App Timeline Provider – SRUM Database

The System Resource Usage Monitor (SRUM) is a currently parsed artifact available on Windows 8+ systems. On a basic level, SRUM appears to be the backend database supporting the Task Manager. These tables are stored in an Extensible Storage Engine (ESE) database saved as SRUDB.dat. Generally, there are 30 to 60 days of data saved in this database. The data is written to the database approximately every hour and around shutdowns. Some the tables within…
Read More

SOF-ELK and Integration with KAPE

Archer: FX  Amazing how fast time flies when you're juggling so much during the trying times we all have since 2020! At at the time of publishing this article, we are all still facing a lot of uncertainties. I hope time has been gracious to you all...and continues to be!  Why this post?  As we push through some very trying times in the Digital Forensic and Incident Response world, there are two things I've experienced…
Read More

Introducing AboutDFIR’s MFT Explorer/MFTECmd Guide

Greetings everyone! I’ve been working on a detailed guide geared towards LE/Private Sector examiners who’ve never used MFT Explorer/MFTECmd before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. The MFT Explorer/MFTECmd Guide comes on the heels of the previous guides I put together recently: KAPE, Timeline Explorer, and Registry Explorer/RECmd. All guides,…
Read More

Introducing AboutDFIR’s Registry Explorer/RECmd Guide

Greetings everyone! I’ve been working on a detailed guide geared towards LE/Private Sector examiners who’ve never used Registry Explorer/RECmd before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. The Registry Explorer/RECmd Guide comes on the heels of the previous guides I put together recently: KAPE and Timeline Explorer . All guides, current…
Read More

Introducing AboutDFIR’s Timeline Explorer Guide

Greetings everyone! I’ve been working on a detailed guide geared towards LE/Private Sector examiners who’ve never used Timeline Explorer before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. This guide for Timeline Explorer comes on the heels of last month's release of the KAPE Guide. It can also be currently located in…
Read More

Introducing AboutDFIR’s KAPE Guide

Greetings everyone! I've been working on a detailed guide geared towards LE/Private Sector examiners who've never used KAPE before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. The guide can be found here. It can also be currently located in the site's recently redesigned menu via Tools & Artifacts -> Tools ->…
Read More

DFIR Without Certs – What Books Can Help You

This has been an absolute long time coming from me, I think! The reason for this is during the crazy times we currently live in here in 2020, this is probably something I should have worked on much earlier to give folks a bit of a leg up on some reading material. Coming full circle, I feel this is something that really needs to be updated within our field. One of the few places where…
Read More

Jailbreaking – Checkra1n Configuration

In this installment, I felt that I should discuss how to use Checkra1n, and how to actually get into the device via 2 methods: localhost (tethered) and WiFi (untethered). This is not a blog to discuss how Checkra1n is doing, what it is doing, or what Checkm8 is doing prior to the device booting. Additionally, you do this at your own risk. Just because it works on one device does not mean it'll work on…
Read More

Pattern of Life – Tracking Through Mobile Applications

So getting back into blogging finally! Thanks for hanging in there with me.  Unlike my last posts, time to roll up the sleeves and try to make this community better from a technical perspective. To do that, I've decided to look at individual applications from iOS (first) so I can see what we are looking at. This is most important to me, because as we all know, our tools will lie to us if we…
Read More