Blog

Daily Blog #586: Forensic Lunch Test Kitchen Server 2019 Shimcache Srum Syscache

Hello Reader, Tonight we extended our search to see if the Syscache hive came back to life by looking into Windows Server 2019. Here is what we learned: no Syscache hive by default in Server 2019; there is a SRUM database by default in Server 2019; there is an Amcache hive by default in Server 2019; there is […]

Daily Blog #585: Happy new year 2019

Hello Reader, New Year's Eve was great and New Year's Day proved to be full of family activities, so I missed a day of blogging. I hope you enjoyed your holiday as well, if you had one, and let's talk DFIR New Year's resolutions. Here are mine: to continue daily blogging throughout 2019; to build out the […]

Daily Blog #584: New Years Eve 2018

Hello Reader, I'm writing this in 2019 as we had way too much fun on New Year's Eve. I haven't gotten to bed yet, so I think this still counts as a daily blog. Tomorrow I'll post my hopes for the new year of DFIR work, but in this post I just want to say thank you. Thank […]

Daily Blog #583: Sunday Funday 12/30/18

Hello Reader, This will be the first Sunday Funday for 2019, since by the time the submissions are received and judged the winner will be announced in 2019. Let's see what your system monitoring/debugging skills are like. The Prize: $100 Amazon Gift Card. The Rules: you must post your answer before Friday 1/4/19 7PM CST (GMT -5); the most complete answer wins; you […]

Daily Blog #582: Solution Saturday 12/29/18

Hello Reader, Well, no winner this week; I may have pushed a bit far in a holiday week. Tomorrow is the first contest for the new year and we will all have a fresh start. The Challenge: On Server 2008 R2, how would the following be seen in the Syscache and what was logged: 1. PowerShell Empire agent 2. Meterpreter 3. […]

Daily Blog #581: Forensic Lunch Test Kitchen 12/28/18 Syscache Applocker and Server 2012

Hello Reader, Tonight we booted up a Server 2012 VM, which is in line with Windows 8.1, looking to see if we could find a Syscache hive with and without AppLocker configured. So far no such luck, but we will keep trying. If you want to watch the video you can do so here:

Daily Blog #580: Applocker and Windows 10

Hello Reader, Didn't get started until very late tonight, so I didn't do a broadcast; tomorrow, though, we will for sure. Instead I decided to see if I could get AppLocker going on Windows 10 Enterprise, since I already have a VM running it. I turned AppLocker into audit-only mode, made default rules and executed […]

Daily Blog #579: The meaning of Syscache.hve

Hello Reader, One of the questions I've often repeated over the last couple of test kitchens in regards to the Syscache hive is why it exists. In earlier googling I thought, based on its location in slide presentations, that it might be involved in the Volume Shadow Copy system, something Maxim Suhanov does not agree with. This left the […]

Daily Blog #578: Merry Christmas 12/25/18

Hello Reader, At every major holiday I post a recipe on my wife's advice. She said you would at some point want to read something not technical. So since it's Christmas I thought I would share one of the recipes I've been making for my family and friends. For a number of years I made Nigella Lawson's […]

Daily Blog #577: Christmas Eve 12/24/18

Good evening reader, We are all tucked in and hoping that DFIR Santa is bringing us new artifacts for Christmas. Tomorrow I'll likely be posting a recipe, but I wanted to wish you good tidings and a happy new year!

Daily Blog #576: Sunday funday 12/23/18

Hello Reader, Let's finish the year right. The last challenge of 2018 needs to be special. The Prize: $100 Amazon Gift Card. The Rules: you must post your answer before Friday 12/28/18 7PM CST (GMT -5); the most complete answer wins; you are allowed to edit your answer after posting; if two answers are too similar for one to win, the one […]

Daily Blog #575: Solution Saturday 12/22/18

Hello Reader, I always love introducing new winners to the community, and this week I get my wish. Please congratulate Bastien Lardy on his winning Python DFVFS submission! The Challenge: Write a Python script using DFVFS that uses the source scanner function to enumerate partitions and shadow copies. It should then provide the ability to extract a file and provide its […]

Daily Blog #574: Forensic Lunch 12/21/18 Alissa Torres, Dr. Joe Sylve

Hello Reader, Today we had another Forensic Lunch! This week we had Alissa Torres (@sibertor) talking all about the changes to FOR526 as a 6-day bootcamp of memory forensics goodness, with daily NetWars challenges! You can find out more and sign up here: https://www.sans.org/event/cyber-threat-intelligence-summit-2019/course/memory-forensics-in-depth Alissa and I also talked about the CTI Summit, which is happening the […]

Daily Blog #573: Forensic Lunch Test Kitchen 12/20/18 Syscache and Server 2008 R2

Hello Reader, Tonight, after finding out from you that Syscache.hve exists on Server 2008 R2, we switched OSes in our testing and focused on Syscache on Server 2008 R2 and away from Windows 7 for now. Here is what we learned: the Syscache hive exists on an unpatched Server 2008 R2 SP1 system; the Syscache hive exists […]

Daily Blog #572: Forensic Lunch Test Kitchen 12/19/18 Syscache and Python

Hello Reader, Tonight we wrote some Python code to recover the full path of the files referenced in the Syscache hive, added in the ProgramID and then viewed the data in Timeline Explorer to see the relation between the executables. We learned that pytsk does not have an attribute for the parent reference number, so we had to extract […]

Daily Blog #571: Forensic Lunch Test Kitchen 12/18/18 Syscache

Hello Reader, Another evening, another test kitchen! Tonight we looked even deeper into the Syscache and we learned: .bat files are recorded in the Syscache hive when executed; .bat files and other executables run from the Desktop are not recorded in the Syscache; PowerShell files (.ps1) are not caught in the Syscache hive; deleting a file did […]

Daily Blog #570: Forensic Lunch Test Kitchen 12/17/18 Syscache.hve

Hello Reader, Tonight in the Test Kitchen we expanded our testing of the Syscache hive by adding more data from our Python script that matches MFT entries to the Syscache entries. Here is what we learned: the Syscache hive seems to record at least .exe, .dll, .bat and .cmd files that were executed; the Syscache hive, like the Amcache hive, […]

Daily Blog #569: Sunday Funday 12/16/18

Hello Reader, Last week I got you searching for DFVFS; this week let's see you program in DFVFS! We've done a lot of different challenges for the Sunday Funday series, so why not continue to mix it up and see what you've learned. Need some code examples? Look at yesterday's winning answer: https://www.hecfblog.com/2018/12/daily-blog-568-solution-saturday-121518.html The Prize: $100 Amazon […]

Daily Blog #568: Solution Saturday 12/15/18

Hello Reader, This week I changed up the challenge and you stepped up to the task. This week the master of DFIR knowledge summarization used his skills to pull off a win by one project. Congratulations to Phill Moore (and his baby) for this week's win! The Challenge: Find all the projects out there that are making use of DFVFS (https://github.com/log2timeline/dfvfs) […]

Daily Blog #567: Forensic Lunch 12/14/18

Hello Reader, It's the Forensic Lunch! This broadcast we had Eric Huber talking about his work at the NW3C (National White Collar Crime Center) and his investigations into cryptocurrencies. I think you'll enjoy it! You can read Eric's blog here: http://www.afodblog.com/ You can follow Eric on Twitter here: https://twitter.com/ericjhuber You can learn more about the NW3C here: https://www.nw3c.org/ Watch the video below:
