Daily Blog #624: Microsoft Defender ATA Golden Ticket False Positive

Hello Reader, I’m writing this post to serve as a bookmark for the future for anyone out there searching for this. If it’s late at night and you have Microsoft Defender ATA in your network monitoring your systems and suddenly, you get a High Alert that a golden ticket was in use … take a […]

Daily Blog #623: Sunday Funday 2/10/19

Hello Reader, Keeping up with all of the materials that the community makes based on the work you the reader does in Sunday Funday challenges really makes it all worth it. Let’s keep this amazing streak going with this week’s DeepFreeze challenge. The Prize: $100 Amazon Giftcard. The Rules: You must post your answer before Friday 2/15/19 […]

Daily Blog #622: Solution Saturday 2/9/19

Hello Reader, This week Oleg Skulkin has come in with another win! Oleg found some interesting results. In Oleg’s testing all of his executions were caught by the Amcache, except those programs executed from external storage volumes. Very interesting! I think we will have to go back to Syscache and Amcache again in the near […]

Daily Blog #621: ADFS accounts in SAM hives

Hello Reader, I wanted to make a quick post about ADFS (Active Directory Federated Services) and Azure AD. If the Windows system you are examining has a user that is authenticating against Azure AD in any configuration (cloud, hybrid, Office 365) then you should be looking for an additional key value that has been around […]

Daily Blog #620: Magnet User Summit 2018 CTFd site is closing

Hello Reader, With the 2019 Magnet User Summit coming up and with it the DFIR CTF we are working on for it, I think it’s time that I close down the 2018 site. You can access it for the month of February here: Why shut it down? Well, CTFd charges me $100 a month […]

Daily Blog #619: SANS DFIR Summit 2019 CFP is open!

Hello Reader, A quick reminder that the 2019 SANS DFIR Summit call for presentations is open! Happening in Austin, Texas on July 25-26, 2019, the SANS DFIR Summit has some of the best presentations of the year. We look forward to this event everywhere as usually there is some new tool or research shown […]

Daily Blog #618: Magnet User Summit 2019 CTF is Full

Hello Reader, I registered today for the Magnet User Summit and noticed that the CTF that Matt and I are hosting with Magnet and specifically in cahoots with Jessica Hyde is now full! If you made the cut before it was full, get ready for some stiff competition and some great prizes. If you didn’t […]

Daily Blog #617: Sunday Funday 2/3/19

Hello Reader, 2019 is becoming a pretty great year for responses to these challenges. It’s always tough to weigh different answers to find the one that is ‘most complete’ and I appreciate all the hard work all of you put into it. Even if you don’t submit an answer and just work on the challenge I […]

Daily Blog #616: Solution Saturday 2/2/19

Hello Reader, I had some great submissions this week as people really got into shellbags research. This week Kevin Pagano managed to edge out a win with the extra work he did in showing the differences in how the data was recorded with different preferences in sorting and other features. The biggest thing that I took away […]

Daily Blog #615: Forensic Lunch 2/1/19 Blanche Lagney Amcache DFIR Review

Hello Reader, We had another Forensic Lunch! This was a great episode and here are the details. This week we have: Blanche Lagny talking about her paper on Amcache; the DFIR Review crew talking about .. DFIR Review! The DFIR Review crew entails: Jessica Hyde, Vico Marziale, Brett Shavers, Tony Knutson. You can watch it here:

Daily Blog #614: Forensic Lunch Test Kitchen 1/31/19 Deep Freeze Windows 10

Hello Reader, Tonight we continued testing Deep Freeze on Windows 10 to find out what data was recoverable and how or if the data had been changed. Here is what we learned: The deleted data appears not just to be partially overwritten but moved physically on the disk. When new data is written the older data from […]

Daily Blog #613: Forensic Lunch Test Kitchen 1/30/19 Deep Freeze on Windows 10

Hello Reader, I’ve been asked quite a lot about recovering data from Windows 10 if Deep Freeze was installed. Now I’ve had theories and hypotheses regarding how Deepfreeze works and what should be possible, but tonight I got an evaluation version of Deepfreeze and a new Windows 10 VM to find out for sure. Here is what […]

Daily Blog #612: Unified Log Parsing

Hello Reader, Yogesh Khatri continues to push out new OSX forensic tools; if you haven’t used mac_apt you really should be. Now Yogesh has given us a Unified Log Parser which will allow you to parse unified logs on any platform, and since it’s Python it should be easy to extend or reuse his code […]

Daily Blog #611: Forensic Lunch Schedule 2019

Hello Reader, So I’ve been pretty bad at pre-scheduling forensic lunches lately, so I decided to look at my calendar and commit to a schedule for the first quarter of 2019. So what follows are the scheduled dates for the first quarter of 2019. I already have guests lined up for 2/1/19 and I’ll be looking […]

Daily Blog #610: Sunday Funday 1/27/19

Hello Reader, Last week I may have asked a bit much, so I’m reeling myself back in. This week I’ve posted a lot of links to other people’s work as I’ve been teaching SANS FOR500 during the day at the CTI Summit and doing my case work at night. However, thanks to great students sharing […]

Daily Blog #609: Solution Saturday 1/26/19

Hello Reader, Looks like my 2019 streak is now broken; this week we have no qualifying answers. When this happens I take it as a sign that the question was harder than I expected, which means I really need to focus on finding a real answer myself. I’ll be working on that and the […]

Daily Blog #608: DFIR Review

Hello Reader, A new organization within an organization has formed! The DFIR Review group within DFRWS has officially emerged from ‘stealth mode’ and is ready to give your DFIR research peer review and fast feedback. With a combination of academics and practitioners volunteering their time they are pledging to help you validate your work and look […]

Daily Blog #607: FOR498 Battlefield Forensics & Data Acquisition

Hello Reader, SANS is announcing a new DFIR course written by Kevin Ripa and Eric Zimmerman called FOR498: Battlefield Forensics & Data Acquisition. It’s a course that focuses on dealing with all the onsite triage you will encounter when gathering evidence in a variety of environments, with a big focus on preserving data from a […]

Daily Blog #606: Elcomsoft blog about Factory Access Mode

Hello Reader, I know this came out a week ago but I don’t think I wrote about it. I found this article written by Elcomsoft employee Oleg Afonin to be fascinating! Oleg is writing all about how to get an SSD drive into factory access mode, allowing an examiner to get access to all the data […]

Daily Blog #605: CTI Summit 2019

Hello Reader, Between calls and work I got to watch some of the CTI Summit this week in DC prior to my class that starts tomorrow. I will admit that I look at CTI mainly from the outside, trying to understand how it really works and what is real vs marketing. Prior to the CTI […]

G-C Partners