ThinkDFIR

During an engagement at $lastdayjob we found a possible bug in AmCache so I wanted to dig into it a bit deeper. Mostly this is a call for help, and an explanation of how to test! TLDR Sometimes AmCache records an original filename is something when it either doesn’t exist in the original PE or […]

Earlier this year I came across a forensic artefact that I didn’t know a whole lot about, and there wasn’t a lot of research on either. I was working on a ransomware case where we picked up a standard KAPE triage collection. As part of that, I ran a keyword search in Xways over the […]

I was recently teaching the SANS FOR500 Windows Forensic Analysis class in Canberra and I was asked a question about how we track the connection times for USB devices in the registry: My answer at the time was, “they are arbitrary” but I thought I should look into it a little bit more, and I’m […]

As part of some research I’m doing into Amcache (more on that another time), I went about exploring Windows PE version information and how Windows see’s it. This came about because I thought I found a bug in the Velocidex PE module when in fact, it’s more likely “Windows does funny things sometimes”. What was […]

A while ago I wrote about how Windows would track screenshots in shell items and cache the content into a specific directory. While this blog post won’t be anything groundbreaking, I thought I’d share some fun findings about the new “Snipping Tool” on Windows 11. “Snipping Tool” was briefly deprecated and replaced with “Snip and […]

This week’s Sunday Funday challenge involves reviewing Microsoft 365 UALs so I figured what better excuse to get access to a dev tenancy. Originally I looked at how to request one of these from Microsoft, and then that fell into the “just hard enough basket” so I asked a friend who generously donated access to […]

This week’s Sunday Funday challenge by David Cowen is on SRUM forensics. The challenge states: The Challenge:With so many of us relying on SRUM for so many different uses its time to do some validation on the counters so many people cite. For this challenge you will test and validate the following SRUM collected metrics […]

Recently one of my fellow SANS instructors, Mattia Epifani, noted that in Windows 11 23H2 the WordWheelQuery value is no longer populated. Time to do some testing! Forensafe has a nice article that describes the artefact. When I do a simple search in Explorer, it should populate a dropdown box in the search box; at […]

There’s a new (newish?) database in Microsoft Edge that is worth exploring a bit further. This blogpost is partially an intro, partially a placeholder, because I saw some conversation on a listserv about the database but almost nothing else online about it. There’s limited research, so let me know what you find and I can […]

I’m teaching FOR500 Windows Forensic Analysis in Singapore this week and something that was recently added to the class relates to a new(ish) discovery into the operation of Jumplists on Windows 10. During an update to the class it was discovered that when a folder is copied, the AutomaticDestination Jumplist file associated with Windows Explorer […]

Welcome to 2023! Turns out I didn’t post on here as much as I should have last year. Logging in this morning I can see I posted twice, whoops. Let’s change that with some validation research into INDX records, particularly in relation to the timestamps that are stored in INDX entries. I’ve been putting together […]

At some point in history, Microsoft introduced Snipping Tool. The world rejoiced as a simple screenshot tool was added to Windows that allowed for screenshots of sections of the screen that was easier than pressing Print-Screen and opening Paint. Unfortunately, Microsoft decided to deprecate Snipping tool in later versions of Win10, instead pushing people onto […]

In preparation for an upcoming FOR500 class I thought I would test out one of the recent additions to the class. This post by my colleague Zach shows that Win10 1903 and later has a registry key that will store the full path of any executable that utilises the computers camera or microphone. Zach shows […]

Business email compromise is anything but awesome. According to the FBI, in 2020 cybercriminals cost US companies 2 billion through exploitation of business email systems. I started an Awesome list to try and compile all of the links that I had previously just kept in my head for reference when doing a BEC investigation. It’s […]

Recently I was given approximately 55 VMDKs after a cyber incident to try and identify the root cause. Ideally, these systems would be online so that we could deploy our distributed threat hunting and forensic analysis tool of choice, Velociraptor however this wasn’t a possibility in this scenario. This means I had an interesting problem […]

Over the halfway point! (I appreciate week 6 was a while ago, I haven’t had a chance to clean up my write up for this until now). This week we’re looking at email authentication again, trying to identify the actual date of an email. I scraped this one by with only hours to spare, and […]

I write my notes as I go along, but sometimes it takes me a bit to get it into a blogable format. This week took a little longer because I had to wait for Armans walkthrough. I got super close to the answer for part 3, but unfortunately missed out on the 100 points. We’re […]