Author: Phill Moore

I am a digital forensics analyst. I have a couple of blogs - This Week In 4n6 and Think DFIR I go by randomaccess (or variations of) on a number of DFIR social channels.

Playing with the big chicken – (Velociraptor + AWS + Google Domains)

Did you know Velociraptors were about the size of a chicken and had feathers! Apparently the later was only discovered in 2007 according to this site, so we’ll give Jurassic Park a pass for now.

Screen Shot 2019-10-07 at 9.46.13 pm

Anyways, I wanted to have a play with Velociraptor and put together some instructions on how to spin it up in AWS and connect it to a Google Domain; so I grabbed the official documentation and worked through it.
(more…)

AX200 – Magnet AXIOM Examinations Review

ax200

I recently had the opportunity to take the AX200 Magnet AXIOM Examinations class (On-Demand) and wanted to share my experience for those thinking about taking the class.

Full disclosure: I did get access to this course for free from Magnet in exchange for feedback, but they didn't ask me to write this post in return.

Whether On-Demand works for you or not is really personal preference; some people like that they can work through it at their own pace and repeat sections as required. My preference would have been to take the class in person as I feel like you get a better experience in the class, not to mention you can focus on the task at hand. Unfortunately I missed my opportunity as the class was run nearby when I was overseas.

(more…)

2019 Forensic 4cast Awards Nominations

It’s nomination time again for the Forensic 4cast Awards, held at the SANS DFIR Summit in Austin, Texas. I thought I would post up my nominations to recognise all the people and teams that have contributed to the #DFIR community over the last year.

Lee changed things up a little bit this year, meaning that you have to provide a reason for your nomination. I think this is a good change and hopefully it will flow into the voting process, encouraging people to explain what they have done in the year for you to win their vote.

(more…)

Sunday Funday – File Access on MacOS Mojave

og

Had a bit of time so decided to enter this weeks Sunday Funday. I didn’t win, but figured I would share it for reference. Congrats to Amy for winning!

I didn’t do a very comprehensive test, I just accessed a picture and video with native apps and then did a keyword search, so hits were uncovered that may not all indicate file access, and nothing was done to determine ‘when’ files were accessed.

(more…)

KAPE Tricks

tenor

For those that didn’t see, last week Eric Zimmerman, the creator of a number of fine forensics tools, released a new tool called KAPE, which is the Kroll Artifact Parser and Extractor. This tool provides examiners the ability to quickly collect files and folders into a storage location (folder/vhd/vhdx), and then parse them with various utilities.

(more…)