Channel: Another Forensics Blog
Browsing all 40 articles

Searchhs.dat and the Bing Bar

I recently worked a case where I located some relevant information in a file called "searchhs.dat".  This file was located in the users directory under...

Windows Backup and Restore

A recent investigation led me to a Windows Backup file.  Windows 7 as well as Windows Vista includes a utility allowing the user to backup and restore folders, files and system information. This is not...

Automated Plist Parser

Plist files in the Mac world are the equivalent of, or as close as you are going to get to, registry files on Windows systems.  They contain system settings, application preferences, deleted user...

iParser: Automated Plist Parser Release

Let me preface this with saying, I.A.N.A.P.P. – I Am Not A Professional Programmer. I enjoy programming, and I hope others find this tool useful.  If you find a bug, please let me know.  If you have...

Google Analytics Cookie Parser

I recently watched an excellent webcast on the SANS website archive about "Not So Private Browsing". In this webcast, Google Analytics cookies are covered, and the wealth of information that can be...

iParser Update: Batch Processing Added

I figured before the end of the year I should cross off at least one thing on my list I have been meaning to do. When I first released iParser, I had some feedback asking for a way to batch process...

Dude, Where's My Data?

Harlan's tweet (view picture to the right) got me thinking, and I would like to share a case example that I feel drove this particular point home for me. Many of the 'Swiss Army' forensics tools will...

Finding and Reverse Engineering Deleted SMS Messages

Recovering deleted SMS messages from Android phones is a frequent request I get. Luckily, there are several places and ways to recover these on an Android phone.  After working a case that involved...

Google Analytic Values in Cache Files

A while ago I wrote about Google Analytic Cookies. These cookies can contain information such as keywords, referrer, number of visits and the first and most recent visit.  This information is stored in...

MS Office Recent Docs Plist Parser

Recently a post came up at Forensic Focus regarding the timestamps in the com.microsoft.office.plist file. I had a case several months ago where I ran into the same situation - trying to determine the...

Safari Binary Cookies - Now with more parsing power!

Safari stores cookies in a file called Cookies.binarycookies under the location ~/Library/Cookies/Cookies.binarycookies. In earlier versions of Safari, cookies were stored in a plist file which could...

Python Parser to Recover Deleted SQLite Database Data

Soooo.... last week I was listening to the Forensic Lunch and the topic of parsing deleted records from SQLite databases came up. These Forensic Lunches are every Friday and cover a wide range of...

Carving for Cookies: Supersize your Internet History Timeline using Google...

Google Analytics information can include values such as timestamps, page titles, keywords and page referrers which can be located on a user's computer. These values can be located in Cookie files and...

What's the Word - Thunderbird! - Parser that is....

Thunderbird is a free email client by Mozilla (similar to Outlook).  Most of the major Forensic tools support parsing this data in one way or another.  However, I recently came across a Thunderbird...

Safari and iPhone Internet History Parser

Back in June, I had the opportunity to speak at the SANS DFIR Summit.  One of the great things about this conference was the ability to meet and socialize with all the attendees and presenters. While I...

SQLite Deleted Data Parser - GUI Added

Last year I wrote a Python script to parse deleted data from SQLite Databases (original post here). Every once in a while, I get emails asking for help on how to use the SQLite Parser from users who are...

Timestomp MFT Shenanigans

I was working a case a while back and I came across some malware that had time stomping capabilities. There have been numerous posts written on how to use the MFT as a means to determine if time...

USN Journal: Where have you been all my life

One of the goals of IR engagements is to locate the initial infection vector and/or patient zero. In order to determine this, timeline analysis becomes critical, as does determining when the malware...

Dealing with compressed vmdk files

Whenever I get vmdk files, I take a deep breath and wonder what issues might pop up with them. I recently received some vmdk files and when I viewed one of these in FTK Imager (and some other...

Does it make sense?

Through all my high school and college math classes, my teachers always taught me to step back after a problem was completed and ask if the answer made sense.  What did this mean?  It meant don't just...
