Daily Blog #422: Solution Saturday 7/14/18
Hello Reader, Things are always changing in forensics and especially forensic analysis of cloud hosted systems. This week's challenge involved Office 365 audit logs and while the contest was...
Daily Blog #423: Sunday Funday 7/15/18
Hello Reader, Windows 10 keeps on changing and with it new features come along that we care about and old features we were excited about disappear. Let's see if you can solve this missing...
Daily Blog #424: The registry key so nice they named it twice, computername...
Hello Reader, I enjoy teaching forensics as students always ask questions to make you figure out things you just take for granted. A good example of this was last month while in Amsterdam...
Daily Blog #425: How I Use It: Userassist
Hello Reader, I'm currently teaching in Abu Dhabi and hanging out with my family at night which means I'm not investing the time to do the next level of MAPI testing I need to do. Instead...
Daily Blog #426: Directory Copy and Paste Artifacts in Windows 10
Hello Reader, I've talked about this in the Forensic Lunch and I think showed it once in a Test Kitchen but I don't think I've written about it in the blog. After reading the ongoing...
Daily Blog #427: Bitlocker Experiments Part 1
Hello Reader, In a prior Sunday Funday regarding Bitlocker drives and Windows upgrades I extended my ask a bit too far in what I put into the challenge and justifiably received no submissions....
Daily Blog #428: Forensic Lunch 7/20/18
Hello Reader, We had a great Forensic Lunch today with our guest Arman Gungor (@armangungor) from metaspike.com, talking about his research posted on the meridian discovery blog (like this...
Daily Blog #429: Solution Saturday 7/21/18
Hello Reader, Another week, another challenge. It came down to the wire, that I extended, but we have an answer and a winner. This week's winner Justin Boncaldo sent in the only entry, many...
Daily Blog #430: Sunday Funday 7/22/18
Hello Reader, Another week already? Time for another challenge to keep your wheels turning and your research skills sharp. This week let's talk about time zones and Windows. With Windows 10...
Daily Blog #431: Bitlocker Experiments Part 2
Hello Reader, I'm continuing my Bitlocker experiments while here in Abu Dhabi until I return home this weekend to do more MAPI testing of OWA changes. After my last post and experiment I...
Daily Blog #432: Bitlocker Experiments Part 3
Hello Reader, I was reading the libbde specification again and noticed I was missing something in the screenshots I posted yesterday. Yesterday I stated the hostname of the computer that...
Daily Blog #433: Bitlocker Experiments Part 4
Hello Reader, I've now extracted the FVE Metadata block from a VHD encrypted with BitLocker while BitLocker is active and is protecting the VHD with a password and after I turned off...
Daily Blog #434: Bitlocker Experiments Part 5
Hello Reader, As I was looking at the FVE metadata header and decoding the output I realized two things. 1. There is more here than I previously understood, I didn't appreciate the layering...
Daily Blog #435: Forensic Lunch 7/27/18
Hello Reader, Greetings from my flight from Abu Dhabi to Dallas, Texas. We had a Forensic Lunch today with just Matt and I talking about Bitlocker, the Defcon DFIR CTF and making future...
Daily Blog #436: Solution Saturday 7/28/18
Hello Reader, Jet lag got me and I fell asleep before posting this earlier, but I'll take advantage of this random wake up time to post the winning answer. This week I thought I didn't have...
Daily Blog #437: Sunday Funday 7/29/18
Hello Reader, Another week, another challenge. If you are reading this don't feel your answer needs to be perfect to submit. You never know when everyone else got too busy to try. Give the...
Daily Blog #438: Validating the Windows 10 Copy Paste artifact
Hello Reader, If you don't read the port139 blog, you should! In its most recent post, the port139 blog, translated from Japanese to English, validated the Windows 10 copy paste artifacts I...
Daily Blog #439: Jumplist maximum storage
Hello Reader, There is some interesting testing going on with shell item storage. The quirks of lnk file naming and storage by extension are surprising and need more testing before its...
Daily Blog #440: Windows 10 Notifications Database
Hello Reader, I had stopped thinking about the Windows 10 notifications database since I last saw Yogesh Khatri's blog post about it here. I was reviewing a file list produced by an opposing party...
Daily Blog #441: Changes in Windows 10
Hello Reader, One of the problems we are having recently in Windows 10 forensics is that what would previously be identified with a major service pack version or a new version of Windows is...