Hello Reader, Tonight we extended our search to see if the Syscache hive came back to life by looking into Windows Server 2019, Here is what we learned: No Syscache hive by default in Server 2019 There is a SRUM database by default in Server 2019 There is an Amcache hive by default in Server 2019 There is […]
Hello Reader, New years eve was great and new years day proved to be full of family activities so I missed a day of blogging. I hope you enjoyed your holiday as well, if you had one, and let’s talk DFIR new years resolutions. Here are mine: To continue daily blogging throughout 2019 To build out the […]
Hello Reader, I’m writing this in 2019 as we had way too much fun on new years eve. I haven’t gotten to bed yet so I think this counts as a daily blog still. Tomorrow i’ll post my hopes for the new year of DFIR work but in this post I just want to say thank you. Thank […]
Hello Reader, This will be the first Sunday Funday for 2019 since when the submissions are received and judged the winner will be announced in 2019. Let’s see what your system monitoring/debugging skills are like. The Prize:$100 Amazon GiftcardThe Rules: You must post your answer before Friday 1/4/19 7PM CST (GMT -5) The most complete answer wins You […]
Hello Reader, Well no winner this week, I may have pushed a bit far in a holiday week. Tomorrow is the first contest for the new year and we will all have a fresh start. The Challenge:On server 2008 r2 how would the following be seen in the syscache and what was logged:1. Powershell empire agent2. Meterpeter3. […]
Hello Reader, Tonight we booted up a server 2012 VM which is in line with Windows 8.1 looking to see if we could find a syscache hive with and without applocker configured. So far no such luck but we will keep trying. If you want to watch the video you can do so here:
Hello Reader, Didn’t get started until very late tonight so I didn’t do a broadcast, tomorrow though we will for sure. Instead I decided to see if I could get Applocker going on Windows 10 Enterprise since I already have a VM running it. I turned Applocker into audit only mode, made default rules and executed […]
Hello Reader, One of the things I’ve often repeated the last couple of test kitchens in regards to the Syscache hive is why does it exist. In earlier googling I thought based on its locations in slide presentations that it might be involved in the volume shadow copy system, something Maxim Suhanov does not agree with. This left the […]
Hello Reader, At every major holiday I post a recipe on my wife’s advice. She said you would at some point want to read something not technical. So since it’s Christmas I thought I would share one of the recipes I’ve been making for my family and friends. For a number of years I made Nigella Lawson’s […]
Good evening reader,We are all tucked in and hoping that DFIR santa is bringing us new artifacts for Christmas. Tomorrow I’ll likwly be posting a recipe but I wanted to wish you good tidings and a happy new year!
Hello Reader, Let’s finish the year right. The last challenge of 2018 needs to be special. The Prize:$100 Amazon GiftcardThe Rules: You must post your answer before Friday 12/28/18 7PM CST (GMT -5) The most complete answer wins You are allowed to edit your answer after posting If two answers are too similar for one to win, the one […]
Hello Reader,I always love introducing new winners to the community and this week I get my wish. Please congratulate Bastien Lardy with his winning Python DFVFS submission! The Challenge: Write a python script using DFVFS that uses the source scanner function to enumerate partitions and shadow copies. It should then provide the ability to extract a file and provide its […]
Hello Reader, Today we had another Forensic Lunch! This week we had: Alissa Torres, (@sibertor) talking all about the changes for FOR526 as a 6 day bootcamp of memory forensic goodness, with daily Netwars challenges! You can find out more and sign up here: https://www.sans.org/event/cyber-threat-intelligence-summit-2019/course/memory-forensics-in-depth Alissa and I also talked about the CTI Summit which is happening the […]
Hello Reader, Tonight after finding out from you that the Syscache.hve exists on Server 2008 R2 we switched OS’s in our testing and focused on Syscahe on Server 2008 R2 and away from Windows 7 for now. Here is what we learned: The Syscache hive exists on an unpatched Server 2008 R2 SP1 system The syscache hive exists […]
Hello Reader, Tonight we wrote some python code to recover the full path of the files referenced in the Syscache hive, added in the ProgramID and then viewed the data in Timeline Explorer to see the relation between the executables. We learned: That pytsk does not have an attribute for parent reference number, so we had to extract […]
Hello Reader, Another evening, another test kitchen! Tonight we looked even deeper into the Syscache and we learned: Bat files are recorded in the Syscache hives when executed Bat files and other executables run from the Desktop are not recorded in the Syscache Powershell files (ps1) are not caught in the Syscache hive Deleting a file did […]
Hello Reader, Tonight in the Test Kitchen we expanded our testing of the Syscache hive by adding more data from our python script that is matching MFT entries to the Syscache entries. Here is what we learned: The syscache hive seems to record atleast exe, dll, bat and cmd files executed The syscache hive like the Amcache hive […]
Hello Reader, Last week I got you searching for DFVFS, this weeks let’s see you program in DFVFS! We’ve done a lot of different challenges for the Sunday Funday series so why not continue to mix it up and see what you’ve learned. Need some code examples? Look at yesterdays winning answer:https://www.hecfblog.com/2018/12/daily-blog-568-solution-saturday-121518.html The Prize:$100 Amazon […]
Hello Reader,This week I changed up the challenge and you stepped up to the task. This week the master of DFIR knowledge summarization used his skills to pull of a win by one project. Congratulations to Phill Moore (and his baby) for this weeks win! The Challenge: Find all the projects out there that are making use of DFVFS (https://github.com/log2timeline/dfvfs) […]
Hello Reader, It’s the forensic lunch! This broadcast we had Eric Huber talking about his work at the NW3C (National White Collar Crime Center) and his investigations into Cryptocurrencies. I think you’ll enjoy it! You can read Eric’s Blog here:http://www.afodblog.com/You can follow Eric on twitter here: https://twitter.com/ericjhuberYou can learn more about the NW3C here: https://www.nw3c.org/ Watch the video below:
