Blog

Daily Blog #644: Creating decrypted images of APFS file systems encrypted with T2 Chips with MacQuisition

Hello Reader, Dealing with T2 Chips on recent model Macbooks has been a real pain point for us in the lab, so I was very, very happy to read that Blackbag (thanks Joe and Vico!) have figured out how to transparently decrypt the physical blocks of a drive being managed by a T2 chip at imaging […]

Daily Blog #643: Sunday Funday 3/10/19

Hello Reader, On this blog we focus on a lot of host related issues, but the world is no longer confined to single on premises hosts anymore. This week let’s set our challenge sights to the skies and start seeing what you can research about … the cloud. The Prize: $100 Amazon Giftcard. The Rules: You must post your […]

Daily Blog #642: Solution Saturday 3/9/19

Hello Reader, I love weeks when we get to crown new winners. Tun is not new to DFIR, you may have seen his tweets before, but he is new to the Sunday Funday winners circle. Tun did some great testing which he documented below specifically for OSX. Give his work a look and join me in congratulating Tun […]

Daily Blog #641: Forensic Lunch 3/8/19 Eric Zimmerman Lee Whitfield

Hello Reader, Today the Forensic Lunch returned! This week we had: Eric Zimmerman talking about KAPE: how KAPE works, how you can use it, how to automate it, and how you can extend it. Lee Whitfield went through all of the nomination categories for this year’s Forensic 4Cast awards. We also covered the rules of nominating people! […]

Daily Blog #640: Regipy – A new Python Windows registry forensics library

Hello Reader, As I was talking about in #638, I believe automation in DFIR is a big part of our future: automating the extraction and basic correlation of data so that a human can use their brain. As we work towards that I’m always looking for new libraries that can support that effort, […]

Daily Blog #639: DFRWS CFP and CFT

Hello Reader, Want an excuse to escape your summer weather for the wonders of the Pacific Northwest? Well, DFRWS, the academic / practitioner conference where new and interesting ideas are always heard first, is coming to Portland, Oregon this July 14-17. Matt and I went to DFRWS when it was in Austin two years ago and came away […]

Daily Blog #638: Kape and Forensic Lunch

Hello Reader, If you haven’t already, you should check out KAPE: https://www.kroll.com/en/insights/publications/cyber/exploring-kapes-graphical-user-interface KAPE is what I assume is the first step in a DFIR automation pipeline that most of the large consulting companies, and many of the large DFIR internal organizations, have built. KAPE solves the need of building a flexible triage tool that will extract data from live […]

Daily Blog #637: Forensic 4Cast Award Nominations 2019

Hello Reader, It’s that time of year again, time for you to submit your nominations for the Forensic 4Cast awards! If you are not familiar with the awards or the process, let me break it down for you. The Forensic 4Cast awards themselves are currently the only community-driven, DFIR-focused awards we have. The nominations […]

Daily Blog #636: Sunday Funday 3/3/19

Hello Reader, Let’s see if we can keep your OSX skills sharp. This time, with an artifact that spans iOS and OSX, get your SQLite database skills ready for this week’s challenge. The Prize: $100 Amazon Giftcard. The Rules: You must post your answer before Friday 3/8/19 7PM CST (GMT -5). The most complete answer wins. You are allowed […]

Daily Blog #635: Solution Saturday 3/2/19

Hello Reader, This week we have a new winner entering the challenge! Please congratulate Amy Francis for her winning answer! The Challenge: On OSX Mojave list all of the Plists that would record a file being interacted with. The Winning Answer: Amy Francis My answer for the challenge: On OSX Mojave list all of the Plists that would record a file […]

Daily Blog #634: AWS GuardDuty false positives

Hello Reader, This is another post that I’m making in the hopes that someone who is searching for this will find it and get their answer. Do you have VMs running in AWS? Do you have Amazon GuardDuty running? Did you just get an alert that claimed your VM is originating an external connection to an external […]

Daily Blog #633: Things you can’t find in Gsuite logs for $100

Hello Reader, I was working a case recently where an ex-employee was believed to have retained a company’s data. They informed me that they found evidence the ex-employee had downloaded their Google mail, calendar and drive but couldn’t at the time explain how they knew that. So, like any investigator would/should, I requested and […]

Daily Blog #632: Using Elcomsoft IOS Toolkit on an iPhone with IOS 12.1

Hello Reader, Kevin Stokes is the mobile forensics champion in our offices at G-C Partners. When we got a copy of the new Elcomsoft IOS toolkit it was Kevin who went to work to test it out and understand what it was capable of. Kevin was nice enough to write up a quick guide to […]

Daily Blog #631: Elcomsoft IOS Toolkit and IOS 12

Hello Reader, If you haven’t already heard, Elcomsoft has updated their IOS Forensic Toolkit recently; you can check it out here: https://www.elcomsoft.com/eift.html. We got a license and tested it out, and what we found is that: A. It does not ship with any rootless jailbreaks. B. It does not automate the process of installing rootless jailbreaks. C. It does not do […]

Daily Blog #630: Sunday Funday 2/24/19

Hello Reader, Last week’s challenge went unanswered, but I know there is a movement towards Mac forensics slowly building in the world. Though most of us are still focused on Windows or Mobile in our daily DFIR endeavors, don’t let your Mac skills fall to the wayside when you most need them… in the event […]

Daily Blog #629: Coreanalytics Update

Hello Reader, Back in July of 2018 Crowdstrike wrote a very interesting post all about Core Analytics, a service that runs by default on OSX and tracks aggregate daily data about executables run on the system for a month. You can read their original work here: https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/ I’ve noticed that most of the writeups that I’ve seen about […]

Daily Blog #628: DFIR in 120 Seconds

Hello Reader, I know many of you are looking to get a better understanding of many of the fundamentals of DFIR. In most of my daily writing I focus on new things that I’m researching or find interesting, but I don’t typically take the time to cover the basics. Luckily Mathias Fuchs has started a video […]

Daily Blog #627: Deep Freeze and DFIR

Hello Reader, While I didn’t have any winners for last week’s Sunday Funday, I did want to draw your attention to the answers that were already present, from 8 years ago. Lance Mueller, who wrote/writes the ForensicKB blog, did his own Deep Freeze testing 8 years ago. Jessica Hyde reminded me of this while I […]

Daily Blog #626: Sunday Funday 2/17/19

Hello Reader, Let’s reevaluate challenges again. Last week I either asked for too much or went too niche, so let’s open it up again. The point of these challenges is to get you, the larger DFIR community, involved in your own research and testing so you can surprise yourself and help others in their work. […]

Daily Blog #625: Solution Saturday 2/16/19

Hello Reader, I was wondering 6 months ago what would make me miss a day of blogging; it turns out the answer is moving! So now that things are settling down I should be back on schedule. Speaking of things that were missed, this week’s contest had no qualifying submissions that I saw. So tune in […]

G-C Partners