Blog

Daily Blog #620: Magnet User Summit 2018 CTFd site is closing

Hello Reader, With the 2019 Magnet User Summit coming up and with it the DFIR CTF we are working on for it, I think it’s time that I close down the 2018 site. You can access it for the month of February here: https://magnetctf.ctfd.io/ Why shut it down? Well, CTFd charges me $100 a month […]

Daily Blog #619: SANS DFIR Summit 2019 CFP is open!

Hello Reader, A quick reminder that the 2019 SANS DFIR Summit call for presentations is open! https://www.sans.org/event/digital-forensics-summit-2019/call-for-presentations Happening in Austin, Texas on July 25-26, 2019, the SANS DFIR Summit has some of the best presentations of the year. We look forward to this event every year as usually there is some new tool or research shown […]

Daily Blog #618: Magnet User Summit 2019 CTF is Full

Hello Reader, I registered today for the Magnet User Summit (https://magnetusersummit.com/schedule) and noticed that the CTF that Matt and I are hosting with Magnet, and specifically in cahoots with Jessica Hyde, is now full! If you made the cut before it was full, get ready for some stiff competition and some great prizes. If you didn’t […]

Daily Blog #617: Sunday Funday 2/3/19

Hello Reader, 2019 is becoming a pretty great year for responses to these challenges. It’s always tough to weigh different answers to find the one that is ‘most complete’ and I appreciate all the hard work all of you put into it. Even if you don’t submit an answer and just work on the challenge I […]

Daily Blog #616: Solution Saturday 2/2/19

Hello Reader, I had some great submissions this week as people really got into shellbags research. This week Kevin Pagano managed to edge out a win with the extra work he did in showing the differences in how the data was recorded with different preferences in sorting and other features. The biggest thing that I took away […]

Daily Blog #615: Forensic Lunch 2/1/19 Blanche Lagny Amcache DFIR Review

Hello Reader, We had another Forensic Lunch! This was a great episode and here are the details. This week we have: Blanche Lagny talking about her paper on Amcache; the DFIR Review crew talking about... DFIR Review! The DFIR Review crew entails: Jessica Hyde, Vico Marziale, Brett Shavers, Tony Knutson. You can watch it here:

Daily Blog #614: Forensic Lunch Test Kitchen 1/31/19 Deep Freeze Windows 10

Hello Reader, Tonight we continued testing Deep Freeze on Windows 10 to find out what data was recoverable and how or if the data had been changed. Here is what we learned: The deleted data appears not just to be partially overwritten but moved physically on the disk. When new data is written the older data from […]

Daily Blog #613: Forensic Lunch Test Kitchen 1/30/19 Deep Freeze on Windows 10

Hello Reader, I’ve been asked quite a lot about recovering data from Windows 10 if Deep Freeze was installed. Now I’ve had theories and hypotheses regarding how Deep Freeze works and what should be possible, but tonight I got an evaluation version of Deep Freeze and a new Windows 10 VM to find out for sure. Here is what […]

Daily Blog #612: Unified Log Parsing

Hello Reader, Yogesh Khatri continues to push out new OSX forensic tools; if you haven’t used mac_apt you really should: https://github.com/ydkhatri/mac_apt. Now Yogesh has given us a Unified Log Parser which will allow you to parse unified logs on any platform, and since it’s Python it should be easy to extend or reuse his code […]

Daily Blog #611: Forensic Lunch Schedule 2019

Hello Reader, So I’ve been pretty bad at pre-scheduling Forensic Lunches lately, so I decided to look at my calendar and commit to a schedule for the first quarter of 2019. What follows are the scheduled dates for the first quarter of 2019. I already have guests lined up for 2/1/19 and I’ll be looking […]

Daily Blog #610: Sunday Funday 1/27/19

Hello Reader, Last week I may have asked a bit much, so I’m reeling myself back in. This week I’ve posted a lot of links to other people’s work as I’ve been teaching SANS FOR500 during the day at the CTI Summit and doing my case work at night. However, thanks to great students sharing […]

Daily Blog #609: Solution Saturday 1/26/19

Hello Reader, Looks like my 2019 streak is now broken; this week we have no qualifying answers. When this happens I take it as a sign that the question was harder than I expected, which means I really need to focus on finding a real answer myself. I’ll be working on that and the […]

Daily Blog #608: DFIR Review

Hello Reader, A new organization within an organization has formed! The DFIR Review group within DFRWS has officially emerged from ‘stealth mode’ and is ready to give your DFIR research peer review and fast feedback. With a combination of academics and practitioners volunteering their time, they are pledging to help you validate your work and look […]

Daily Blog #607: FOR498 Battlefield Forensics & Data Acquisition

Hello Reader, SANS is announcing a new DFIR course written by Kevin Ripa and Eric Zimmerman called FOR498: Battlefield Forensics & Data Acquisition. It’s a course that focuses on dealing with all the onsite triage you will encounter when gathering evidence in a variety of environments, with a big focus on preserving data from a […]

Daily Blog #606: Elcomsoft blog about Factory Access Mode

Hello Reader, I know this came out a week ago but I don’t think I wrote about it. I found this article written by Elcomsoft employee Oleg Afonin to be fascinating! Oleg is writing all about how to get an SSD drive into factory access mode, allowing an examiner to get access to all the data […]

Daily Blog #605: CTI Summit 2019

Hello Reader, Between calls and work I got to watch some of the CTI Summit this week in DC prior to my class that starts tomorrow. I will admit that I look at CTI mainly from the outside, trying to understand how it really works and what is real vs marketing. Prior to the CTI […]

Daily Blog #604: New Amcache Research Paper you really should read

Hello Reader, If you’ve been following the blog and the test kitchens you would have seen that both myself and Maxim Suhanov have been testing and talking a lot about the Amcache, which led to our findings about the Syscache hive. Well, it looks like we are not alone in our quest to truly understand this artifact, since Blanche […]

Daily Blog #603: Sunday Funday 1/20/19

Hello Reader, Last week’s challenge brought out some great research and new tools. I hope that this streak of great responses continues through 2019! Let’s switch focus back to the Syscache hive for this week’s challenge. The Prize: $100 Amazon Gift Card. The Rules: You must post your answer before Friday 1/25/19 7PM CST (GMT -5). The most […]

Daily Blog #602: Solution Saturday 1/19/19

Hello Reader, This week’s challenge has an interesting twist: I have two answers but neither was submitted before the deadline. So I thought I would post the two answers for everyone’s benefit so it’s not lost to the Twitter timeline. The Challenge: In Windows 10 what behavior appears to determine if a program will show up in […]

Daily Blog #601: Live registry triage and testing

Hello Reader, Well, I attempted to do a test kitchen tonight but VMware Workstation didn’t want to cooperate. What I wanted to show is summarized in the below blog post from Eric Zimmerman: https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html Eric has added the ability for his registry tools and the MFT explorer to be able to access the locked live files […]

G-C Partners