A couple weeks ago at Techno Security I saw a presentation about examining cloud storage applications such as Dropbox. Whilst the presentation was great, the main thing I noticed was that when the presenter selected a Zone Identifier ADS there was more than the usual ZoneID=3.
Finally decided to do a little bit more digging!
For background on Zone Identifiers, you can see the paper by Paul Sanderson here.
I got a question from a colleague a few weeks ago about a potential bug in ExifTool, a fantastic tool and library by Phil Harvey for parsing EXIF data. I had a few minutes this evening, so thought I’d share the digging.
We made a couple of Word documents, and ran them through ExifTool, to take a look at the ‘Word Count’ field, and later I recreated them at home.
A couple weeks ago I competed in DFIR Netwars at SANS Sydney 2017. Our team did really well, leading most of the way and just losing in the last half hour. But overall, it was a great learning experience and I thought I’d share some things about it.
TLDR: This is a post about how I document my examinations. I create a Word document with a brain dump of my findings which includes a narrative that allows me to read through it in a way that gets me back into the mindset I was in when I completed the examination.
On the 25th September Apple released OS X High Sierra which uses the Apple File System (APFS) as its default file system. Based on Steve’s video I thought it would be a good idea to do some testing.