Channel: sysforensics.org
Browsing all 57 articles

Mac DFIR - HFS+ Date Added Timestamp

Overview: Before I get into the real reason for this post, I want to quickly go over what kMDItemDateAdded is, and then I will discuss where a popular tool is missing the timestamp. kMDItemDateAdded...




Reversing Mac Alias v3 Data Objects

Overview: I read a few blog posts and slide presentations discussing the forensic value of alias data within plists. They typically consisted of running strings against the Data object to pull path data...




Mac DFIR - HFS+ Volume Header

Overview: Understanding the HFS+ file system is an important step to analyzing Mac systems. It tracks all of the metadata associated with files and folders on a system, among other things. Suggested Reading...


Mac DFIR - HFS+ VMware Fusion Volume Header Timestamp

So I was analyzing some bookmark files and noticed the volume creation time didn't make sense. The time was too old. If you're at all familiar with Bookmark files you should know there are resource...


WinZip MRU Tool Check

I was playing around with WinZIP today and noticed something and wanted to write it down before I forgot to document it. I still need to do some analysis, but wanted to make it known if it wasn't...


AWS Security Overview - Part I

Overview: This is going to be a multi-part series where I will cover various AWS concepts, terminology and technology. Subsequent posts will be more information security focused. There will be a bit of...


Unpacking Pyinstaller Packed Python Malware

I do not consider these next steps complex but I still wanted to document it because I didn't really find much online except a few Stack Overflow comments here and there and I had it in my draft posts...


Your Registry Blobs Belong to Me (RegHexDump)

So I was reading Trend's blog post Without a Trace: Fileless Malware Spotted in the Wild and although not totally new, it got me thinking a bit. I downloaded some of the MD5s they posted and started...



Introduction to Hardware and Embedded Forensics

Blog Series: Part 1: Introduction to Hardware and Embedded Forensics; Part 2: UART Intro. and Sniffing UART with a Logic Analyzer; Part 3: Home Automation Hub Forensics; Part 4: TBD. Introduction to...


UART Intro. and Sniffing UART with a Logic Analyzer

DISCLAIMER: EVERYTHING HERE WILL VOID YOUR PRODUCT WARRANTY This is Part II in a series of blog posts I will be doing. The main tracking page is here. Before we get into the process I used for sniffing...


Home Automation Hub Forensics

In Part 1: Introduction to Hardware and Embedded Forensics I went over some tools I am using to perform hardware and embedded forensics analysis. In Part 2: UART Intro. and Sniffing UART with a Logic...


SQLite Artifact Recovery Framework (SLARF)

I got this idea awhile back when I wrote a tool called, BARFF - Browser Artifact Recovery Forensic Framework. It was more or less a glorified SQLite parser, which is again, more or less what SLARF is,...


Back Online

I am back online after a year. My previous employer did not allow blogging or code contributions, but that's behind me now so I am free to do what I want. I actually debated whether or not to start...


Arduino Forensics

I started playing around with the Arduino Uno Rev 3 awhile back but never got around to documenting anything via a blog post (until now). I read Steve Watson's slide series here on Arduino forensics,...


JTAGing Mobile Phones

Overview: I always thought JTAG was hard, then I tried it, and realized it was actually very easy (most of the time). Pretty much anyone can learn to do this in 8 hours of soldering practice. Really,...

AWS Security Overview - Part I - Networking Terminology

Overview: This is going to be a multi-part series where I will cover various AWS concepts, terminology and technology. Subsequent posts will be more information security focused. There will be a bit of...
