A couple weeks ago I competed in DFIR Netwars at SANS Sydney 2017. Our team did really well, leading most of the way and just losing in the last half hour. But overall, it was a great learning experience and I thought I’d share some things about it.
Documenting my work
TLDR: This is a post about how I document my examinations. I create a word document with a brain dump of my findings which includes a narrative that allows me to read through it in a way that gets me back into the mindset I was in when I completed the examination.
Playing with APFS
**update – this has been a really popular post but it’s very outdated now. Will add some information to the bottom of the post of what’s happened since**
On the 25th September Apple released OS X High Sierra which uses the Apple File System (APFS) as its default file system. Based on Steve’s video I thought it would be a good idea to do some testing.
Regripper GUI
A while back I wrote a Windows GUI for Regripper. (more…)
Google URL Parsing with GSERPENT
I noticed someone retweeted my link for this project last week so thought I’d write a short post about it. (more…)
Understanding Orphaned Files
I was sitting in an Intro to Forensics lecture recently (in my free time, I’m crazy I know) and was explaining orphaned files to a student so thought I’d just write some stuff down about it. The main point of the post was showing how to manually modify the MFT to create orphaned entries and what they look like in FTK Imager (V3.4.2.2). Nothing groundbreaking š (more…)
New blog
I started a new blog!
Why, you ask?
That’s a good question; I’ve done a bit of research and needed a good medium to share it through, so here it is. It also forces me to write stuff down. Often I’ll work through a problem and put the information in my notes, but not necessarily centralise them in an easy-to-search place.
I’m hoping to post once a month or when inspiration strikes*
DISCLAIMER: inspiration may strike less often than once a month
If anyone has anything they would likeĀ researched/compiled or wants to guest post/collaborate let me know!
