Daily Blog #621: ADFS accounts in SAM hives
Hello Reader, I wanted to make a quick post about ADFS (Active Directory Federated Services) and Azure AD. If the Windows system you are examining has a user that is authenticating against...

Daily Blog #622: Solution Saturday 2/9/19
Hello Reader, This week Oleg Skulkin has come in with another win! Oleg found some interesting results. In Oleg's testing all of his executions were caught by the Amcache, except those...

Daily Blog #623: Sunday Funday 2/10/19
Hello Reader, Keeping up with all of the materials that the community makes based on the work you, the reader, do in Sunday Funday challenges really makes it all worth it. Let's keep this...

Daily Blog #624: Microsoft Defender ATA Golden Ticket False Positive
Hello Reader, I'm writing this post to serve as a bookmark for the future for anyone out there searching for this. If it's late at night and you have Microsoft Defender ATA in your network...

Daily Blog #625: Solution Saturday 2/16/19
Hello Reader, I was wondering 6 months ago what would make me miss a day of blogging; it turns out the answer is moving! So now that things are settling down I should be back on schedule....

Daily Blog #626: Sunday Funday 2/17/19
Hello Reader, Let's reevaluate challenges again. Last week I either asked for too much or went too niche, so let's open it up again. The point of these challenges is to get you the larger DFIR...

Daily Blog #627: Deep Freeze and DFIR
Hello Reader, While I didn't have any winners for last week's Sunday Funday I did want to draw your attention to the answers that were already present, from 8 years ago. Lance Mueller who...

Daily Blog #628: DFIR in 120 Seconds
Hello Reader, I know many of you are looking to get a better understanding of many of the fundamentals of DFIR. In most of my daily writing I focus on new things that I'm researching or find...

Daily Blog #629: Coreanalytics Update
Hello Reader, Back in July of 2018 Crowdstrike wrote a very interesting post all about Core Analytics, a service that runs by default on OSX that tracks aggregate daily data about executables...

Daily Blog #630: Sunday Funday 2/24/19
Hello Reader, Last week's challenge went unanswered, but I know there is a movement towards Mac forensics slowly building in the world. Though most of us are still focused on Windows or...

Daily Blog #631: Elcomsoft IOS Toolkit and IOS 12
Hello Reader, If you haven't already heard Elcomsoft had updated their IOS Forensic Toolkit recently, you can check it out here: https://www.elcomsoft.com/eift.html. We got a license and tested...

Daily Blog #632: Using Elcomsoft IOS Toolkit on an iPhone with IOS 12.1
Hello Reader, Kevin Stokes is the mobile forensics champion in our offices at G-C Partners. When we got a copy of the new Elcomsoft IOS toolkit it was Kevin who went to work to test it out...

Daily Blog #633: Things you can't find in Gsuite logs for $100
Hello Reader, I was working a case recently where an ex-employee was believed to have retained a company's data. They informed me that they found evidence the ex-employee had downloaded...

Daily Blog #634: AWS GuardDuty false positives
Hello Reader, This is another post that I'm making in the hopes that someone who is searching for this will find it and get their answer. Do you have VMs running in AWS? Do you have Amazon...

Daily Blog #635: Solution Saturday 3/2/19
Hello Reader, This week we have a new winner entering the challenge! Please congratulate Amy Francis for her winning answer! The Challenge: On OSX Mojave list all of the Plists that would record a file...

Daily Blog #636: Sunday Funday 3/3/19
Hello Reader, Let's see if we can keep your OSX skills sharp. This time with an artifact that spans iOS and OSX, get your sqlite database skills ready for this week's challenge. The Prize: $100...

Daily Blog #637: Forensic 4cast Award Nomination 2019
Hello Reader, It's that time of year again, time for you to submit your nominations for the Forensic 4Cast awards! If you are not familiar with the awards or the process let me break it down...

Daily Blog #638: Kape and Forensic Lunch
Hello Reader, If you haven't already you should check out KAPE, https://www.kroll.com/en/insights/publications/cyber/exploring-kapes-graphical-user-interface KAPE is what I assume is the first...

Daily Blog #639: DFRWS CFP and CFT
Hello Reader, Want an excuse to escape your summer weather for the wonders of the pacific northwest? Well, DFRWS, the academic / practitioner conference where new and interesting ideas are always...

Daily Blog #640: Regipy - A new python windows registry forensics library
Hello Reader, As I was talking about in #638 I believe automation in DFIR is a big part of our future. With the idea of automating the extraction and basic correlation of data so that a human...