Blog

Daily Blog #531: DFIR In Depth: Windows Forensics

Hello Reader, After an excellent suggestion yesterday (thanks, Bobby Joe), I’ve decided to get back to book writing. However, this time I’m going to try to push out iterative updates as I complete it via LeanPub. My plan is to push out the first outline and first chapter as the first ‘completed book’ and then take advantage of […]

Daily Blog #530: Teaching SANS Windows Forensics in the USA

Hello Reader, I think it’s been a year since I’ve taught a public SANS FOR500 class in the USA. I’m happy to say I’ll be teaching FOR500 Windows Forensics at the SANS CTI Summit in Arlington, VA, January 23-28, 2019. I’ll also be there for the CTI Summit and look forward to meeting you […]

Daily Blog #529: Human Bias and Shimcache

Hello Reader, I’ve had the pleasure of teaching SANS FOR500 Windows Forensics around the world the last couple of years. In that time I’ve been doing a bit of an experiment in each country and keeping track of where the students were from. For every class in every country I bring up a spreadsheet of parsed […]

Daily Blog #528: Sunday Funday 11/4/18

Hello Reader, We had some great submissions last week, so I’m hoping to keep the trend up with similar challenges! The Prize: $100 Amazon Gift Card. The Rules: You must post your answer before Friday 11/9/18 7PM CST (GMT -5). The most complete answer wins. You are allowed to edit your answer after posting. If two answers are too […]

Daily Blog #527: Solution Saturday 11/3/18

Hello Reader, This week I got multiple qualifying submissions, all of which answered the base challenge, meaning that it came down to the most complete answer. This week a new challenger arises victorious! Sandor Tokesi, in his first submission, has won the day by not only addressing the challenge for both Windows 7 and Windows […]

Daily Blog #526: Where are we going?

Hello Reader, A long day of flying, but luckily I have inflight wifi. Today I wanted to point you to a tweet from Pasquale Stirparo (https://twitter.com/pstirparo/status/1058301948145922048?s=09): “I have a dream where, in our community, everyone would stop building his/her own “yet another new” #FOSS tool to fix the same problem as many other already there, instead of joining […]

Daily Blog #525: Office 2016 Backstage artifact parser

Hello Reader, One of the things I love the most is collaboration within the DFIR world. Today I’m happy to link to Brian Gerdon’s (of Arsenal Recon) implementation of the Office 2016 backstage artifact in a Python parser, so you don’t have to just stare at a bunch of text files or JSON files. You […]

Daily Blog #524: Forensic Lunch 10/31/18

Hello Reader, This week on the Forensic Lunch we had Hal Pomeranz talking all about XFS file systems and XFS forensics. Tune in and hear about how XFS works and what we can recover:

Daily Blog #523: Forensic Lunch Test Kitchen 10/30/18

Hello Reader, Another test kitchen focused on the Recycle.Bin tonight, continuing last night’s testing. Last night the question we were left with is what triggers the initial creation of the Recycle.Bin directory, since it’s not part of the initial format. Here is what we learned: Creating a file on the drive will trigger a Recycle.Bin. Waiting 5 […]

Daily Blog #522: Forensic Lunch Test Kitchen 10/29/18

Hello Reader, Tonight on the test kitchen we followed up on a viewer request from Neck aka @AaronSWeiss on Twitter to do some $Recycle.Bin testing on Windows 10 and Windows 7. I validated some facts I’ve tested before, but not necessarily on Windows 10, as well as learned new things. Here is what we learned: On a fixed disk […]

Daily Blog #521: Sunday Funday 10/28/18

Hello Reader, In an attempt to engage you and get your inner researcher going, I’m again changing things up this week. This week let’s get back to basics and see what you can tell me. The Prize: $100 Amazon Gift Card. The Rules: You must post your answer before Friday 11/2/18 7PM CST (GMT -5). The most […]

Daily Blog #520: Solution Saturday 10/27/18

Hello Reader, No winners this week; let me know what’s holding you back from entering!

Daily Blog #519: Forensic Lunch Test Kitchen 10/26/18

Hello Reader, Well, I didn’t have time today to do a Forensic Lunch, which means tonight we had another Test Kitchen! I will have to do a Forensic Lunch early next week to meet the two-broadcasts-a-month goal of the Forensic Lunch, likely Tuesday unless we have a special Halloween edition! I’ll line up […]

Daily Blog #518: Forensic Lunch Test Kitchen 10/25/18

Hello Reader, Tonight’s test kitchen continued last night’s RDP-focused testing. Tonight we went through the event logs using the TZWorks tool evtwalk to find all event logs that referenced the host IP addresses we used in the RDP connections, along with our hostnames. We also manually turned off NLA to see what it […]

Daily Blog #517: Forensic Lunch Test Kitchen 10/24/18

Hello Reader, Another test kitchen with a lot of you tuning in live on very short notice! Thanks to everyone who made the live broadcast; it really does make the whole thing way more fun for me when all of you get involved. Tonight we continued digging into RDP events looking to understand when and how […]

Daily Blog #516: Forensic Lunch Test Kitchen 10/23/18

Hello Reader, We had another test kitchen tonight with a focus on RDP brute forcing a Windows system from Kali, attempting to use ncrack, hydra and patator. We had mixed results, but here is what we learned: Windows 10 RDP appears to not be compatible with Ncrack or Hydra. Neither could attempt to log in. Patator requires FreeRDP to […]

G-C Partners