No, this isn’t a post about Clippy, sorry everyone, especially Lee 🙂 Clippy’s gone forever.
WinTeNTLM Issues

It’s not uncommon to be asked whether a user had a login password, or to need it to log in to a virtualised copy of a suspect’s computer. In the case of the latter, you can usually just clear the password and proceed, but sometimes knowing the password itself may be important.
I played with a few tools that I had on hand to get a local user’s NTLM hash during Dave and Matt’s DFIR CTF at DEF CON and documented my findings (and finally got around to finishing this up).
Playing with the iOS Powerlog
I have recently started looking at the wealth of data that can be obtained from file system iPhone extractions; a lot of which has already been explored by Sarah Edwards in her iOS of Sauron presentation, and also recently in her post on the KnowledgeC database.
Based on that I decided to take a look at the powerlog PLSQL SQLite databases on a jailbroken iPhone running iOS 10.2. I would have to double check, but I don’t think this file gets exported in a standard backup, so you’ll have to jailbreak the device to get at it.
Copying v Dragging a file to an OS X Disk Image
Had a need to do some quick testing on different operations on OS X 10.10.5 (Yosemite) and thought I’d share (plus ask for some assistance).
Should I Start A Blog? Yes, the answer is Yes
We’ve been seeing a lot of new blogs popping up recently, and I wanted to share parts of my recent Enfuse presentation on personal branding in the hope of encouraging more people to follow suit (that, and I’m still trying to post once a month).
Zone Identifier == kMDItemWhereFroms?
A couple weeks ago at Techno Security I saw a presentation about examining cloud storage applications such as Dropbox. Whilst the presentation was great, the main thing I noticed was that when the presenter selected a Zone Identifier ADS there was more than the usual ZoneID=3.
Finally decided to do a little bit more digging!
For background on Zone Identifiers, you can see the paper by Paul Sanderson here.
Speaking to Google Homes
I just presented my research on investigations involving Google Home devices at the SANS DFIR Summit, and with that I am releasing the Python script that I wrote for part of it.
My DFIR Conference Tour
I shared this page last month for my upcoming travels but as it’s getting closer to take off I thought I’d expand a bit on what I’m looking forward to over my time away.
Word Document Metadata Bugs and Verification
I got a question from a colleague a few weeks ago about a potential bug in ExifTool, a fantastic tool and library by Phil Harvey for parsing EXIF data. I had a few minutes this evening, so thought I’d share the digging.
We made a couple of Word documents and ran them through ExifTool to take a look at the ‘Word Count’ field; later I recreated them at home.
4Cast Award Nominations
It’s that time of year again!
The nominations for the annual Forensic 4Cast Awards, held at the SANS DFIR Summit in Austin, Texas are open. It’s a great conference and I’m hoping to present there this year.
You can submit your nominations for the awards here.