Available Artifacts - Indicators of Execution Updated

The "Indicators of Execution" spreadsheet I put together in 2018 has been somewhat neglected of late. So, with the release of Server 2025 I set about updating it to reflect the current state of Windows 11 and Server 2025 and completing some long overdue gap filling.. In addition

Relationship between Microsoft Server and Desktop OS Versions

Each major release of the Windows Server Operating System corresponds to a regular Windows OS version. When researching available artifacts accross different OS's it can be helpful (and sometimes interesting) to know which versions correspond to each other. Posting this as a reference, given the number of times

CyberThreat 2019 Badge Writeup

Last year I was lucky enough to attend the inaugural CyberThreat conference put on by NCSC and SANS and it was also the first time I was introduced to interactive badges at a conference. The badges formed the bases of a CTF, which was one of the highlights of the

2019 Unofficial Defcon DFIR CTF Writeup - Linux Forensics

When completing this portion of the CTF I relied upon Autopsy 4.12 heavily, using the CTF as an opportunity to practice and trial a different toolset/ approach. In general I was impressed, but I’m not an Autopsy user day to day and as such I was fumbling a

2019 Unofficial DEFCON DFIR CTF Writeups

The CTF First a shout out to the Champlain College Digital Forensics Association (@champdfa) for putting together an awesome CTF and to David Cowen for making it public. For those who aren’t aware David has authored and run a number of awesome CTFs over the last few years, including

2019 Unofficial Defcon DFIR CTF Writeup - DFA Crypto Challenge

Question "On the homepage you will notice the Champlain College Digital Forensics Association's Logo. Can you decipher the hidden message?" Full disclosure: I wasn’t a fan of this challenge and furthermore I would not have solved it without talking to the question author. It became

2019 Unofficial Defcon DFIR CTF Writeup - Memory Forensics

For the majority of this section I used Volatility 2.6 under Windows Subsystem for Linux (WSL). As an aside, I commonly use volatility in one of two ways. Most commonly I will run a number of common commands up front and as I progress I will run other less

Testing of SRUM on Windows Server 2019 (continued)

After my unsuccessful attempts to test SRUM in Windows Server 2019 earlier in the week I followed up with Dave Cowen who confirmed the name of the install media he had used, and went about installing Server 2019 from the same media. Specifically this was: en_windows_server_2019_x64_

Some testing of SRUM on Windows Server 2019

This post is a response to David Cowen’s ‘Sunday Funday' challenge as detailed over at ‘Hacking Exposed - Computer Forensics Blog’. The question posed by David was as follows: Server 2019 got SRUM, what if any differences are there between SRUM on Windows 10 and SRUM on Server

Updated feature: Exchange Online mailbox audit to add mail reads by default

Exciting news in the world of Office 365 Business Email Compromise investigations. Following on from their recent commitment to improve logging of account activity within Office365 Microsoft have announced that Exchange Online will audit mail reads/accesses by default for owners, admins and delegates under the MailItemsAccessed action. I was

Available Artifacts - Evidence of Execution Updated

Since my original post a couple of months ago there have been new discoveries, additional suggestions and some error corrections. These things combined warranted an update to the spreadsheet and original post. The I want to take the opportunity to thank the following people who have directly or indirectly contributed

A little play with the Syscache hive

UPDATED 2019-01-04 This post is a response to David Cowen’s ‘Sunday Funday' challenge as detailed over at ‘Hacking Exposed - Computer Forensics Blog’. The question posed by David was as follows: What processes update the Syscache.hve file on Windows Server 2008 R2? There are some significant caveats

Converting Sparse VMDK files to fat VMDK files

Certain tasks are performed with the kind of infrequency that ensures you have to spend 10 minutes googling how to do it, every time you need to do it. In my case the conversion of sparse, compressed VMDKs is one such task so I thought I would document it here

Available Artifacts - Evidence of Execution

UPDATED 2024-12-04 UPDATED 2019-01-04 This week I have been working a case where I was required to identify users on a Windows Server 2003 system who had knowledge of, or had run, a particular unauthorised executable. As such, I found myself wracking my brain for all the user attributable artifacts

Has RegBack been retired?

Recently while researching for my recent blog post on ‘Methods to identify historical Time Zone configuration associated with a Windows PC’, I found myself hunting for Regback data within Windows 10 systems with limited success. Specifically, across multiple system installed with Windows 10 1607, 1703 and 1803 I was finding

Windows Plug and Play Cleanup

This post is another entry to David Cowen's Sunday Funday challenge series at HECFBlog. This week he asked the following question: Windows 10 keep changing and with it its behavior. In Windows 8.1 and early versions of Windows 10 there was a task to delete plug and

Methods to identify historical Time Zone configuration associated with a Windows PC

David Cowen at HECFBlog recently posed the following question: On a Windows 10 system what are the different ways you could determine what timezones a user was in prior to the whatever timezone is stored in the registry? In this post we will explore some of the ways you can

Investigating Office365 Account Compromise without the Activities API

With the recent demise of the Office 365 Activities API, David Cowen at HECFBlog has chosen to focus his recent Sunday Funday Challenge on the remaining evidence sources available when investigating instances of Office365 account compromise. David posed the following question: “Explain in a compromise of a Office365 account what

exFAT Timestamps: exFAT Primer and My Methodology

Following my quick and dirty post on exFAT timestamp behavior I wanted to follow up with a fuller post (or posts) detailing my methodology and observations. I started looking into the workings and different implementations of exFAT because it had been raised David Cowen in one of his recent ‘Sunday

exFAT Timestamp Behavior Associated with Different Operating Systems

Much like my recent post on ‘Using Extended MAPI Properties to determine email sent time’ this post is a response to David Cowen’s ‘Sunday Funday' challenge as detailed over at ‘Hacking Exposed - Computer Forensics Blog’. The question posed by David was as follows: ExFAT is documented to

Office 365 Activities API - Example Output

Yesterday CrowdStrike published details of the 'Office 365 Activities API' which is an extremely useful source of evidence for investigations, especially in cases of Business Email Compromise. The detailed post can be read here. Included was a Python module which allows one to pull the discussed data from

Sharing is Caring - The Secret O365 API

The whole field of DFIR thrives and survives on shared research. Professionals who identify novel techniques or develop tools which they share outside their organisation help to drive progress, achieve better understanding and ultimately help the community in the arms race against bad actors. A recent example which brought this

Using Extended MAPI Properties to determine email sent time

Recently, David Cowen at 'Hacking Exposed - Computer Forensics Blog' has resumed the 'Zeltser Challenge' of daily blogging. In doing so, he has highlighted (at least to me) that after a short initial flourish this blog has been somewhat neglected, taking a back seat while regular

Rebuilding Hardware Raid in EnCase 7/8

Recently I needed to rebuild a hardware RAID within EnCase from physical images of the component disks. Some years ago this was a common task which I did on a regular basis, and could achieve with my eyes closed. Back then my principal analysis tool was EnCase 6 and the

Installing SIFT Workstation under Windows Subsystem for Linux

SIFT In a recent post I alluded to the fact that I had successfully installed SIFT Workstation under Windows Subsystem for Linux (WSL). A number of people have zeroed in on that and had queries about this setup (and its limitations) so I thought I would follow up with a