Part of a Sunday Funday answer – Microsoft Teams

April 17, 2020 Phill Moore2 Comments

I wanted to take a quick and dive into this week’s Sunday Funday challenge but didn’t have a whole lot of time, I basically set a timer for an hour or so at the end of the day and found as much as I could, and then compiled it all today. Gotta set a time limit or else the rabbit-hole never ends 🙂

Oleg has already shared his answer and done a decent amount of work to answering the questions. I’m not going to be reinventing the wheel a whole lot, just expanding on what has already been found.

(Note: I’m not going to be answering all of the questions)

2020 Forensic 4cast Awards Nominations

March 9, 2020December 28, 2020 Phill Moore1 Comment

It’s nomination time again for the Forensic 4cast Awards, held at the SANS DFIR Summit in Austin, Texas. I thought I would post up my nominations to recognise all the people and teams that have contributed to the #DFIR community over the last year.

There’s less than a week to go, so get your nominations in to show your appreciation!

DFRWS APAC 2020!

January 16, 2020January 16, 2020 Phill MooreLeave a comment

Coming soon to a town near ~~you~~ me!

DFRWS is expanding into APAC this year, with an inaugural event in Sydney to correspond with the IAFS conference.

I’m Workshop Co-Chair along with Matthew Simon so if you have some interesting ideas for workshops let me know soon.

If you want to submit a research paper or presentation you have until January 31, 2020 to submit an abstract or workshop.

Applocker FTW

December 27, 2019January 20, 2020 Phill MooreLeave a comment

I was recently reviewing some event logs on a Windows server and noticed a few items that I hadn’t seen before. These events related to Applocker, which was released a long time ago, but I hadn’t really seen much in the forensic analysis space. This post will cover a brief intro to setting up Applocker, some resources for configuration, and some event logs that you should probably keep an eye out for.

TLDR: Turn on applocker on servers you own (workstations too if your users wont kill you). Also look out for applocker events during your event log analysis!

Special thanks to Troy Larson for helping me out with this research

Playing with the big chicken – (Velociraptor + AWS + Google Domains)

October 7, 2019 Phill Moore1 Comment

Did you know Velociraptors were about the size of a chicken and had feathers! Apparently the later was only discovered in 2007 according to this site, so we’ll give Jurassic Park a pass for now.

Screen Shot 2019-10-07 at 9.46.13 pm

Anyways, I wanted to have a play with Velociraptor and put together some instructions on how to spin it up in AWS and connect it to a Google Domain; so I grabbed the official documentation and worked through it.
Read More »

Hunting for MAC Addresses

October 5, 2019October 25, 2019 Phill MooreLeave a comment

I had a need to identify the MAC address of a computer from an image (actually a whole bunch of images) recently and went looking through the registry to try solve my problem. Who doesn’t love a bit of registry analysis, and of course Eric’s tools come to the rescue yet again for this kind of hunting. Also side note, you should support Eric’s tool-making.

Testing A USB Write Blocker

July 24, 2019July 25, 2019 Phill MooreLeave a comment

The makers of the Deepspar Disk Imager recently jumped into the write blocker scene with their Guardonix USB write blocker. They asked me for my opinion and (full disclosure) sent me out a test unit to play with.

AX200 – Magnet AXIOM Examinations Review

June 9, 2019 Phill Moore3 Comments

ax200

I recently had the opportunity to take the AX200 Magnet AXIOM Examinations class (On-Demand) and wanted to share my experience for those thinking about taking the class.

Full disclosure: I did get access to this course for free from Magnet in exchange for feedback, but they didn't ask me to write this post in return.

Whether On-Demand works for you or not is really personal preference; some people like that they can work through it at their own pace and repeat sections as required. My preference would have been to take the class in person as I feel like you get a better experience in the class, not to mention you can focus on the task at hand. Unfortunately I missed my opportunity as the class was run nearby when I was overseas.

2019 Forensic 4cast Awards Nominations

May 3, 2019May 5, 2019 Phill Moore1 Comment

Lee changed things up a little bit this year, meaning that you have to provide a reason for your nomination. I think this is a good change and hopefully it will flow into the voting process, encouraging people to explain what they have done in the year for you to win their vote.

Updating the KnowledgeC Parser

March 21, 2019March 21, 2019 Phill MooreLeave a comment

Knowledge-is-Power

I’ve just pushed up some changes to the amazing KnowledgeC plist extraction and parsing utility that I’ve been working on with Alexis Brignoni and wanted to describe them here.

ThinkDFIR

random musings on DFIR topics

Author: Phill Moore