KAPE Tricks


For those who didn’t see, last week Eric Zimmerman, the creator of a number of fine forensics tools, released a new tool called KAPE, the Kroll Artifact Parser and Extractor. This tool gives examiners the ability to quickly collect files and folders into a storage location (folder/vhd/vhdx), and then parse them with various utilities.


Quick Post: Notes on the Win10 Recycle Bin

Photo by Steve Johnson on Pexels.com

Just a quick post on the Windows Recycle Bin whilst it’s fresh in my mind (also because I posted some findings on Twitter, and will definitely lose them if I want to refer back another time). I figure since I did the testing I should get it down somewhere. I’ve already spent the time to do it, so I may as well get it down on paper so I don’t have to redo it another time 🙂


WinTeNTLM Issues


Mini Cats! It will make sense later…

It’s not uncommon to be asked whether a user had a login password, or to need it to log in to a virtualised copy of a suspect’s computer. In the case of the latter, you can usually just clear the password and proceed, but sometimes knowing the password itself may be important.

I played with a few tools that I had on hand to get a local user’s NTLM hash during Dave and Matt’s DFIR CTF at DEF CON and documented my findings (and finally got around to finishing this up).


Playing with the iOS Powerlog


I have recently started looking at the wealth of data that can be obtained from iPhone file system extractions, a lot of which has already been explored by Sarah Edwards in her iOS of Sauron presentation, and also recently in her post on the KnowledgeC database.

Based on that I decided to take a look at the powerlog PLSQL SQLite databases on a jailbroken iPhone running iOS 10.2. I would have to double check, but I don’t think this file gets exported from a standard backup, and as a result you’ll have to jailbreak the device to get at it.