Author: Phill Moore

I am a digital forensics analyst. I have a couple of blogs - This Week In 4n6 and Think DFIR I go by randomaccess (or variations of) on a number of DFIR social channels.

Speaking to Google Home’s

I just presented my research on investigations including Google Home devices at the SANS DFIR Summit and with that am releasing the Python script that I wrote for part of it. (more…)

My DFIR Conference Tour

I shared this page last month for my upcoming travels but as it’s getting closer to take off I thought I’d expand a bit on what I’m looking forward to over my time away.

(more…)

Word Document Metadata Bugs and Verification

I got a question from a colleague a few weeks ago about a potential bug in ExifTool, a fantastic tool and library by Phil Harvey for parsing EXIF data. I had a few minutes this evening, so thought I’d share the digging

We made a couple of word documents, and ran them through ExifTool, to take a look at the ‘Word Count’ field, and later I recreated them at home.

(more…)

4Cast Award Nominations

It’s that time of year again!

The nominations for the annual Forensic 4Cast Awards, held at the SANS DFIR Summit in Austin, Texas are open. It’s a great conference and I’m hoping to present there this year.

You can submit your nominations for the awards here.

(more…)

Documenting a week of DFIR cookups

untitled

A few weeks ago Dave Cowen did four nights in a row of Windows 10 testing and I finally got to watching through it all. (more…)

Things I Wish I Knew Before DFIR Netwars

A couple weeks ago I competed in DFIR Netwars at SANS Sydney 2017. Our team did really well, leading most of the way and just losing in the last half hour. But overall, it was a great learning experience and I thought I’d share some things about it.

(more…)

Documenting my work

TLDR: This is a post about how I document my examinations. I create a word document with a brain dump of my findings which includes a narrative that allows me to read through it in a way that gets me back into the mindset I was in when I completed the examination.

(more…)

Playing with APFS

**update – this has been a really popular post but it’s very outdated now. Will add some information to the bottom of the post of what’s happened since**

On the 25th September Apple released OS X High Sierra which uses the Apple File System (APFS) as its default file system. Based on Steve’s video I thought it would be a good idea to do some testing.

(more…)

Regripper GUI

A while back I wrote a Windows GUI for Regripper. (more…)

Google URL Parsing with GSERPENT

gserpent

I noticed someone retweeted my link for this project last week so thought I’d write a short post about it. (more…)

ThinkDFIR

random musings on DFIR topics

Author: Phill Moore

Speaking to Google Home’s

My DFIR Conference Tour

Word Document Metadata Bugs and Verification

4Cast Award Nominations

Documenting a week of DFIR cookups

Things I Wish I Knew Before DFIR Netwars

Documenting my work

Playing with APFS

Regripper GUI

Google URL Parsing with GSERPENT