Daily Blog #602: Solution Saturday 1/19/19

Hello Reader,        This weeks’ challenge has an interesting twist, I have two answers but neither was submitted before the deadline. So I thought I would post the two answers for everyone’s benefit so it’s not lost to the twitter timeline. The Challenge: In Windows 10 what behavior appears to determine if a program will show up in […]

Daily Blog #601: Live registry triage and testing

Hello Reader,          Well I attempted to do a test kitchen tonight but VMWare Workstation didn’t want to cooperate. What I wanted to show is summarized in the below blog post from Eric Zimmerman: Eric has added the ability for his registry tools and the MFT explorer to be able to access the locked live files […]

Daily Blog #600: Windows 10 Search Artifacts are going to change again

Hello Reader,            I saw this article over on the verge: In this article they describe how Cortana is going to be separated from the search function. Currently we find the Windows 10 search artifacts in the NTUSER registry under the softwaremicrosoftwindowscurrent versionsearch. So keep an eye out for this change as we expect changes in […]

Daily Blog #599: Forensic Lunch Test Kitchen 1/16/19 Syscache Server 2008 R2 Mimikatz

Hello Reader,   Tonight we just had a short testing session (8 minutes of actual testing) were we checked in on last nights test. Here is what we learned: The time delay did not effect our results A shutdown/power on did not add a new entries The registry explorer and hasher entries still had no hash We still saw no entries […]

Daily Blog #598: Forensic Lunch Test Kitchen 1/15/19 Syscache Mimikatz Server 2008 R2

Hello Reader,       Tonight we returned to the test kitchen to try to solve the mystery of the Multiple mimikatz executables now showing up in the Syscache Tonight we learned: Syscache does not appear to duplicate entries by hash We got some entries to appear without a hash We are giving the VM enough time to run its background […]

Daily Blog #597: Tool Spotlight MD Viewer

Hello Reader,          I was out late helping a friend so rather than a test kitchen tonight I’m going to do a tool highlight. David Dym our colleague at G-C Partners, LLC has written a number of tools we use like: ShadowKit MetaDiver SqliteDiver and now he’s come out with a new tool MDViewer or Meta Diver […]

Daily Blog #596: Sunday Funday 1/13/19

Hello Reader,          We’ve had a back to back great answers in this new year which I hope is just sitting the trend for the rest of 2019. We’ve bounced around a couple of topics but let’s see if you can finish one out for all of us. The Prize:$100 Amazon GiftcardThe Rules: You must post your […]

Daily Blog #595: Solution Saturday 1/12/19

Hello Reader,        I had two great submissions this week and one of them surprised me because it was from my own fellow g-c’er Matt Seyer. Matt won this weeks competition because he took one step farther in his testing to show not only what the new tables in the Server 2019 SRUM database meant, he also showed […]

Daily Blog #594: Forensic Lunch Test Kitchen 1/11/19 Server 2008 R2 Syscache Mimikatz

Hello Reader,  Tonight on request from a viewer we are looking to see what Mimikatz leaves behind in the Syscache hive on Windows Server 2008 R2. Here is what we learned: The Syscache hive did not appear to log the 64 bit mimikatz executable from the first execution It did log the 32 bit mimikatz executable on first execution It […]

Daily Blog #593: Forensic Lunch Test Kitchen 1/10/19 Windows 10 Userassist

Hello Reader,         Tonight I changed the course of our testing in a slight detour, ok maybe a hard right, over to Windows 10 because I remembered an artifact that has been bugging me. The UserAssist artifact that has been a friend of mine since 2002 (I wrote about it in 2004 in the first hacking exposed computer […]

Daily Blog #592: Syscache and SHA 16bit hashes

Hello Reader,          Tonight I’m applying my Syscache research in some casework and while testing things out I realized something that I don’t think was properly documented before. The Syscache SHA-1 hashes appear to be base16 hashes not base32 hashes. So before you begin looking for that malicious executable make sure you’ve generated the correct hash!

Daily Blog #591: SANS Jeddah March 2019

Hello Reader,            Are you in the Middle East? If so I’m to Jeddah Saudi Arabia for the first time to teach SANS FOR500 Windows Forensics: If you like any of the things I write about or show here on the blog you will love this 6 day class as we go deep into Windows Forensics […]

Daily Blog #590: No Country for Old Unicorns

Hello Reader,      Well the need to resurrect Unicorns in Office 365 appears to finally be coming to an end. According to the latest Office 365 updated feature notes the default mailbox auditing permissions we all hoped would be there are finally rolling out to everyone.  This means that in TLDR: Office365 starting 2/1/19 (that’s from the action required […]

Daily Blog #589: Sunday Funday 1/6/19

Hello Reader,         We had some great submissions last week and hopefully this will be the trend for the new year. Let’s keep the pace with this weeks challenge The Prize:$100 Amazon GiftcardThe Rules: You must post your answer before Friday 1/11/19 7PM CST (GMT -5) The most complete answer wins You are allowed to edit your answer […]

Daily Blog #588: Solution Saturday 1/5/19

Hello Reader,       Sometimes you have a winning entry that exceeds all of your expectations. This week is that week for me. Maxhim Suhanov has come through with some pretty thorough testing to show what processes write to the Syscache hive and what dll’s reference it. This is great work and I look forward to trying out the application […]

Daily Blog #587: Forensic Lunch Test Kitchen 1/4/19 Server 2019 Amache

Hello Reader,     Tonight we continued our exploration of Server 2019 with a look into how Amcache is behaving on it. Here is what we learned: Amcache is still scanning the desktop for executables and adding them to the Amcache when the Application experience scheduled task runs, even if the executable was never run Like Server 2008 R2 Amcache is […]

Daily Blog #586: Forensic Lunch Test Kitchen Server 2019 Shimcache Srum Syscache

Hello Reader,      Tonight we extended our search to see if the Syscache hive came back to life by looking into Windows Server 2019, Here is what we learned: No Syscache hive by default in Server 2019 There is a SRUM database by default in Server 2019 There is an Amcache hive by default in Server 2019 There is […]

Daily Blog #585: Happy new year 2019

Hello Reader,        New years eve was great and new years day proved to be full of family activities so I missed a day of blogging. I hope you enjoyed your holiday as well, if you had one, and let’s talk DFIR new years resolutions. Here are mine: To continue daily blogging throughout 2019 To build out the […]

Daily Blog #584: New Years Eve 2018

Hello Reader,      I’m writing this in 2019 as we had way too much fun on new years eve. I haven’t gotten to bed yet so I think this counts as a daily blog still. Tomorrow i’ll post my hopes for the new year of DFIR work but in this post I just want to say thank you. Thank […]

Daily Blog #583: Sunday Funday 12/30/18

Hello Reader,      This will be the first Sunday Funday for 2019 since when the submissions are received and judged the winner will be announced in 2019. Let’s see what your system monitoring/debugging skills are like. The Prize:$100 Amazon GiftcardThe Rules: You must post your answer before Friday 1/4/19 7PM CST (GMT -5) The most complete answer wins You […]

G-C Partners