Channel: Another Forensics Blog
Browsing latest articles
Browse All 40 View Live

What's the Word - Thunderbird! - Parser that is....

Thunderbird is a free email client by Mozilla (similar to Outlook).  Most of the major Forensic tools support parsing this data in one way or another.  However, I recently came across a Thunderbird...


Safari and iPhone Internet History Parser

Back in June, I had the opportunity to speak at the SANS DFIR Summit.  One of the great things about this conference was the ability to meet and socialize with all the attendees and presenters. While I...


SQLite Deleted Data Parser - GUI Added

Last year I wrote a Python script to parse deleted data from SQLite Databases (original post here). Every once in a while, I get emails asking for help on how to use the SQLite Parser from users who are...


Timestomp MFT Shenanigans

I was working a case a while back and I came across some malware that had time stomping capabilities. There have been numerous posts written on how to use the MFT as a means to determine if time...


USN Journal: Where have you been all my life

One of the goals of IR engagements is to locate the initial infection vector and/or patient zero. In order to determine this, timeline analysis becomes critical, as does determining when the  malware...


Dealing with compressed vmdk files

Wherever I get vmdk files, I take a deep breath and wonder what issues might pop up with them. I recently received some vmdk files and when I viewed one of these in FTK Imager (and some other...


Does it make sense?

Through all my high school and college math classes, my teachers always taught me to step back after a problem was completed and ask if the answer made sense.  What did this mean?  It meant don't just...


SQLite Deleted Data Parser Update - Leave no "Leaf" unturned

One of the things I love about open source is that people have the ability to update and share code.  Adrian Long, aka @Cheeky4n6Monkey, did just that. Based upon some research, he located additional...


Who's your Master? : MFT Parsers Reviewed

The Master File Table (MFT) contains the information related to folders and files on an NTFS system. Brian Carrier (2005) stated “The Master File Table is the heart of NTFS because it contains the...


More on Trust Records, Macros and Security, Oh My!

There is a registry key that keeps track of which documents a user has enabled editing and macros for from untrusted locations. This happens when the user clicks the "Enable Editing" button on the...


QuickLook Python Parser - all your BLOBs belong to us

I've always mentioned in my presentations and blog posts that if anyone needs any help parsing an artifact, to hit me up - I love working on these types of projects in my spare time. Matthew Feilen...


How to image a Mac with Live Linux bootable USB

One thing I've learned when it comes to imaging Macs is it's good to have options. When encountering Macs, it seems like there is always a challenge. No firewire ports for target disk mode, no easy...


How to image a Mac using Single User Mode

This is the second post in my series on different ways to image a Mac. My first post was on how to image a Mac with a bootable Linux distro. This post will cover another option, creating an image by...


Mounting and Reimaging an Encrypted FileVault2 Mac Image in Linux

Before I continue my series on how to image Mac systems, I wanted to cover how to mount and work with FileVault2 encrypted Mac images. By "work with", I mean decrypt it and create an image of the...


Cookie Cruncher Update, Timelines, Chrome Parser and more

I just wanted to pass on that I had a chance to update my Google Analytic Cookie Cruncher to support Firefox up to version 48. I can't believe it's been two years since I've updated the code! I know...


Mac Live Imaging: Functionality Versus Speed

My series on imaging a Mac would not be complete without covering how to do a live acquisition of a Mac. Now that FileVault2 appears to be the default during installs with Sierra, a live image may be...


Quicklook thumbnails.data parser

Earlier this year at the request of a reader I wrote a tool to parse the Quicklook thumbnails index.sqlite file. This sqlite database stores information related to thumbnails that have been generated...


When Windows Lies

Wait, What? Windows lies? I believe so...I worked a case where I checked the Windows Install date and it was a couple days before we received the system. GREAT....did the user reformat their drive and...


Onion Peeler: Batch Tor Lookup Program

Logs, Logs, Logs. I see, IPs. When reviewing log files for suspect activity it can be helpful to look up information related to IP addresses. There is a great utility for this by Nirsoft called...


Finding and Decoding Malicious PowerShell Scripts

PowerShell. It's everywhere. I've started coming across more and more malicious PowerShell scripts. Why do attackers love using PowerShell? Because it's native to many versions of Windows, provides...


How to mount Mac APFS images in Windows

APFS is the new file system for Mac OS, and so far, many forensic suites are playing catch up as far as support goes. As such, workarounds may need to be employed in order to conduct analysis on Mac OS...


Mounting an APFS image in Linux

As a follow up to my post on how to mount APFS images on Windows, I wanted to post about how to mount an APFS image on a Linux system. If you are looking for how to mount an APFS image on a Mac, Sarah...


Malicious PowerShell in the Registry: Persistence

This is the second part in my series on Finding and Decoding Malicious PowerShell Scripts. My first blog post walked through how to find malicious PowerShell scripts in the System event log, and the...


Triage Collection and Timeline Generation with KAPE

As a follow up to my SANS webcast, I wanted to post detailed instructions on how to use KAPE to collect triage data and generate a mini-timeline from the data collected. As much as I hate to say "push...


Detecting Lateral Movement with WinSCP

RDP is a common way for an attacker to move laterally within an environment. Forensically, when an attacker uses RDP we can use artifacts such as shellbags, link files and jumplists on the remote...
