Uncategorized

Sunday Funday – File Access on MacOS Mojave

og

Had a bit of time so decided to enter this weeks Sunday Funday. I didn’t win, but figured I would share it for reference. Congrats to Amy for winning!

I didn’t do a very comprehensive test, I just accessed a picture and video with native apps and then did a keyword search, so hits were uncovered that may not all indicate file access, and nothing was done to determine ‘when’ files were accessed.

(more…)

KAPE Tricks

tenor

For those that didn’t see, last week Eric Zimmerman, the creator of a number of fine forensics tools, released a new tool called KAPE, which is the Kroll Artifact Parser and Extractor. This tool provides examiners the ability to quickly collect files and folders into a storage location (folder/vhd/vhdx), and then parse them with various utilities.

(more…)

Quick Post: Notes on the Win10 Recycle Bin

focus photo of yellow paper near trash can

Photo by Steve Johnson on Pexels.com

Just a quick post on the Windows Recycle Bin whilst it’s fresh in my mind (also because I posted some findings on Twitter, and will definitely lose them if I want to refer back another time). I figure since I did the testing I should get it down somewhere. Already spent the time to do it so may as well get it down on paper so I don’t have to redo it again another time 🙂

(more…)

Sunday Funday – Cutting across NTFS Volumes

cut-up-book2

Another Sunday Funday!

This time, we’re cutting and pasting across volumes. I decided to take a slightly different route than last week and just created two VHDs to cut and paste between. (I have no idea why I didn’t think of that last week, do all of the copying and pasting in one go and then be done with it. If there’s a hard way to do something, I will find it 🙂 ).

(more…)

WinTeNTLM Issues

 

kitten cat rush lucky cat

Mini Cats! It will make sense later…

It’s not uncommon to be asked whether a user had a login password or to need it to login to a virtualised copy of a suspects computer. In the case of the later, you can usually just clear the password and proceed, but sometimes knowing the password may be important.

I played with a few tools that I had on hand to get a local user’s NTLM hash during Dave and Matt’s DFIR CTF at DEF CON and documented my findings (and finally got around to finishing this up)

(more…)