AX200 – Magnet AXIOM Examinations Review

June 9, 2019 Phill Moore3 Comments

ax200

I recently had the opportunity to take the AX200 Magnet AXIOM Examinations class (On-Demand) and wanted to share my experience for those thinking about taking the class.

Full disclosure: I did get access to this course for free from Magnet in exchange for feedback, but they didn't ask me to write this post in return.

Whether On-Demand works for you or not is really personal preference; some people like that they can work through it at their own pace and repeat sections as required. My preference would have been to take the class in person as I feel like you get a better experience in the class, not to mention you can focus on the task at hand. Unfortunately I missed my opportunity as the class was run nearby when I was overseas.

2019 Forensic 4cast Awards Nominations

May 3, 2019May 5, 2019 Phill Moore1 Comment

It’s nomination time again for the Forensic 4cast Awards, held at the SANS DFIR Summit in Austin, Texas. I thought I would post up my nominations to recognise all the people and teams that have contributed to the #DFIR community over the last year.

Lee changed things up a little bit this year, meaning that you have to provide a reason for your nomination. I think this is a good change and hopefully it will flow into the voting process, encouraging people to explain what they have done in the year for you to win their vote.

Updating the KnowledgeC Parser

March 21, 2019March 21, 2019 Phill MooreLeave a comment

Knowledge-is-Power

I’ve just pushed up some changes to the amazing KnowledgeC plist extraction and parsing utility that I’ve been working on with Alexis Brignoni and wanted to describe them here.

Sunday Funday – File Access on MacOS Mojave

March 3, 2019 Phill Moore1 Comment

Had a bit of time so decided to enter this weeks Sunday Funday. I didn’t win, but figured I would share it for reference. Congrats to Amy for winning!

I didn’t do a very comprehensive test, I just accessed a picture and video with native apps and then did a keyword search, so hits were uncovered that may not all indicate file access, and nothing was done to determine ‘when’ files were accessed.

KAPE Tricks

February 23, 2019March 3, 2019 Phill Moore1 Comment

tenor

For those that didn’t see, last week Eric Zimmerman, the creator of a number of fine forensics tools, released a new tool called KAPE, which is the Kroll Artifact Parser and Extractor. This tool provides examiners the ability to quickly collect files and folders into a storage location (folder/vhd/vhdx), and then parse them with various utilities.

Microsoft Office Reading Locations (Part 1)

February 11, 2019February 11, 2019 Phill MooreLeave a comment

Over the weekend I was looking at the “Reading Locations” subkey in the NTUSER.dat and found something interesting. I haven’t got a complete understanding yet, so I’ve labelled this as Part 1, but I have to figure some more stuff out for there to be a part 2.

silhouette of man — Photo by Pixabay on Pexels.com

What Did I Listen To On Spotify For iOS?

January 11, 2019January 11, 2019 Phill Moore1 Comment

person holding black smartphone — Photo by rawpixel.com on Pexels.com

I had a recent examination where I was asked what music was someone listening to at a point in time on an iOS device. Here’s what I found! (TLDR at the bottom)

Quick Post: Notes on the Win10 Recycle Bin

November 23, 2018November 25, 2018 Phill Moore4 Comments

focus photo of yellow paper near trash can — Photo by Steve Johnson on Pexels.com

Just a quick post on the Windows Recycle Bin whilst it’s fresh in my mind (also because I posted some findings on Twitter, and will definitely lose them if I want to refer back another time). I figure since I did the testing I should get it down somewhere. Already spent the time to do it so may as well get it down on paper so I don’t have to redo it again another time 🙂

Sunday Funday – Cutting across NTFS Volumes

November 9, 2018December 1, 2018 Phill Moore1 Comment

Another Sunday Funday!

This time, we’re cutting and pasting across volumes. I decided to take a slightly different route than last week and just created two VHDs to cut and paste between. (I have no idea why I didn’t think of that last week, do all of the copying and pasting in one go and then be done with it. If there’s a hard way to do something, I will find it 🙂 ).

Sunday Funday – Copying across NTFS volumes

November 3, 2018November 4, 2018 Phill Moore1 Comment

Since I’m home and the baby is asleep I thought I’d spend some time on this weeks Sunday Funday challenge. I probably should sleep too, but that’s a problem for future me 🙂

ThinkDFIR

random musings on DFIR topics