Week 3 is over! Well, it went for a couple of weeks, and is no longer active. But it was the third challenge!
This time we went looking into the PST file format, as well as identifying manipulated emails. I found this one a little bit easier than Week 4, which is currently giving me grief.
Back for week 2 of the Metaspike weekly CTF. This week we’ve been given an MSG file containing correspondence between two colleagues. I tried to do this one with entirely free tools again, but there’s a minor caveat that you do need access to Outlook to get the full MSG parsing experience.
Please let me know if there’s a way to do this without Outlook!
The Metaspike CTF has started! Lately I haven’t had a lot of time for CTFs, but this one is focusing on email forensics. Since it’s something I’ve taken an interest in recently, I thought I’d give it a shot.
I was roaming around some Win10 images and noticed I had the RecentApps registry key to go through. I don’t see it that often and thought I should go and take a look at when Microsoft added it, and took it away.
Creating disk images and virtual hard disks can be super useful for testing, which I’ll demonstrate in a future post (that I’ve mostly written, but needed this one to go out beforehand!).
I wrote this a while back, and have finally gotten around to posting it!
Recently tested the use of Certutil to download a file and looked for the artefacts. I didn’t find much in the DFIR realm about what this might look like on a system, so thought it best to post it up!
I wanted to take a quick dive into this week’s Sunday Funday challenge but didn’t have a whole lot of time. I basically set a timer for an hour or so at the end of the day, found as much as I could, and then compiled it all today. Gotta set a time limit or else the rabbit-hole never ends 🙂
Oleg has already shared his answer and done a decent amount of work towards answering the questions. I’m not going to be reinventing the wheel a whole lot, just expanding on what has already been found.
(Note: I’m not going to be answering all of the questions)
It’s nomination time again for the Forensic 4cast Awards, held at the SANS DFIR Summit in Austin, Texas. I thought I would post up my nominations to recognise all the people and teams that have contributed to the #DFIR community over the last year.
There’s less than a week to go, so get your nominations in to show your appreciation!
I was recently reviewing some event logs on a Windows server and noticed a few items that I hadn’t seen before. These events related to AppLocker, which was released a long time ago, but I hadn’t really seen much about it in the forensic analysis space. This post will cover a brief intro to setting up AppLocker, some resources for configuration, and some event logs that you should probably keep an eye out for.
TLDR: Turn on AppLocker on servers you own (workstations too if your users won’t kill you). Also look out for AppLocker events during your event log analysis!
Special thanks to Troy Larson for helping me out with this research.