Sunday Funday – File Access on MacOS Mojave

og

Had a bit of time so decided to enter this weeks Sunday Funday. I didn’t win, but figured I would share it for reference. Congrats to Amy for winning!

I didn’t do a very comprehensive test, I just accessed a picture and video with native apps and then did a keyword search, so hits were uncovered that may not all indicate file access, and nothing was done to determine ‘when’ files were accessed.

Read More »

KAPE Tricks

tenor

For those that didn’t see, last week Eric Zimmerman, the creator of a number of fine forensics tools, released a new tool called KAPE, which is the Kroll Artifact Parser and Extractor. This tool provides examiners the ability to quickly collect files and folders into a storage location (folder/vhd/vhdx), and then parse them with various utilities.

Read More »

Quick Post: Notes on the Win10 Recycle Bin

focus photo of yellow paper near trash can
Photo by Steve Johnson on Pexels.com

Just a quick post on the Windows Recycle Bin whilst it’s fresh in my mind (also because I posted some findings on Twitter, and will definitely lose them if I want to refer back another time). I figure since I did the testing I should get it down somewhere. Already spent the time to do it so may as well get it down on paper so I don’t have to redo it again another time 🙂

Read More »

WinTeNTLM Issues

 

kitten cat rush lucky cat
Mini Cats! It will make sense later…

It’s not uncommon to be asked whether a user had a login password or to need it to login to a virtualised copy of a suspects computer. In the case of the later, you can usually just clear the password and proceed, but sometimes knowing the password may be important.

I played with a few tools that I had on hand to get a local user’s NTLM hash during Dave and Matt’s DFIR CTF at DEF CON and documented my findings (and finally got around to finishing this up)

Read More »