Part of a Sunday Funday answer – Microsoft Teams

I wanted to take a quick and dive into this week’s Sunday Funday challenge but didn’t have a whole lot of time, I basically set a timer for an hour or so at the end of the day and found as much as I could, and then compiled it all today. Gotta set a time limit or else the rabbit-hole never ends 🙂

Oleg has already shared his answer and done a decent amount of work to answering the questions. I’m not going to be reinventing the wheel a whole lot, just expanding on what has already been found.

(Note: I’m not going to be answering all of the questions)


2020 Forensic 4cast Awards Nominations

It’s nomination time again for the Forensic 4cast Awards, held at the SANS DFIR Summit in Austin, Texas. I thought I would post up my nominations to recognise all the people and teams that have contributed to the #DFIR community over the last year.

There’s less than a week to go, so get your nominations in to show your appreciation!

DFIR Commercial Tool of the Year

  • Magnet AXIOM – They made some great strides with adding a variety of artefacts and features. The big thing was the Mac artefacts and the re-done timeline.
  • X-Ways Forensics – A powerful forensic suite that has some amazing features.
  • Cellebrite UFED – Mainly for adding full file system extractions based on Checkra1n into the hands of all examiners. Previously this level of access was only for LE or jailbroken devices.
  • Arsenal Image Mounter – This tool is my current go-to image mounting tool, and the instant virtualisation has been fantastic too.

DFIR Non-commercial Tool of the Year

  • KAPE – KAPE in principle is a very simple tool. It collects and parses artefacts based on a series of targets and modules. But the speed and versatility of this tool makes it really awesome. If you haven’t looked at it yet I’d highly recommend it!
  • Velociraptor – This open source agent (and server, and sometimes not agent, it does a lot) allows for network-wide host-based DFIR collection, analysis, remediation, and monitoring.
  • iLEAPP – Alexis Brignoni has done an amazing job combining all the available iOS parsers into an easy-to-use package.

DFIR Show of the Year

  • Forensic Lunch – Dave and Matt do a great job every time they run a Forensic Lunch (usually twice a month). DIdn’t really run that much so far this year
  • Digital Forensic Survival Podcast – Michael has a show every week without fail. It’s a great resource for examiners to go back to and refresh themselves on the variety of topics that are covered.
  • 13cubed by Richard Davis – well produced and informative videos
  • I’ll also throw the ‘This Month In 4n6‘ monthly podcast in the ring, although it’s not nearly as deserving as the others.

DFIR Blog of the Year

There are so many great blogs, and people who I wish had more time to post more!

  • HECFBlog – Dave is a given nomination for blog of the year, even though he only posted for half the year.
  • Initialization Vectors – Alexis Brignoni has consistently put out some great research and tools on his blog. If you do mobile forensics you should be reading this.
  • The Binary Hick – Josh Hickman puts a considerable amount of effort into every post that he does, as well as putting out well documented Android dumps for people to play with.
  • Elcomsoft – Oleg and Vladimir regularly put out some great content, primarily focusing on mobile devices, and encryption.

DFIR Book of the Year

  • Good question! I don’t actually have a nomination for this one.

DFIR Article of the Year

DFIR Social Media Contributor of the Year

DFIR Degree Program or Training Class of the Year

  • I’m biased as I’m on my way to being a FOR500 instructor. So I’ll say the FOR500 class!
  • We also saw the debut of the FOR498 class which I’ve heard great things about.

DFIR Groundbreaking Research of the Year

  • Sysdiagnose – The research conducted by Mattia Epifani, Heather Mahalik, and Cheeky4n6Monkey
  • Checkm8 – The discovery of the Checkm8 vulnerability by axi0mX has been able to allow for an amazing advance to mobile iOS forensics. Whilst previously the ability to obtain a full file system extraction was limited to jail breaking or LE-only tools, now this level of access is afforded to everyone.
  • Analysis of the Amcache – Blanche Lagny put out a very comprehensive paper about the Amcache that’s well worth a read.
  • Blackbags work on acquiring physical images from Macs with T2 chips.

DFIR Newcomer of the Year

DFIR Resource of the Year

These all go without saying. If you don’t go to any of these sites you’re missing out on valuable information

DFIR Team of the Year

  • My team! Klein and co.
  • The SANS DFIR team.

Yes I’m biased.

Digital Forensic Investigator of the Year

Usually I put multiple people here. I’m just putting one this time. Not because there aren’t others that aren’t deserving. I just know that he qualifies as an investigator, and does a ridiculous amount to help others, particularly in the mobile forensics space.

There are plenty of others in every category, and if you believe that someone should be nominated, then definitely go ahead and nominate them.


Coming soon to a town near you me!

DFRWS is expanding into APAC this year, with an inaugural event in Sydney to correspond with the IAFS conference.

I’m Workshop Co-Chair along with Matthew Simon so if you have some interesting ideas for workshops let me know soon.

If you want to submit a research paper or presentation you have until January 31, 2020 to submit an abstract or workshop.


Applocker FTW

I was recently reviewing some event logs on a Windows server and noticed a few items that I hadn’t seen before. These events related to Applocker, which was released a long time ago, but I hadn’t really seen much in the forensic analysis space. This post will cover a brief intro to setting up Applocker, some resources for configuration, and some event logs that you should probably keep an eye out for.


Photo by Quenani Leal on

TLDR: Turn on applocker on servers you own (workstations too if your users wont kill you). Also look out for applocker events during your event log analysis!

Special thanks to Troy Larson for helping me out with this research


Playing with the big chicken – (Velociraptor + AWS + Google Domains)

Did you know Velociraptors were about the size of a chicken and had feathers! Apparently the later was only discovered in 2007 according to this site, so we’ll give Jurassic Park a pass for now.

Screen Shot 2019-10-07 at 9.46.13 pm

Anyways, I wanted to have a play with Velociraptor and put together some instructions on how to spin it up in AWS and connect it to a Google Domain; so I grabbed the official documentation and worked through it.