Hello Reader, This week Oleg Skulkin has come in with another win! Oleg found some interesting results. In Oleg’s testing all of his executions were caught by the Amcache, except those programs executed from external storage volumes. Very interesting! I think we will have to go back to Syscache and Amcache again in the near […]
Hello Reader, I wanted to make a quick post about ADFS (Active Directory Federated Services) and Azure AD. If the Windows system you are examining has a user that is authenticating against Azure AD in any configuration (cloud, hybrid, office 365) then you should be looking for an additional key value that has been around […]
Hello Reader, With the 2019 Magnet User Summit coming up and with it the DFIR CTF we are working on for it I think it’s time that I close down the 2018 site. You can access it for the month of February here: https://magnetctf.ctfd.io/ Why shut it dowh?Well CTFd charges me $100 a month […]
Hello Reader, A quick reminder that the 2019 SANS DFIR Summit call for presentations is open! https://www.sans.org/event/digital-forensics-summit-2019/call-for-presentations Happening in Austin, Texas on July 25-26, 2019 the SANS DFIR Summit has some of the best presentations of the year. We look forward to this event everywhere as usually there is some new tool or research shown […]
Hello Reader, I registered today for the Magnet User Summit (https://magnetusersummit.com/schedule) and noticed that the CTF that Matt and I are hosting with Magnet and specifically in cahoots with Jessica Hyde is now full! If you made the cut before it was full, get ready for some stiff competition and some great prizes. If you didn’t […]
Hello Reader, 2019 is becoming a pretty great year for responses to these challenges. It’s always tough to weight different answers to find the one that is ‘most complete’ and I appreciate all the hard work all of you put into it. Even if you don’t submit an answer and just work on the challenge I […]
Hello Reader, I had some great submissions this week as people really got into shellbags research. This week Kevin Pagano managed to edge out a win with the extra work he did in showing the differences in how the data was recorded with different preferences in sorting and other features. The biggest thing that I took away […]
Hello Reader, We had another Forensic Lunch! This was a great episode and here are the details. This week we have: Blanche Lagny talking about her paper on Amcache The DFIR Review crew talking about .. DFIR Review! The DFIR Review crew entails: Jessica Hyde Vico Marziale Brett Shavers Tony Knutson You can watch it here:
Hello Reader, Tonight we continued testing Deep Freeze on Windows 10 to find out what data was recoverable and how or if the data had been changed. Here is what we learned: The deleted data appears not just to be partially overwritten but moved physically on the disk When new data is written the older data from […]
Hello Reader, I’ve been asked quite a lot about recovering data from Windows 10 if deep freeze was installed. Now I’ve had theories and hypothesis regarding how Deepfreeze works and what should be possible but tonight I got an evaluation version of Deepfreeze and a new Windows 10 VM to find out for sure. Here is what […]
Hello Reader, Yogesh Khatri continues to push out new OSX forensic tools, if you haven’t used mac_apt you really should be https://github.com/ydkhatri/mac_apt. Now Yogesh has given us a Unified Log Parser which will allow you to parse unified logs on any platform and since its python it should be easy to extend or reuse his code […]
Hello Reader, So I’ve been pretty bad at pre-scheduling forensic lunches lately so I decided to look at my calendar and commit to a schedule for the first quarter of 2019. So what follows are the scheduled dates for the first quarter of 2019. I already have guests lined up for 2/1/19 and I’ll be looking […]
Hello Reader, Last week I may have asked a bit much, so I’m reeling myself back in. This week I’ve posted a lot of links to other peoples work as I’ve been teaching SANS FOR500 during the day at the CTI Summit and doing my case work at night. However thanks to great students sharing […]
Hello Reader, Looks like my 2019 streak is now broken, this week we have no qualifying answers. When this happens I take it as a sign that the question was harder than I expected which means I really need to focus on finding a real answer myself. I’ll be working on that and the […]
Hello Reader, A new organization within an organization has formed! The DFIR Review group within DFRWS has officially emerged from ‘stealth mode’ and is ready to give your DFIR research peer review and fast feedback. With a combination of academics and practitioners volunteering their time they are pledging to help you validate your work and look […]
Hello Reader, SANS is announcing a new DFIR course written by Kevin Ripa and Eric Zimmerman called FOR498: Battlefield Forensics & Data Acquisition. It’s a course that focuses on dealing with all the onsite triage you will encounter when gathering evidence in a variety of environments with a big focus on preserving data from a […]
Hello Reader, I know this came out a week ago but I don’t think I wrote about it. I found this article written by Elcomsoft employee Oleg Afonin to be fascinating! Oleg is writing all about how to get a SSD drive into factory access mode allowing an examiner to get access to all the data […]
Hello Reader, Between calls and work I got to watch some of the CTI Summit this week in DC prior to my class that starts tomorrow. I will admit that I look at CTI mainly from the outside trying to understand how it really works and what is real vs marketing. Prior to the CTI […]
Hello Reader, If you’ve been following the blog and the test kitchens you would have seen that both myself and Maxim Suhanov have been testing and talking alot about the Amcache which lead to our findings about the Syscache hive. Well, it looks like we are not alone in our quest to truely understand this artifact since Blanche […]
Hello Reader, Last week’s challenge brought out some great research and new tools. I hope that this streak of great responses continues through 2019! Let’s switch focus back to the Syscache hive for this weeks challenge. The Prize:$100 Amazon GiftcardThe Rules: You must post your answer before Friday 1/25/19 7PM CST (GMT -5) The most […]
