Monday, August 20, 2018

Daily Blog #458: Object IDs

Hello Reader,
In Hideaki Ihara's blog post on the port139 blog, he talks about a subsystem that has been around for quite some time: the Distributed Link Tracking System, which allowed LNK files and other shell item structures to survive a file being renamed or moved, prior to the inclusion of MFT reference numbers in Windows 7. This means that there are now at least two methods within a LNK file that allow it to point to the correct file even if it has been renamed or moved since it was last opened.

Hideaki points out that when a file is opened and a shell item is created for it, an Object ID should be created for the file as an attribute. While I agree this is true, I would also look for the creation of the LNK file itself and then which jump list got updated to determine what application opened the file, especially since not every file opened will get an Object ID, as stated in the limitations section of the Microsoft documentation.

In summary, an Object ID won't be set even if a file is opened when:

  1. The file is being opened from a removable drive 
  2. The file is being opened from a FAT drive
  3. The file is being opened from a newly formatted NTFS volume and the system hasn't rebooted
  4. The file is being opened from a newly attached fixed disk with NTFS and the system hasn't been rebooted
I think we should do more testing on this, but in all the above scenarios the shell item system would still record these accesses and the USN journal would show the LNK files and jump lists being updated. I like where Hideaki is going; I just want to make sure people are aware of what's possible.
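To make the above concrete, here is an added example (not code from the post or from Hideaki's write-up) that pulls the link-tracking identifiers out of a LNK file. The Distributed Link Tracking data lives in the TrackerDataBlock of the LNK's ExtraData section: a machine name plus two pairs of GUIDs (the volume and file Object IDs, and the "birth" pair recorded where the file was created). The parser walks the LNK structures per MS-SHLLINK, returns None when a link carries no tracker block at all, and goes one step beyond the post by decoding the creation time and node field of a version-1 Object ID. The sample LNK bytes, the machine name WORKSTATION01 and the GUIDs are constructed here and do not come from any real system.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Constants from the MS-SHLLINK specification. The sample link, machine name and GUIDs
# built further down are constructed for this example and do not come from a real system.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_BLOCK_SIGNATURE = 0xA0000003
TRACKER_BLOCK_SIZE = 0x60


def _extra_data_offset(buf):
    """Walk the variable-length sections that precede ExtraData (LinkTargetIDList, LinkInfo, StringData)."""
    size, = struct.unpack_from("<I", buf, 0)
    if size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=bytes(buf[4:20])) != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", buf, 0x14)          # LinkFlags
    off = LNK_HEADER_SIZE
    if flags & 0x01:                                      # HasLinkTargetIDList: 2-byte size, then the IDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & 0x02:                                      # HasLinkInfo: 4-byte size that counts itself
        off += struct.unpack_from("<I", buf, off)[0]
    char_width = 2 if flags & 0x80 else 1                 # IsUnicode decides StringData character width
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):            # HasName .. HasIconLocation, in file order
        if flags & bit:                                   # each item: 2-byte CountCharacters, no terminator
            off += 2 + struct.unpack_from("<H", buf, off)[0] * char_width
    return off


def extract_tracker_block(buf):
    """Return the link-tracking identifiers, or None when the LNK carries no TrackerDataBlock."""
    off = _extra_data_offset(buf)
    while off + 4 <= len(buf):
        size, = struct.unpack_from("<I", buf, off)
        if size < 8 or off + size > len(buf):             # TerminalBlock (size < 4) or truncated data
            break
        signature, = struct.unpack_from("<I", buf, off + 4)
        if signature == TRACKER_BLOCK_SIGNATURE and size == TRACKER_BLOCK_SIZE:
            body = buf[off + 8:off + size]                # Length, Version, MachineID, Droid, DroidBirth
            machine = body[8:24].split(b"\x00", 1)[0].decode("ascii", "replace")
            guids = [uuid.UUID(bytes_le=bytes(body[24 + 16 * i:40 + 16 * i])) for i in range(4)]
            return {"machine_id": machine,
                    "volume_id": guids[0], "file_id": guids[1],                # Droid: current volume/file
                    "birth_volume_id": guids[2], "birth_file_id": guids[3]}   # DroidBirth: where it was created
        off += size
    return None


def decode_object_id(guid):
    """Where an Object ID is a version-1 UUID (the common case), recover its creation time and node field."""
    if guid.version != 1:
        return None
    created = datetime(1582, 10, 15, tzinfo=timezone.utc) + timedelta(microseconds=guid.time // 10)
    node = ":".join(f"{(guid.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    return created, node


def build_sample_lnk(with_tracker=True):
    """Construct a minimal shell link (LinkFlags = 0, so no IDList, LinkInfo or strings) for the demo."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le + struct.pack("<I", 0)
    header = header.ljust(LNK_HEADER_SIZE, b"\x00")
    blocks = b""
    if with_tracker:
        volume_id = uuid.UUID("9a3b2c1d-7e6f-4a5b-8c9d-0e1f2a3b4c5d")                           # constructed
        file_id = uuid.UUID(fields=(0x1A2B3C4D, 0x5E6F, 0x11E8, 0x80, 0x01, 0x001122334455))   # constructed v1
        blocks += struct.pack("<IIII", TRACKER_BLOCK_SIZE, TRACKER_BLOCK_SIGNATURE, 0x58, 0)
        blocks += b"WORKSTATION01".ljust(16, b"\x00")                                          # MachineID
        blocks += volume_id.bytes_le + file_id.bytes_le + volume_id.bytes_le + file_id.bytes_le
    return header + blocks + struct.pack("<I", 0)                                              # TerminalBlock


if __name__ == "__main__":
    info = extract_tracker_block(build_sample_lnk())
    print("machine:", info["machine_id"], "file Object ID:", info["file_id"])
    print("created / node:", decode_object_id(info["file_id"]))
    print("link without tracker block:", extract_tracker_block(build_sample_lnk(with_tracker=False)))
```

A link that comes back as None from extract_tracker_block is exactly the case the limitations list describes, so on such systems the LNK creation itself, the jump list update and the USN journal are the records to fall back on.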

Sunday, August 19, 2018

Daily Blog #457: Sunday Funday 8/19/18

Hello Reader,
Microsoft is also introducing subtle changes in Windows; sometimes they were always there and we just didn't notice. Let's see what you can determine in this week's LNK file challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 8/24/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
As of Windows 10 (possibly earlier), Windows will only keep 20 LNK files for a single extension. What other limitations of the LNK file system can you find?

Saturday, August 18, 2018

Daily Blog #456: Solution Saturday 8/16/18

Hello Reader,
This week Lodrina Cherne swooped in with some interesting research that went way beyond URL history. I think what Lodrina has submitted here is the base of some very interesting research that needs to be performed to find out more. I am happy to say I received more submissions this week, but I would encourage anyone reading this to give these challenges a try and submit an answer. You can only benefit from the research, and possibly the win!

The Challenge:
For Edge, Chrome and Firefox, where could you find evidence of what was uploaded to a file sharing site? Please include all of the locations available, not just the URL history.

The Winning Answer:
Lodrina Cherne @hexplates

Here are some general methods to investigate upload activity in browsers:

RESEARCH! Besides searching your favorite forensic blogs, browsers and web applications may have developer documentation online.

In the past I’ve used Yahoo! Mail developer docs to better understand webmail artifacts. APIs and handles are sometimes documented for third party developers, use this to your advantage!

Here’s a snippet from the Yahoo Developer Network related to uploading:

This snippet is an example specifically related to advertiser data upload – so if I was interested in this artifact, one search term might be
              “status”: “completed”

Here’s an example related to Google Drive upload:

My search term for Google Drive uploads might be

Mozilla (FireFox) has a good collection of APIs, here are some upload related ones we might see:
What the MDN web docs tell us is that bytes and file path + name are properties used in “UploadData”. There’s also browser compatibility information – so this may apply with Chrome or FireFox on Android? Pretty cool!

These events may leave some of the above keywords on disk – but even more important than the keywords, we know that there is some kind of marker that the upload has started, that it’s completed successfully, etc. We know this data is being recorded somewhere, even temporarily, so it’s worth digging for this type of data on disk!

TEST! For different web applications, what is the expected behavior? Are there keywords that appear on screen or a string in the site URL?

Here’s one example using the Dropbox browser interface with Chrome. I am dragging and dropping a file from my system into Dropbox. Note the on screen prompt “upload to the folder”.

While the file is uploading, we see “Uploading Additional Forensic Resources.docx” at the bottom of the screen.

When the upload is complete, the status changes to “Uploaded Additional Forensic Resources.docx”

Potential search terms for Dropbox upload so far are
              upload to the folder
              Uploading [filename of interest]
              Uploaded [filename of interest]

These search terms could be run in your forensic tool across browser artifacts like history and cache. Using a forensic suite for your first pass search can be useful to look across different locations and filetypes. Are you searching inside SQLite databases? Decompressing FireFox session history? Not every suite will do this for you though they will be more efficient than searching each database or cache folder by itself on your first pass!

Besides browser artifacts, you could run these keywords across other areas of the drive like unallocated space and the pagefile/hibernation file.

Another test could be uploading a file with a unique name to a filesharing site, then search your browser data for that filename.
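As an added example of the first-pass keyword sweep the answer describes (this is not Lodrina's code or any forensic suite's), the script below takes her Dropbox search terms and runs them two ways over a browser history database: a LIKE query against every column of every table (found through sqlite_master and PRAGMA table_info, so no schema knowledge is needed), and a raw byte scan of the same file in UTF-8 and UTF-16LE, which also reaches freed cells and freelist pages that no query returns. The Chrome-style "urls" table with one Dropbox visit is constructed here for the demonstration.

```python
import os
import sqlite3
import tempfile

# Terms from the answer above; "Uploading " / "Uploaded " match whatever filename follows them.
UPLOAD_TERMS = ["upload to the folder", "Uploading ", "Uploaded "]


def sweep_sqlite(path, terms):
    """Case-insensitive LIKE search over every column of every user table in a SQLite file."""
    hits = []
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)   # read-only: never write to evidence
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for column in columns:
                for term in terms:
                    try:
                        rows = conn.execute(
                            f'SELECT rowid, "{column}" FROM "{table}" WHERE "{column}" LIKE ?',
                            (f"%{term}%",)).fetchall()
                    except sqlite3.OperationalError:        # e.g. WITHOUT ROWID tables
                        continue
                    hits.extend((table, column, rowid, term, str(value)) for rowid, value in rows)
    finally:
        conn.close()
    return hits


def sweep_raw(path, terms):
    """Byte-level search of the same file (UTF-8 and UTF-16LE); this also reaches freed cells
    and freelist pages that a query will never return. Counts per term."""
    with open(path, "rb") as fh:
        data = fh.read().lower()                                # ASCII-only lowering is enough for these terms
    counts = {}
    for term in terms:
        n = data.count(term.lower().encode("utf-8")) + data.count(term.lower().encode("utf-16-le"))
        if n:
            counts[term] = n
    return counts


def build_sample_history(dirpath):
    """Constructed Chrome-style 'urls' table: one Dropbox upload visit and one unrelated visit."""
    path = os.path.join(dirpath, "History")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER)")
    conn.executemany("INSERT INTO urls(url, title, visit_count) VALUES (?, ?, ?)", [
        ("https://www.dropbox.com/home/Case%20Notes", "Uploaded Additional Forensic Resources.docx - Dropbox", 3),
        ("https://www.example.org/", "Example Domain", 1),
    ])
    conn.commit()
    conn.close()
    return path


def demo():
    """Build the sample database and run both sweeps over it."""
    path = build_sample_history(tempfile.mkdtemp())
    return sweep_sqlite(path, UPLOAD_TERMS), sweep_raw(path, UPLOAD_TERMS)


if __name__ == "__main__":
    hits, raw = demo()
    for hit in hits:
        print("table/column/rowid/term/value:", hit)
    print("raw byte counts:", raw)
```

When the raw count for a term exceeds the number of live rows that match it, the difference is worth chasing: it points at deleted records still sitting in the file, which is the kind of thing a single-database grep would miss.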

Daily Blog #455: Perfect Score in the Defcon DFIR CTF

Hello Reader,
This post serves to congratulate @gh0stp0p on achieving the first perfect score in the Defcon DFIR CTF! She has not only won the admiration of her peers but also a license of Forensic Email Collector. For those still wanting to play, or still playing, we will leave the CTF up for at least a month before we move onto the next project.

As a reminder the CTF is located here:

And you can download the images here:

Thanks everyone for playing and hopefully you will learn something from the experience! Next time we will up the difficulty. 

Thursday, August 16, 2018

Daily Blog #454: SQLite Write Ahead Logs and Python

Hello Reader,
If you haven't already done so, check out this blog post from Malware Maloney:

In it, not only does the author show how to create a new query for pulling messages from the database, he also extended a SQLite Python library to correctly decode the write-ahead log of the SQLite database that stores the notifications, meaning you can recover more deleted messages.

Give it a read, and in a future post let's take that and write a script around it.
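In the meantime, here is an added example (written for this page; it is not Malware Maloney's library or code) of why the write-ahead log matters for deleted-message recovery. A WAL file is a 32-byte header followed by frames, each a 24-byte frame header plus one full page image; every write transaction appends new copies of the pages it touched, so the older image of a page stays in the WAL until a checkpoint. The parser below validates the header and each frame against the salts and the chained checksum documented in the SQLite file format, then lists every image of a given page. The demo database, with a "messages" table in which one row is deleted, is constructed here; the WAL is read while the connection is still open, because closing the last connection checkpoints and removes it.

```python
import os
import sqlite3
import struct
import tempfile

WAL_HEADER_SIZE = 32
WAL_FRAME_HEADER_SIZE = 24
WAL_MAGIC_LE, WAL_MAGIC_BE = 0x377F0682, 0x377F0683


def _wal_checksum(data, s0, s1, big_endian):
    """SQLite's running WAL checksum over pairs of 32-bit words (byte order chosen by the magic)."""
    fmt = ">II" if big_endian else "<II"
    for i in range(0, len(data), 8):
        x0, x1 = struct.unpack_from(fmt, data, i)
        s0 = (s0 + x0 + s1) & 0xFFFFFFFF
        s1 = (s1 + x1 + s0) & 0xFFFFFFFF
    return s0, s1


def parse_wal(wal):
    """Return (page_size, frames); each frame records its page number, commit marker, validity and data."""
    magic, _version, page_size, _ckpt, salt1, salt2, c0, c1 = struct.unpack_from(">8I", wal, 0)
    if magic not in (WAL_MAGIC_LE, WAL_MAGIC_BE):
        raise ValueError("not a SQLite WAL file")
    big_endian = magic == WAL_MAGIC_BE
    s0, s1 = _wal_checksum(wal[:24], 0, 0, big_endian)      # header checksum covers its first 24 bytes
    header_ok = (s0, s1) == (c0, c1)
    frames, off, frame_size = [], WAL_HEADER_SIZE, WAL_FRAME_HEADER_SIZE + page_size
    while off + frame_size <= len(wal):
        pgno, commit, fsalt1, fsalt2, f0, f1 = struct.unpack_from(">6I", wal, off)
        page = wal[off + WAL_FRAME_HEADER_SIZE:off + frame_size]
        # The checksum chains across frames: the first 8 header bytes, then the page content.
        s0, s1 = _wal_checksum(wal[off:off + 8], s0, s1, big_endian)
        s0, s1 = _wal_checksum(page, s0, s1, big_endian)
        valid = header_ok and (fsalt1, fsalt2) == (salt1, salt2) and (s0, s1) == (f0, f1)
        frames.append({"index": len(frames), "pgno": pgno, "commit": commit != 0, "valid": valid, "data": page})
        off += frame_size
    return page_size, frames


def page_versions(frames, pgno):
    """All valid images of one page in WAL order; only the last is what the live database shows."""
    return [f["data"] for f in frames if f["valid"] and f["pgno"] == pgno]


def build_demo_wal(dirpath):
    """Create a WAL-mode database, insert three messages, delete one, and grab the WAL while the
    connection is still open (closing the last connection checkpoints and removes the WAL)."""
    path = os.path.join(dirpath, "notifications.db")
    conn = sqlite3.connect(path, isolation_level=None)      # autocommit; transactions are explicit below
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("BEGIN")
    conn.executemany("INSERT INTO messages(body) VALUES (?)",
                     [("hello from alice",), ("WAL-ONLY-DELETED-MESSAGE",), ("see you tomorrow",)])
    conn.execute("COMMIT")
    conn.execute("BEGIN")
    conn.execute("DELETE FROM messages WHERE id = 2")
    conn.execute("COMMIT")
    with open(path + "-wal", "rb") as fh:
        wal = fh.read()
    rootpage = conn.execute("SELECT rootpage FROM sqlite_master WHERE name = 'messages'").fetchone()[0]
    live = [row[0] for row in conn.execute("SELECT body FROM messages ORDER BY id")]
    conn.close()
    return wal, rootpage, live


def recover_deleted(marker=b"WAL-ONLY-DELETED-MESSAGE"):
    """Show that the deleted message survives in an older frame of the table's root page."""
    wal, rootpage, live = build_demo_wal(tempfile.mkdtemp())
    _page_size, frames = parse_wal(wal)
    versions = page_versions(frames, rootpage)
    return {"frames": len(frames), "all_valid": all(f["valid"] for f in frames),
            "versions": len(versions), "in_older_version": any(marker in v for v in versions[:-1]),
            "live": live}


if __name__ == "__main__":
    print(recover_deleted())
```

The older page images are plain SQLite b-tree leaf pages, so the next step in a real script is to run a record parser over each superseded image rather than just searching it for a known string; that is the part of the work the linked post's library extension takes care of.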

Wednesday, August 15, 2018

Daily Blog #453: Winners of the Unofficial Defcon DFIR CTF

Hello Reader,
I realized that while I posted this on Twitter I did not share it on the blog, which is the more permanent record of things. First, this year's Defcon DFIR CTF was sponsored by:

SANS - Donating 1st prize access to DFIR NetWars Continuous for a year and Lego minifigs
Also, if you were in the Blue Team Village at just the right time, we brought out SANS t-shirts, polos, keychains and posters that quickly disappeared.

Magnet Forensics - Donating a really cool backpack that contained a license of AXIOM, a Magnet water bottle, Magnet external cell phone battery and a cool Magnet pen.

Blackbag Forensics - Donating a license of Blacklight and a really cool insulated drink cup (like a Yeti or RTIC but with a very nicely done Blackbag logo)

MetaSpike - Donating a license of Forensic Email Collector, which will go to whoever gets the first perfect score in the Defcon DFIR CTF!

  • 1st Place went to Hadar Yudovich @hadar0x

Tuesday, August 14, 2018

Daily Blog #452: Dealing with deleted shadow copies

Hello Reader,
For those of you who use libvshadow, you may have noticed that it shows deleted shadow copies but does not differentiate between active and deleted shadow copies. This can be an issue, as parts of the deleted shadow copies could have been overwritten, leading to strange results.

Looks like two researchers out of Japan are attempting to fix that issue with an extension to libvshadow and some really interesting catalog recreation research.

Check it out below!