Daily Blog #582: Solution Saturday 12/29/18

Hello Reader,         Well no winner this week, I may have pushed a bit far in a holiday week. Tomorrow is the first contest for the new year and we will all have a fresh start. The Challenge:On server 2008 r2 how would the following be seen in the syscache and what was logged:1. Powershell empire agent2. Meterpeter3. […]

Daily Blog #581: Forensic Lunch Test Kitchen 12/28/18 Syscache Applocker and Server 2012

Hello Reader,         Tonight we booted up a server 2012 VM which is in line with Windows 8.1 looking to see if we could find a syscache hive with and without applocker configured. So far no such luck but we will keep trying. If you want to watch the video you can do so here:

Daily Blog #580: Applocker and Windows 10

Hello Reader,          Didn’t get started until very late tonight so I didn’t do a broadcast, tomorrow though we will for sure. Instead I decided to see if I could get Applocker going on Windows 10 Enterprise since I already have a VM running it. I turned Applocker into audit only mode, made default rules and executed […]

Daily Blog #579: The meaning of Syscache.hve

Hello Reader,     One of the things I’ve often repeated the last couple of test kitchens in regards to the Syscache hive is why does it exist. In earlier googling I thought based on its locations in slide presentations that it might be involved in the volume shadow copy system, something Maxim Suhanov does not agree with. This left the […]

Daily Blog #578: Merry Christmas 12/25/18

Hello Reader,        At every major holiday I post a recipe on my wife’s advice. She said you would at some point want to read something not technical. So since it’s Christmas I thought I would share one of the recipes I’ve been making for my family and friends. For a number of years I made Nigella Lawson’s […]

Daily Blog #577: Christmas Eve 12/24/18

Good evening reader,We are all tucked in and hoping that DFIR santa is bringing us new artifacts for Christmas. Tomorrow I’ll likwly be posting a recipe but I wanted to wish you good tidings and a happy new year!

Daily Blog #576: Sunday funday 12/23/18

Hello Reader,    Let’s finish the year right. The last challenge of 2018 needs to be special. The Prize:$100 Amazon GiftcardThe Rules: You must post your answer before Friday 12/28/18 7PM CST (GMT -5) The most complete answer wins You are allowed to edit your answer after posting If two answers are too similar for one to win, the one […]

Daily Blog #575: Solution Saturday 12/22/18

Hello Reader,I always love introducing new winners to the community and this week I get my wish. Please congratulate Bastien Lardy with his winning Python DFVFS submission! The Challenge: Write a python script using DFVFS that uses the source scanner function to enumerate partitions and shadow copies. It should then provide the ability to extract a file and provide its […]

Daily Blog #574: Forensic Lunch 12/21/18 Alissa Torres, Dr. Joe Sylve

Hello Reader,        Today we had another Forensic Lunch! This week we had: Alissa Torres, (@sibertor) talking all about the changes for FOR526 as a 6 day bootcamp of memory forensic goodness, with daily Netwars challenges! You can find out more and sign up here: Alissa and I also talked about the CTI Summit which is happening the […]

Daily Blog #573: Forensic Lunch Test Kitchen 12/20/18 Syscache and Server 2008 R2

Hello Reader,       Tonight after finding out from you that the Syscache.hve exists on Server 2008 R2 we switched OS’s in our testing and focused on Syscahe on Server 2008 R2 and away from Windows 7 for now. Here is what we learned: The Syscache hive exists on an unpatched Server 2008 R2 SP1 system The syscache hive exists […]

Daily Blog #572: Forensic Lunch Test Kitchen 12/19/18 Syscache and Python

Hello Reader,      Tonight we wrote some python code to recover the full path of the files referenced in the Syscache hive, added in the ProgramID and then viewed the data in Timeline Explorer to see the relation between the executables. We learned: That pytsk does not have an attribute for parent reference number, so we had to extract […]

Daily Blog #571: Forensic Lunch Test Kitchen 12/18/18 Syscache

Hello Reader,        Another evening, another test kitchen! Tonight we looked even deeper into the Syscache and we learned: Bat files are recorded in the Syscache hives when executed Bat files and other executables run from the Desktop are not recorded in the Syscache Powershell files (ps1) are not caught in the Syscache hive Deleting a file did […]

Daily Blog #570: Forensic Lunch Test Kitchen 12/17/18 Syscache.hve

Hello Reader,       Tonight in the Test Kitchen we expanded our testing of the Syscache hive by adding more data from our python script that is matching MFT entries to the Syscache entries. Here is what we learned: The syscache hive seems to record atleast exe, dll, bat and cmd files executed The syscache hive like the Amcache hive […]

Daily Blog #569: Sunday Funday 12/16/18

Hello Reader,             Last week I got you searching for DFVFS, this weeks let’s see you program in DFVFS! We’ve done a lot of different challenges for the Sunday Funday series so why not continue to mix it up and see what you’ve learned. Need some code examples? Look at yesterdays winning answer: The Prize:$100 Amazon […]

Daily Blog #568: Solution Saturday 12/15/18

Hello Reader,This week I changed up the challenge and you stepped up to the task. This week the master of DFIR knowledge summarization used his skills to pull of a win by one project. Congratulations to Phill Moore (and his baby) for this weeks win! The Challenge: Find all the projects out there that are making use of DFVFS ( […]

Daily Blog #567: Forensic Lunch 12/14/18

Hello Reader,         It’s the forensic lunch! This broadcast we had Eric Huber talking about his work at the NW3C (National White Collar Crime Center) and his investigations into Cryptocurrencies. I think you’ll enjoy it! You can read Eric’s Blog here: can follow Eric on twitter here: can learn more about the NW3C here: Watch the video below:

Daily Blog #566: Forensic Lunch Test Kitchen 12/13/18

Hello Reader,         This was another test kitchen were we mainly got some python code to work and in the end were able to print all of the file name’s out of the file name attributes for every file referenced in the Syscache hive Object key. This isn’t done though as next week I need to add in […]

Daily Blog #565: Seeing Double (access dates)

Hello Reader,         Got some medicine today so hopefully I’ll be able to stop coughing tomorrow. In the meantime I’d like to point you to some very interesting work Maxim Suhanov is doing. You can read the tweet thread here: Maxim found that Windows is keeping two last access dates, one on the disk and one in […]

Daily Blog #564: Tool spotlight Artifact Extractor

Hello Reader,      Well my cough has gotten worse so no test kitchen tonight or else you would mainly hear my coughing. So tonight I thought I would take the time to spotlight one of the tools you could be including in your Sunday Funday submission this week, Artifact Extractor. You can check it out here: What Silv3rHorn has […]

Daily Blog #563: Forensic Lunch Test Kitchen 12/10/18

Hello Reader,         Another test kitchen down! This time we went back to the Syscache.hve in Windows 7 trying to understand its limitations and its purpose in the operating system. Here is what we found: Programs executed from the Desktop whether from the command line or GUI were not being inserted into the Syscache.hve Programs executed from a […]

G-C Partners