Introducing AboutDFIR’s MFT Explorer/MFTECmd Guide

Greetings everyone! I’ve been working on a detailed guide geared towards LE/Private Sector examiners who’ve never used MFT Explorer/MFTECmd before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. The MFT Explorer/MFTECmd Guide comes on the heels of the previous guides I put together recently: KAPE, Timeline Explorer, and Registry Explorer/RECmd. All guides,…
Read More

Introducing AboutDFIR’s Registry Explorer/RECmd Guide

Greetings everyone! I’ve been working on a detailed guide geared towards LE/Private Sector examiners who’ve never used Registry Explorer/RECmd before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. The Registry Explorer/RECmd Guide comes on the heels of the previous guides I put together recently: KAPE and Timeline Explorer . All guides, current…
Read More

Join Devon Ackerman on Cache Up

Cache Up is a series ran by Jessica Hyde of Magnet Forensics. Our very own Devon Ackerman will be featured on the Tuesday, September 8th episode at 1100 hours EST. If you can't make it live, then watch the recording on the Magnet Forensics YouTube channel in the Cache Up playlist. See you there! EDIT: Link is now posted here.
Read More

Introducing AboutDFIR’s Timeline Explorer Guide

Greetings everyone! I’ve been working on a detailed guide geared towards LE/Private Sector examiners who’ve never used Timeline Explorer before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. This guide for Timeline Explorer comes on the heels of last month's release of the KAPE Guide. It can also be currently located in…
Read More

SANS FOR508: A Review

Introduction I recently attended the SANS DFIR Summit 2020 and took FOR508 with Chad Tilbury. I elected to take the GCFA certification which I am currently preparing for and creating my index similar to how I laid out in a previous blog post. At Kroll, FOR500 and FOR508 are our daily bread and butter so I was very excited to finally take FOR508. LiveOnline Review First things first, let's cover the new format SANS is…
Read More

Introducing AboutDFIR’s KAPE Guide

Greetings everyone! I've been working on a detailed guide geared towards LE/Private Sector examiners who've never used KAPE before as well as anyone looking to learn what the tool is all about. Learning a new tool is intimidating and can be frustrating, but hopefully this guide will make things easier. The guide can be found here. It can also be currently located in the site's recently redesigned menu via Tools & Artifacts -> Tools ->…
Read More

DFIR Without Certs – What Books Can Help You

This has been an absolute long time coming from me, I think! The reason for this is during the crazy times we currently live in here in 2020, this is probably something I should have worked on much earlier to give folks a bit of a leg up on some reading material. Coming full circle, I feel this is something that really needs to be updated within our field. One of the few places where…
Read More

A General Overview of DFIR Resources

Introduction The world of Digital Forensics and Incident Response (DFIR) is so expansive that it's impossible for one person to know it all, let alone a fraction of it. To combat this, one must first be aware of and second utilize the resource that's best catered to the issue at hand. There are multiple resources out there that digital forensic examiners and incident responders should be aware of.  Not all resources are created equal nor…
Read More

Jailbreaking – Checkra1n Configuration

In this installment, I felt that I should discuss how to use Checkra1n, and how to actually get into the device via 2 methods: localhost (tethered) and WiFi (untethered). This is not a blog to discuss how Checkra1n is doing, what it is doing, or what Checkm8 is doing prior to the device booting. Additionally, you do this at your own risk. Just because it works on one device does not mean it'll work on…
Read More

InfoSec News Nuggets 08/19/2019

1 Apple's warning: Break Safari's web-tracking rules and we'll hit back ITP broadly aims to limit marketers from tracking iOS and macOS Safari users across different websites, but without impeding a marketer's ability to measure the performance of their online ads. The document outlines what Apple considers to be tracking, different types of tracking, the types it will prevent, and how it treats any attempt to bypass its anti-tracking measures. The company warns it will…
Read More

Holiday Hack Sneak Peek 2019

It seems the SANS Annual Holiday Hack Challenge buzz begins earlier and earlier every year.  This year is no exception.  My first HolidayHack CheatSheet of the season is here! HUGE shout-out to our Red Team mole, Stephen Sampana for infiltrating Ed Skoudis' party in Vegas during BlackHat/DEFCON/BSides week and reporting back clues. Download v1.0 of my Kringle Con CheatSheet NOW! Enjoy! In other news, I've added some new items to our site that may interest…
Read More

Magnet User Summit 2019 Impressions

I wanted to make a quick note to start the blogging back up again (yes, I know -- don't judge me!) by discussing a recent Digital Forensics Summit that took place during the first week of April here in the United States. While there is some bias to this since both Devon and myself did present at the Summit, there is in no way, shape or form any endorsement or payment from Magnet for what…
Read More

Forensic Tools

Forensic tools, whether software or hardware, or just like traditional forensic science tools - they are designed by humans and typically meant to be used by trained users who understand both the artifacts they are processing as well as the results produced by the tool. Some tools are as simple as a USB write blocker - you plug one end into a computer, you plug a USB device into the other end, and it "just…
Read More

Episode 886: The Price Of A Hack

"The Price of a Hack" w/Chris DiIenno of Mullen Coughlin LLC law firm, experts in legal advice following or during a cyber security event, along w/Dina Temple-Raston of NPR. This piece was born out of a prior Kroll Cyber Risk digital forensics and incident response-related investigation, directed by legal counsel, to assist a client they was preyed upon via a Business Email Compromise-oriented targeting scheme. NPR Planet Money - Episode 886 "The Price Of A…
Read More

Android Nougat Image Available to the DFIR Community

Joshua Hickman has created, for the DFIR community, an image of Android 7.x (Nougat) populated with apps and test data for a wide range of usage - everything from testing tools to training to teaching. It was created using a stock Android image from Google.  Several popular applications (apps) were populated with user data utilizing the capabilities of each individual app.  The stock Android apps were also populated with user data. An LG Nexus 5x,…
Read More

Office 365 DFIR

A planned methodology for developing and implementing a forensically sound incident response plan in Microsoft’s Office 365 cloud environment must be thoroughly researched and re-evaluated over time as the system evolves, new features are introduced, and older capabilities are deprecated. This presentation will walk through the numerous forensic, incident response, and evidentiary aspects of Office 365. The presentation is based on two years’ worth of collection of forensics and incident response data in Microsoft’s Office…
Read More

Rick Kiper’s Research Project

A personal friend and FBI colleague of mine, Rick Kiper, has a research project that he is currently working on for Forensics.  The next phase of his research study is to develop a digital forensics tool typology. Basically, the goal is to identify the most important characteristics of digital forensics tools, so that a forensic examiner may be able to quickly assess and select a digital forensics tool appropriate for a particular task.  The goal…
Read More

Yandex.ru and Intrusion Investigations

Quite often I notice that unauthorized actors who compromise RDP access will execute a native web browsing application and navigate to a website such as whoer.net to enumerate browser header information, IP address, ISP, and a smattering of other host identification information.  In reviewing these cases with forensic tools, I would also quite often see a hit for https://mc.yandex.ru/metrika/watch.js.  Observing a .ru domain hit usually raises my suspicion level a bit, but I could not…
Read More