4/5/20

Hello Reader,          I hope your ready, Sunday Funday’s are back and we are going to challenge you. I’m continuing the trend from last year of making the challenges a week long and with everyone home now I hope you can find a good use of some time here. So let’s see what you can do and […]

Daily Blog #663: Magnet Virtual Summit 2020

Hello Reader,      Next month I was supposed to be eating hot chicken with all of you in Nashville at the Magnet User Summit (MUS) but since it’s still corona time this too has moved to a virtual format. The conference now called the Magnet Virtual Summit (MVS) is set for the whole month of may, it’s Magnet in […]

G-C Partners