tag:blogger.com,1999:blog-14669037402627649472024-03-14T06:11:20.143-05:00Hacking Exposed Computer Forensics BlogA Blog on computer and digital forensic research, DFIR programming, the forensic lunch and more written by Hacking Exposed Computer Forensic author David CowenDavid Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.comBlogger804125tag:blogger.com,1999:blog-1466903740262764947.post-52438401930755978362022-01-06T17:14:00.008-06:002023-07-05T15:22:43.580-05:00Daily Blog #703: Looking back at AWS EBS Direct Block access API<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizbUK8qwpuvVhKS9aiP22w9piu9PrnJfmFBI24f_2svki5S8qjfXSRS1e7V0JDbrvQBJ1aQF75pdjmSMeuY_AMIX9ZZYIoccTxrLsVYFCJZV1mnCkwLF1WAVRTdNP6wG7tT2C9xHvvcL9a-W4cxnzTimKqgAf9i1th5HGUjvWZwK5TokjWG2kYPh6_OA/s1280/Kl.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="Looking back at AWS EBS Direct Block access API" border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizbUK8qwpuvVhKS9aiP22w9piu9PrnJfmFBI24f_2svki5S8qjfXSRS1e7V0JDbrvQBJ1aQF75pdjmSMeuY_AMIX9ZZYIoccTxrLsVYFCJZV1mnCkwLF1WAVRTdNP6wG7tT2C9xHvvcL9a-W4cxnzTimKqgAf9i1th5HGUjvWZwK5TokjWG2kYPh6_OA/w640-h360/Kl.png" title="Looking back at AWS EBS Direct Block access API" width="640" /></span></a></div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span><div class="separator" style="clear: both; text-align: center;"><span style="font-family: Noto Sans JP; font-size: large; text-align: left;"> </span></div><p><span style="font-family: Noto Sans JP; font-size: large;"> Hello Reader,</span></p><p><span style="font-family: Noto Sans JP; font-size: large;"> It's been a while! I've ... been busy? 
It's hard to describe the last 16 months prior to this daily blog as anything other than a series of career-defining events in my 'leveling up' at KPMG, along with the launch of my new SANS class FOR509: Enterprise Cloud Incident Response and Forensics! </span></p><p><span style="font-family: Noto Sans JP; font-size: large;"> </span></p><p><span style="font-family: Noto Sans JP; font-size: large;">Oh, and there was that collab with CrowdStrike (<a href="https://www.youtube.com/watch?v=7DHb1gzF5o4">https://www.youtube.com/watch?v=7DHb1gzF5o4</a>)<br /></span></p><p><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></p><p><span style="font-family: Noto Sans JP; font-size: large;">So yeah, a little busy. </span></p><p><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></p><p><span style="font-family: Noto Sans JP; font-size: large;">But! That doesn't mean I haven't wanted to go back to posting, sharing and pushing myself to learn more. It should come as no surprise that a lot of what I've been researching has been less operating-system focused and more cloud focused. So today let's talk about interesting ways to access snapshots. </span></p><p><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></p><p><span style="font-family: Noto Sans JP; font-size: large;">This whole discussion came out of teaching FOR509 in DC (shout out to my CDI students!). You see, in Azure when you make a snapshot you can download it, copy it, or access it as a VHD without restoring it to another volume (I'll post about this tomorrow), but within AWS there is no ability to download a snapshot as an image from any of the standard EBS calls. 
(If you know of a way to do this in AWS other than direct block access, please let me know!)<br /></span></p><p><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></p><p><span style="font-family: Noto Sans JP; font-size: large;">In discussing this with others, they brought up an interesting use case for the direct block access API that I hadn't thought of! While I was nerding out thinking about using this API as a rapid triage tool to read file systems without pulling entire snapshots, others realized you can read every block to create an image of the snapshot! This would let you fully download a snapshot (either in the cloud or on prem) and store it as a dd file without having to restore it to a volume first. I'll be writing a script to do this and will post it here on the blog (it would make a good blog post!) and put it into our FOR509 GitHub (<a href="https://github.com/dlcowen/sansfor509">https://github.com/dlcowen/sansfor509</a>), which contains all the cloud provider related scripts we are creating for the class. 
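</span></p><p><span style="font-family: Noto Sans JP; font-size: large;">Here is the snapshot-to-dd idea worked through as an added example; it is not the FOR509 script (which had not been written when this was posted) and not AWS code. It drives the two real EBS direct calls, ListSnapshotBlocks and GetSnapshotBlock, through whatever object exposes them: in a real run that is boto3.client("ebs"), and the caller needs the ebs:ListSnapshotBlocks and ebs:GetSnapshotBlock permissions (plus decrypt rights on the KMS key if the snapshot is encrypted). So that it runs offline, the block carries a constructed FakeEbsClient with constructed block contents, and the snapshot ID is a placeholder.</span></p>

```python
"""Image an EBS snapshot block by block with the EBS direct APIs."""
import base64
import hashlib
import io
import os
import tempfile

BLOCK_SIZE = 512 * 1024  # the EBS direct APIs return 512 KiB blocks


class ChecksumMismatch(Exception):
    """A block's SHA-256 did not match the one the service returned for it."""


def _b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def snapshot_to_dd(ebs, snapshot_id, out_path):
    """Write every block of `snapshot_id` into `out_path` at its native offset.

    `ebs` is boto3.client("ebs") or anything with the same list_snapshot_blocks /
    get_snapshot_block methods. ListSnapshotBlocks only returns blocks that were
    ever written, so the output is pre-sized to the volume and unlisted blocks
    stay holes that read back as zeros, which is what dd of the restored volume
    would contain.
    """
    stats = {"blocks_written": 0, "blocks_verified": 0, "image_bytes": 0}
    kwargs = {"SnapshotId": snapshot_id, "MaxResults": 1000}
    with open(out_path, "wb") as out:
        while True:
            page = ebs.list_snapshot_blocks(**kwargs)
            if not stats["image_bytes"]:
                stats["image_bytes"] = page["VolumeSize"] * 1024 ** 3  # VolumeSize is in GiB
                out.truncate(stats["image_bytes"])
            for blk in page["Blocks"]:
                resp = ebs.get_snapshot_block(
                    SnapshotId=snapshot_id,
                    BlockIndex=blk["BlockIndex"],
                    BlockToken=blk["BlockToken"],
                )
                data = resp["BlockData"].read()
                # The service sends a base64 SHA-256 with each block; refuse to
                # write a block that does not match it.
                if resp.get("ChecksumAlgorithm") == "SHA256":
                    if _b64_sha256(data) != resp["Checksum"]:
                        raise ChecksumMismatch(f"block {blk['BlockIndex']}")
                    stats["blocks_verified"] += 1
                out.seek(blk["BlockIndex"] * page["BlockSize"])
                out.write(data)
                stats["blocks_written"] += 1
            if not page.get("NextToken"):
                return stats
            kwargs["NextToken"] = page["NextToken"]


class FakeEbsClient:
    """Constructed stand-in for boto3.client("ebs") so the example runs offline.
    It serves one block per page to exercise NextToken paging."""

    def __init__(self, blocks, volume_size_gib=1, corrupt=False):
        self._blocks = blocks              # {block index: 512 KiB of bytes}
        self._volume_size = volume_size_gib
        self._corrupt = corrupt

    def list_snapshot_blocks(self, SnapshotId, MaxResults=100, NextToken=None):
        indexes = sorted(self._blocks)
        pos = int(NextToken) if NextToken else 0
        page = {"VolumeSize": self._volume_size, "BlockSize": BLOCK_SIZE,
                "Blocks": [{"BlockIndex": indexes[pos], "BlockToken": f"tok-{indexes[pos]}"}]}
        if pos + 1 < len(indexes):
            page["NextToken"] = str(pos + 1)
        return page

    def get_snapshot_block(self, SnapshotId, BlockIndex, BlockToken):
        data = self._blocks[BlockIndex]
        checksum = _b64_sha256(data)       # computed before any corruption
        if self._corrupt:
            data = b"\x00" + data[1:]      # simulate a block damaged in transit
        return {"BlockData": io.BytesIO(data), "DataLength": len(data),
                "Checksum": checksum, "ChecksumAlgorithm": "SHA256"}


# Constructed snapshot: an NTFS-looking boot sector in block 0, data at block 3
# (offset 1.5 MiB) and nothing ever written in between.
SAMPLE_BLOCKS = {
    0: b"\xeb\x52\x90NTFS    ".ljust(BLOCK_SIZE, b"\x00"),
    3: b"forensic lunch".ljust(BLOCK_SIZE, b"\xff"),
}


def run_demo(corrupt=False):
    """Image the constructed snapshot into a temp file and read back three spots."""
    out_path = os.path.join(tempfile.mkdtemp(), "snap.dd")
    try:
        stats = snapshot_to_dd(FakeEbsClient(SAMPLE_BLOCKS, corrupt=corrupt),
                               "snap-0123456789abcdef0", out_path)
    except ChecksumMismatch as exc:
        return {"error": f"checksum mismatch on {exc}"}
    with open(out_path, "rb") as img:
        head = img.read(8)
        img.seek(BLOCK_SIZE)               # block 1 was never listed: must be zeros
        hole = img.read(8)
        img.seek(3 * BLOCK_SIZE)
        third = img.read(14)
    stats.update(head=head, hole=hole, third=third, size=os.path.getsize(out_path))
    return stats


if __name__ == "__main__":
    print(run_demo())
    # Against a real account (placeholder snapshot ID):
    #   import boto3
    #   snapshot_to_dd(boto3.client("ebs", region_name="us-east-1"),
    #                  "snap-0123456789abcdef0", "snap.dd")
```

<p><span style="font-family: Noto Sans JP; font-size: large;">Three things to keep in mind on a real snapshot. ListSnapshotBlocks lists only blocks that have ever been written, so the image is sparse and unlisted ranges read back as zeros; compare blocks_written with the number of listed blocks rather than trusting the file size. Each GetSnapshotBlock response carries a base64 SHA-256 of that block and the loop refuses to write a block that does not match it, which is the only integrity check available short of hashing a restored volume; block tokens also expire (the list response carries an ExpiryTime), so fetch each page's blocks promptly rather than listing everything first. The result is a whole-disk image, partition table included, so mount it through a loop device with an offset or hand it to The Sleuth Kit.</span></p><p><span style="font-family: Noto Sans JP; font-size: large;">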
</span></p><p><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></p><p><span style="font-family: Noto Sans JP; font-size: large;">So I hope you found this interesting (I certainly did) and find some use for it in your investigations!<br /></span></p><p><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></p><p><span style="font-family: Noto Sans JP; font-size: large;"><span>Read more about the AWS Direct Block Access API here: <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html">https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html</a></span><br /></span></p><p><a href="https://www.hecfblog.com/2020/08/daily-blog-702-sunday-funday-8920.html"><span style="font-family: Noto Sans JP; font-size: large;">Also Read: Daily Blog #702</span></a></p>David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com1tag:blogger.com,1999:blog-1466903740262764947.post-39857946886770956892020-08-10T00:37:00.010-05:002023-08-10T15:48:34.855-05:00Daily Blog #702: Sunday Funday 8/9/20 - Extensible Storage Engine (ESE) database Challenge<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCGWpeqCXGpcTeqvfDTEJNIrfPcVdhJLR9GkjJwfEb-wHzIULCsyMagYrdP08M03BZGWlGCAzr5zcATsQMboafoIGgDnTHz6CIM-LHzbpaWFxp2z8XecxWoZqt951WyBsHMjv6iZ5cXpopms_876FGupI2sMyQzrZU49RkU_uQ4hoUTo0u0CnbrRMYMQ/s1280/ad.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCGWpeqCXGpcTeqvfDTEJNIrfPcVdhJLR9GkjJwfEb-wHzIULCsyMagYrdP08M03BZGWlGCAzr5zcATsQMboafoIGgDnTHz6CIM-LHzbpaWFxp2z8XecxWoZqt951WyBsHMjv6iZ5cXpopms_876FGupI2sMyQzrZU49RkU_uQ4hoUTo0u0CnbrRMYMQ/w640-h360/ad.png" width="640" /></span></a></div><div 
class="separator" style="clear: both; text-align: center;"><br /></div><p></p><p><span style="font-family: Noto Sans JP; font-size: large;">Hello Reader,</span></p><p><span style="font-family: Noto Sans JP; font-size: large;"> It's been a while! I wish I could tell you what all I've been up to, but needless to say real investigations got so crazy between May and August that I couldn't even find time to blog without losing even more sleep. So let's pick up where we left off with a Sunday Funday! This week we address a database format we are seeing more and more as developers realize what a useful alternative it is to SQLite on a Windows system. This week is all about ESE databases! </span></p><p><span style="font-family: Noto Sans JP; font-size: large;"><br /><br /><b style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">The Prize:</b></span></p><p><span style="font-family: Noto Sans JP; font-size: large;"><span face="arial, helvetica, sans-serif" style="color: #616161;"><b><br /></b></span><span face="arial, helvetica, sans-serif" style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">$100 Amazon Giftcard</span></span></p><p><span style="font-family: Noto Sans JP; font-size: large;">And an appearance on the following week's Forensic Lunch!<br /><br style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;" /><b style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">The Rules:</b><br /><br /></span></p><ol style="box-sizing: border-box; line-height: 1.6em; margin: 0px; padding: 0px 0px 0px 50px; position: relative;"><li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">You must post your answer 
before Friday 8/14/20 7PM CST (GMT -5)</span></li><li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">The most complete answer wins</span></li><li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">You are allowed to edit your answer after posting</span></li><li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">If two answers are too similar for one to win, the one with the earlier posting time wins</span></li><li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">Be specific and be thoughtful</span></li><li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">Anonymous entries are allowed, please email them to dlcowen@gmail.com. 
Please state in your email if you would like to be anonymous or not if you win.</span></li><li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post</span></li></ol><p></p><p class="MsoNormal"><b><span style="font-family: Noto Sans JP; font-size: large;"><span style="border: 1pt none windowtext; mso-border-alt: none windowtext 0in; padding: 0in;">The Challenge:</span><o:p></o:p></span></b></p><p class="MsoNormal"><b><span style="font-family: Noto Sans JP; font-size: large;"><span style="background: white; border: 1pt none windowtext; mso-border-alt: none windowtext 0in; padding: 0in;">When looking at Extensible Storage Engine (ESE) database artifacts
(also known as 'Jet Blue' or .edb files):</span></span></b></p><p class="MsoNormal"><b><span style="background: white; border: 1pt none windowtext; font-family: Noto Sans JP; font-size: large; mso-border-alt: none windowtext 0in; padding: 0in;">1. Recover deleted messages from an ESE database, either from the live database or from the transaction journal. </span></b></p><p class="MsoNormal"><b><span style="background: white; border: 1pt none windowtext; font-family: Noto Sans JP; font-size: large; mso-border-alt: none windowtext 0in; padding: 0in;">2. Determine what applications other than IE, Search Index and SRUM make use of it.</span></b></p><p class="MsoNormal"><b><span style="background: white; border: 1pt none windowtext; font-family: Noto Sans JP; font-size: large; mso-border-alt: none windowtext 0in; padding: 0in;">3. Determine how to avoid data loss when copying it from a live system.</span></b></p><p class="MsoNormal"><b><span style="background: white; border: 1pt none windowtext; font-family: Noto Sans JP; font-size: large; mso-border-alt: none windowtext 0in; padding: 0in;"><a href="https://www.hecfblog.com/2020/05/daily-blog-701-magnet-virtual-summit.html">Also Read: Daily Blog #701 </a></span></b></p><p></p>David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-15629208138169216382020-05-12T20:56:00.005-05:002023-07-05T15:23:33.428-05:00Daily Blog #701: Magnet Virtual Summit CTF 2020 Results<div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivz3TB83jRecEEPmsXfv_ckANVjKNbxwH5qw62XpXQ50xUrTjVDxlVT_TweOy26S1a32ZL-Bvuk1dzxy-eo47UALAwruwY-WaMReZvEBjBp-UYEHgb6cuExpUKxQ4ZpnOLZ4CWOIoAZ3jeqBP7EFqMSz4K0Lvcj8X72hzD9kBkcKVJqeQiO_Dt1HezJQ/s1280/daw.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img alt="Magnet Virtual Summit CTF 2020 Results" border="0" 
data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivz3TB83jRecEEPmsXfv_ckANVjKNbxwH5qw62XpXQ50xUrTjVDxlVT_TweOy26S1a32ZL-Bvuk1dzxy-eo47UALAwruwY-WaMReZvEBjBp-UYEHgb6cuExpUKxQ4ZpnOLZ4CWOIoAZ3jeqBP7EFqMSz4K0Lvcj8X72hzD9kBkcKVJqeQiO_Dt1HezJQ/w640-h360/daw.png" title="Magnet Virtual Summit CTF 2020 Results" width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;">Hello Reader,</span></div><div><span style="font-family: Noto Sans JP; font-size: large;"> If you watched the live commentary, boy were you in for a treat! So much so that I deleted the video afterwards. No reason to let that hot mess live on forever. <br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;">What will live on forever, though, are the winners of the CTF!</span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3zic099HZab7N3Q8p7zIy2jBbBCW-7EF2R1ta9tnhxRGCseViPrIhInFDDwNcoKeWmzfbummipZ3AOs2u40AfEpr7Exy8fvDhju8HHDWsDjAJdIALRnoTjYTH_8I7U9tsHv8zAr_lM38/" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="Magnet Virtual Summit CTF 2020 Results" border="0" data-original-height="598" data-original-width="988" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3zic099HZab7N3Q8p7zIy2jBbBCW-7EF2R1ta9tnhxRGCseViPrIhInFDDwNcoKeWmzfbummipZ3AOs2u40AfEpr7Exy8fvDhju8HHDWsDjAJdIALRnoTjYTH_8I7U9tsHv8zAr_lM38/w640-h388/EX2-uKcXgAQ5wNU.jpg" title="Magnet Virtual Summit CTF 2020 Results" width="640" /></span></a></div><div><span style="font-family: Noto Sans JP; font-size: 
large;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;">Congratulations <span style="background-color: white;"><span style="color: #14171a;">Evangelos aka theAtropos4n6 for winning 1st place! We will hopefully see you on the Forensic Lunch Friday! <br /></span></span></span></div><div><span style="background-color: white;"><span style="color: #14171a; font-family: Noto Sans JP; font-size: large;"><br /></span></span></div><div><span style="background-color: white;"><span style="color: #14171a; font-family: Noto Sans JP;"><span style="font-size: large;">In second place was Oleg Skulkin aka 0x136, with the long-running CTF feud between evandrix of Singapore and Adam Harris aka harrisonamj going to evandrix this time for the 3rd-place finish. 
</span><span style="font-size: 15px;"><br /></span></span></span></div><div><span style="background-color: white;"><span style="color: #14171a;"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></span></span></div><div><span style="background-color: white;"><span style="color: #14171a;"><span style="font-family: Noto Sans JP; font-size: large;">Also Read: <a href="https://www.hecfblog.com/2020/05/daily-blog-700-new-version-of-plaso.html">Daily Blog #700</a></span></span></span></div>David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-12980911556206361312020-05-11T22:46:00.002-05:002023-06-04T18:43:16.063-05:00Daily Blog #700: New version of Plaso<div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0igNKeZb4TAqYgNaXq-t8jSPjixIHN24maX8LXi0CAoBIxPy_iaGJv-U_PHUk-gzZNguHl2day1iKi67hXwVf3S7J28basGM9HcCwqsFV2zAdeD7tiqJP_o9ei08EOGkckD9K5VGiTz8Xzjts9w1TgZ2nqWSU-PmLmLmAVOzTBl139eonzqm6F3LrtA/s1280/qw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="New version of Plaso" border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0igNKeZb4TAqYgNaXq-t8jSPjixIHN24maX8LXi0CAoBIxPy_iaGJv-U_PHUk-gzZNguHl2day1iKi67hXwVf3S7J28basGM9HcCwqsFV2zAdeD7tiqJP_o9ei08EOGkckD9K5VGiTz8Xzjts9w1TgZ2nqWSU-PmLmLmAVOzTBl139eonzqm6F3LrtA/w640-h360/qw.png" title="New version of Plaso" width="640" /></a></div><br /><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;">Hello Reader,</span></div><div><span style="font-family: Noto Sans JP; font-size: large;"> Ryan Benson's #130 Daily DFIR tweet mentioned something I think is interesting:</span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHFsYROKdcjOVzdPKQGtZFLsStkHgcLjn4e6s_WHuncPejoRCB0Gb5OVNYmN87bb_wfSSafchGFGN73-pQ5IYryRhaunHmeeKcDLa7MwmFLjhOcenTE9YBWRMI-hZTbZDLRuT9eJc0BryiTcAY5mWRp36Nk53Dfn7xDj0K07hGMO4L3BfEF4M8bKTj-A/s498/Tweet.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="New version of Plaso" border="0" data-original-height="270" data-original-width="498" height="346" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHFsYROKdcjOVzdPKQGtZFLsStkHgcLjn4e6s_WHuncPejoRCB0Gb5OVNYmN87bb_wfSSafchGFGN73-pQ5IYryRhaunHmeeKcDLa7MwmFLjhOcenTE9YBWRMI-hZTbZDLRuT9eJc0BryiTcAY5mWRp36Nk53Dfn7xDj0K07hGMO4L3BfEF4M8bKTj-A/w640-h346/Tweet.png" title="New version of Plaso" width="640" /></span></a></div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;">He pointed out that there is a new version of Plaso out, which by itself is good news, but what's interesting is that they have now switched to libfsntfs for NTFS parsing. <br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;">Why is that interesting?</span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;">Every previous version of Plaso and the dfVFS-backed tools made use of TSK's native support for NTFS. libfsntfs is Joachim Metz's NTFS library, written to handle all of the edge-case NTFS conditions he found, to run faster, and to extend what is possible with support for things like case-sensitive entries, which in NTFS is interesting all by itself. <br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><span>I think we should have a look at this library Wednesday. Why not tomorrow? 
Tomorrow is when we do Magnet Virtual CTF commentary live on <a href="https://www.youtube.com/user/LearnForensics">YouTube</a>!</span><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://www.hecfblog.com/2020/05/daily-blog-699-sunday-funday-51020.html" target="_blank">Also Read: Daily Blog #699</a></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div><span style="font-family: verdana; font-size: large;"><br /></span></div>David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-22895138885300460242020-05-10T01:11:00.007-05:002023-08-10T15:49:16.560-05:00Daily Blog #699: Sunday Funday 5/10/20 - Auditd Challenge<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvKwflCB2hae67iDBWDkwF38Fk-QtZXj9vXnjxsz7dDBGz7Y_D3cblTHrUC900aSv-HxQy7hPsfCF29tqW4K7EN9052cOu8o2SKSgbzx5rfEtvFqGAbDtDt0_szx7wg-uZpAej4XAu4HuUeUmAfUyRooPQsvFZqtLWTxlqWLCesJ4qBKsdaxdRkNzoeA/s1244/aws.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img border="0" data-original-height="700" data-original-width="1244" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvKwflCB2hae67iDBWDkwF38Fk-QtZXj9vXnjxsz7dDBGz7Y_D3cblTHrUC900aSv-HxQy7hPsfCF29tqW4K7EN9052cOu8o2SKSgbzx5rfEtvFqGAbDtDt0_szx7wg-uZpAej4XAu4HuUeUmAfUyRooPQsvFZqtLWTxlqWLCesJ4qBKsdaxdRkNzoeA/w640-h360/aws.png" width="640" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
<br />
We've bounced from Windows to OSX and around the cloud. What we haven't done, though, is venture into the deep waters of Linux forensics. Today let's help out our fellow examiners who are in the trenches with few landmarks to guide their way through the Linux forensics wasteland, with this week's challenge focused on Auditd.<br /><br />
<br />
<b style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">The Prize:</b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><span style="color: #616161;"><b><br /></b></span>
<span face="arial, helvetica, sans-serif" style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">$100 Amazon Giftcard</span><br />
</span><span style="font-family: Noto Sans JP; font-size: large;">An appearance on the following week's Forensic Lunch!<br />
<br style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;" />
<b style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">The Rules:</b><br />
<br />
</span><ol style="box-sizing: border-box; line-height: 1.6em; margin: 0px; padding: 0px 0px 0px 50px; position: relative;">
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">You must post your answer before Friday 5/15/20 7PM CST (GMT -5)</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">The most complete answer wins</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">You are allowed to edit your answer after posting</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">If two answers are too similar for one to win, the one with the earlier posting time wins</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">Be specific and be thoughtful</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post</span></li>
</ol>
<div style="box-sizing: border-box; position: relative;">
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><br style="box-sizing: border-box; position: relative;" /></span></b></div>
<div style="box-sizing: border-box; position: relative;">
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><br style="box-sizing: border-box; position: relative;" /></span></b></div>
<span style="font-family: Noto Sans JP; font-size: large;"><b style="box-sizing: border-box; line-height: 17.28px; position: relative;">The Challenge:</b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">On a Linux system with Auditd enabled, answer the following questions:</b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><b><br /></b>
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">1. What new data sources does Auditd create?</b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><b><br /></b>
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">2. What tools support the data?</b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><b><br /></b>
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">3. What can an examiner determine from Auditd?</b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><b><br /></b>
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">4. How long is the data retained for?</b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><b><br /></b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-size: large;"><b><a href="https://www.hecfblog.com/2020/05/daily-blog-698-solution-saturday-5920.html"><span style="font-family: Noto Sans JP;">Also Read: Daily Blog #698</span></a><br /></b></span></div>
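<div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">A worked example, added here and not part of the challenge or of any entrant's answer, of the ground questions 1 and 3 cover: the new data source auditd creates is /var/log/audit/audit.log, and each event in it is a set of records (SYSCALL, EXECVE, CWD, PATH, PROCTITLE, USER_LOGIN and so on) that share the serial inside msg=audit(timestamp:serial). The code joins those records back into events, decodes the hex-encoded values auditd emits for any field that contains whitespace or control bytes, and produces a timeline. The record format is the standard one; the log lines themselves are constructed for the example, including the hosts and the user.</span></div>

```python
"""Rebuild a timeline from auditd's audit.log: join the records that share a
serial into one event, decode hex-encoded fields, and keep what an examiner
wants (who, under which login, ran what, from where, touching which paths)."""
import binascii
import re
from collections import defaultdict
from datetime import datetime, timezone

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$"
)
FIELD_RE = re.compile(r'(?P<key>[\w-]+)=(?P<val>"[^"]*"|\S*)')
# "Untrusted string" fields: auditd quotes them, or hex-encodes them when they
# contain whitespace or control bytes (e.g. a2=2F746D70... or proctitle=...).
HEX_FIELDS = {"proctitle", "cwd", "name", "exe", "comm", "key", "acct"}


def decode_value(field, value, rec_type):
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if field in HEX_FIELDS or (rec_type == "EXECVE" and re.fullmatch(r"a\d+", field)):
        try:
            raw = binascii.unhexlify(value)
        except (binascii.Error, ValueError):
            return value                   # e.g. key=(null)
        # PROCTITLE separates argv with NULs; show it as a command line.
        return raw.decode("utf-8", "replace").replace("\x00", " ")
    return value


def parse_audit_log(text):
    """Group raw audit.log lines into events keyed by serial. Records of
    different events interleave in the file, so the serial is the join key."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        body = m["body"]
        if "msg='" in body:                # USER_* records nest their fields in msg='...'
            body = body.replace("msg='", "", 1).rstrip("'")
        fields = {k: decode_value(k, v, m["type"]) for k, v in FIELD_RE.findall(body)}
        ev = events.setdefault(int(m["serial"]),
                               {"ts": float(m["ts"]), "records": defaultdict(list)})
        ev["records"][m["type"]].append(fields)
    return events


def build_timeline(events):
    """One row per event in time order: syscalls (with EXECVE argv, CWD, PATH
    and PROCTITLE folded in) and session logins."""
    rows = []
    for serial, ev in events.items():
        recs = ev["records"]
        when = datetime.fromtimestamp(ev["ts"], tz=timezone.utc).isoformat(timespec="milliseconds")
        row = {"serial": serial, "ts": ev["ts"], "when": when}
        if "SYSCALL" in recs:
            sc = recs["SYSCALL"][0]
            args = {}                      # long command lines span several EXECVE records
            for ex in recs.get("EXECVE", []):
                args.update({k: v for k, v in ex.items() if re.fullmatch(r"a\d+", k)})
            argc = int(recs["EXECVE"][0]["argc"]) if recs.get("EXECVE") else 0
            row.update(kind="syscall",
                       auid=int(sc.get("auid", -1)), uid=int(sc.get("uid", -1)),
                       syscall=sc.get("syscall"), success=sc.get("success"), exit=sc.get("exit"),
                       exe=sc.get("exe"), comm=sc.get("comm"), key=sc.get("key"),
                       cwd=recs["CWD"][0].get("cwd") if recs.get("CWD") else None,
                       argv=[args[f"a{i}"] for i in range(argc) if f"a{i}" in args],
                       paths=[p["name"] for p in recs.get("PATH", []) if "name" in p],
                       proctitle=recs["PROCTITLE"][0].get("proctitle") if recs.get("PROCTITLE") else None)
        elif "USER_LOGIN" in recs:
            lg = recs["USER_LOGIN"][0]
            row.update(kind="login", auid=int(lg.get("auid", -1)), uid=int(lg.get("uid", -1)),
                       ses=lg.get("ses"), addr=lg.get("addr"), exe=lg.get("exe"), res=lg.get("res"))
        else:
            continue
        rows.append(row)
    rows.sort(key=lambda r: (r["ts"], r["serial"]))
    return rows


def timeline_from_text(text):
    return build_timeline(parse_audit_log(text))


# Constructed audit.log excerpt: an ssh login as uid 1000, a curl run under sudo
# (uid=0 but auid still 1000) whose third argument is hex-encoded because it has
# a space in it, and a denied read of /etc/shadow caught by a -w watch rule.
# The records of serial 4568 interleave with those of 4567, as on real hosts.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1589087990.001:4560): pid=1990 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=198.51.100.9 addr=198.51.100.9 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1589088000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1589088000.123:4567): argc=4 a0="curl" a1="-o" a2=2F746D702F706179206C6F6164 a3="http://203.0.113.7/x"
type=CWD msg=audit(1589088000.123:4567): cwd="/home/dave"
type=SYSCALL msg=audit(1589088012.456:4568): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd a2=0 a3=0 items=1 ppid=2001 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow-access"
type=PATH msg=audit(1589088000.123:4567): item=0 name="/usr/bin/curl" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1589088000.123:4567): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5678 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1589088000.123:4567): proctitle=6375726C002D6F002F746D702F706179206C6F616400687474703A2F2F3230332E302E3131332E372F78
type=CWD msg=audit(1589088012.456:4568): cwd="/home/dave"
type=PATH msg=audit(1589088012.456:4568): item=0 name="/etc/shadow" inode=9012 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1589088012.456:4568): proctitle=636174002F6574632F736861646F77
"""

if __name__ == "__main__":
    for row in timeline_from_text(SAMPLE_AUDIT_LOG):
        print(row)
```

<div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">The auid column is the forensically useful part: it is the login UID fixed at session start and it survives sudo and su, so the curl that ran as uid 0 is still attributed to the user whose ssh login from 198.51.100.9 appears in the first row, and the EACCES on /etc/shadow (exit=-13) is tied to the same session. For question 4, what survives on disk is whatever max_log_file, num_logs and max_log_file_action in /etc/audit/auditd.conf allow, so collect the rotated audit.log.N files as well; ausearch and aureport read the same records, and ausearch -i performs the same hex decoding shown here.</span></div>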
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-48315957485472811082020-05-10T01:07:00.008-05:002023-07-05T15:24:11.679-05:00Daily Blog #698: Solution Saturday 5/9/20 - Updating a Previous Challenge on KnowledgeC<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_KHiGWc8iULrzrBtqGPtVt6yaudQG2r272-OfSZqnwm-kN_WTpY0YPTe4oX8AYjBncffvN9XFQau0mWaGd-OvAnuY6gVm3OtIDL1k7GUYfYPVlHawZYVl1A7Yd-oAnMUM43WaghMWkwTT9tyHjlvvtxywwoF0KZk3ufb2KkIE4AyIKoHi6L5JllKZog/s1278/SOlution.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img border="0" data-original-height="719" data-original-width="1278" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_KHiGWc8iULrzrBtqGPtVt6yaudQG2r272-OfSZqnwm-kN_WTpY0YPTe4oX8AYjBncffvN9XFQau0mWaGd-OvAnuY6gVm3OtIDL1k7GUYfYPVlHawZYVl1A7Yd-oAnMUM43WaghMWkwTT9tyHjlvvtxywwoF0KZk3ufb2KkIE4AyIKoHi6L5JllKZog/w640-h360/SOlution.png" width="640" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: Noto Sans JP;"><br /></span></div><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
It was a week of returning champs coming to see who could win, and this week that was Oleg Skulkin, who did some solid work updating a previous challenge on KnowledgeC. So congrats Oleg, another win for the board!<br />
<br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">The Challenge:</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">KnowledgeC on iOS is a jam packed knowledge resource, but on OSX it seems to be less used. </b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">1. What does each table in the KnowledgeC database correspond to activity wise</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">2. What data is logged in each table</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">3. What data is not logged</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">4. Is there a similar datasource that would fill in the gaps?</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><br /></b>
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">The Winning Answer:</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">Oleg Skulkin</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><br /></b>
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"></b><br />
</span><div class="MsoNormal">
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><b style="mso-bidi-font-weight: normal;"><span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">Know Your KnowledgeC<o:p></o:p></span></b></b></div>
<span style="font-family: Noto Sans JP; font-size: large;"><b style="box-sizing: border-box; line-height: 17.28px; position: relative;">
</b><br />
</span><div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="mso-ansi-language: EN-US;">I’m using macOS
devices quite often, for example, to read blogs and for general web-surfing, but
don’t look at them from a forensic perspective quite often, so Sunday Funday
gives me a good opportunity to do it.<o:p></o:p></span></b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="mso-ansi-language: EN-US;"><br /></span></b></span></div>
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">
</span><div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;">KnowledgeC. This is
quite a well-known source of forensic artifacts; many forensic tools even extract
relevant data from it automatically (e.g. Magnet AXIOM; Plaso also has a parser
for it - mac_knowledgec). <o:p></o:p></span><br />
<span style="mso-ansi-language: EN-US;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;">Regarding research,
Sarah Edwards proved that KnowledgeC is power (</span><span lang="RU"><a href="https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage"><span lang="EN-US" style="mso-ansi-language: EN-US;">https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage</span></a></span><span style="mso-ansi-language: EN-US;">), also we already had a Sunday Funday on this
topic, but focusing on macOS Mojave, and Tun Naung (</span><span lang="RU"><a href="https://twitter.com/tunnaunglin"><span lang="EN-US" style="mso-ansi-language: EN-US;">https://twitter.com/tunnaunglin</span></a></span><span style="mso-ansi-language: EN-US;">) won it (</span><span lang="RU"><a href="https://www.hecfblog.com/2019/03/daily-blog-642-solution-saturday-3919.html"><span lang="EN-US" style="mso-ansi-language: EN-US;">https://www.hecfblog.com/2019/03/daily-blog-642-solution-saturday-3919.html</span></a></span><span style="mso-ansi-language: EN-US;">).<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;"><br /></span>
<span style="mso-ansi-language: EN-US;">But now we already
have macOS Catalina (10.15), so it’s high time to look at the data source
again.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;"><br /></span>
<span style="mso-ansi-language: EN-US;">In fact, there are two
knowledge databases on macOS: system and user context. The first is located
under /private/var/db/CoreDuet/Knowledge, the second – under
/Users/username/Library/Application Support/Knowledge.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;"><br /></span>
<span style="mso-ansi-language: EN-US;">Let’s start from the
first one, the system context database. It was obtained from a macOS image
presented at the recent Champlain CTF.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">There are 16 tables in
the database:<br /><br /><o:p></o:p></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDLb5BFl56XUsp9WRiFy8lXeCmCB_EBTD4O679fiC9_og6wYftV5XG5FrN4VFQfkjsogAUugvHLPoieXuv4wHnZdgFRFNsHT4JR04_Z-IMFVNPDBmxXAMW3FSFOGBBPBzYCflea2Ove7g/s1600/1.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="updating a previous challenge on KnowledgeC" border="0" data-original-height="413" data-original-width="341" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDLb5BFl56XUsp9WRiFy8lXeCmCB_EBTD4O679fiC9_og6wYftV5XG5FrN4VFQfkjsogAUugvHLPoieXuv4wHnZdgFRFNsHT4JR04_Z-IMFVNPDBmxXAMW3FSFOGBBPBzYCflea2Ove7g/w528-h640/1.png" title="updating a previous challenge on KnowledgeC" width="528" /></span></a></div>
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;"><br /></span></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">System context database tables<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;">Most of the tables are
empty. The most interesting things start from the ZOBJECT table. The ZSTREAMNAME column
contains information about the data streams. In the database I’m looking at
there are several streams:<o:p></o:p></span><br />
<span style="mso-ansi-language: EN-US;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br />
</span><ul style="text-align: left;">
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">com.apple.spotlightviewer.events</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/safari/history</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/media/nowPlaying</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/display/isBacklit</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/app/inFocus</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/app/activity</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/activity/level/feedback</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/activity/level</span></div>
</span></b></li>
</ul><span style="font-family: Noto Sans JP; font-size: large;">
The ZVALUESTRING column contains
additional information. For example, for /app/inFocus it shows the application
used, for /safari/history – the URL. That’s not all: for Safari related activity
and /media/nowPlaying it contains additional metadata in the ZSTRUCTUREDMETADATA
table; the corresponding ID can be found in the column with the same name. For
example, for Safari history it will store the webpage’s title in the Z_DKSAFARIHISTORYMETADATAKEY__TITLE
column:</span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Noto Sans JP; font-size: large;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-5m1AKoNuDqRCqINB_u9hM6toP67bjR7N5upRqrCPQwx-cBtx4dqs2D-gSmRJ1FAxpSrk13PS7OwoI0Ec3rCG7bKqzLn_gC6iyqIHOQeySJtkoEUSx807o9Sb2nWfVMLCMINqPYnvR5k/s1600/2.png" style="margin-left: 1em; margin-right: 1em;"><img alt="updating a previous challenge on KnowledgeC" border="0" data-original-height="221" data-original-width="420" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-5m1AKoNuDqRCqINB_u9hM6toP67bjR7N5upRqrCPQwx-cBtx4dqs2D-gSmRJ1FAxpSrk13PS7OwoI0Ec3rCG7bKqzLn_gC6iyqIHOQeySJtkoEUSx807o9Sb2nWfVMLCMINqPYnvR5k/w640-h336/2.png" title="updating a previous challenge on KnowledgeC" width="640" /></a></span></div>
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;"><br /></span></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">Of course, we
shouldn’t forget about the timestamps: there are three columns in ZOBJECT
table: ZSTARTDATE, ZENDDATE and ZCREATIONDATE, all contain timestamps in Mac
Absolute Time format.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;"><br /></span>
<span style="mso-ansi-language: EN-US;">It’s time for an SQL
query!<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br />
</span><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6VN_A0-Rc9KBzIRMGFOABQK9AsrT71cl-kRqZDnFZM3kKKVjb5VLqQFuMtFrCIEsked5RFykiSmUKwX6A0imYiE9dT0o4wQS-HlvykDeKNankypTGTyBhAmhYjLJAhCVUCTRdRrVrm3M/s1600/3.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="updating a previous challenge on KnowledgeC" border="0" data-original-height="571" data-original-width="959" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6VN_A0-Rc9KBzIRMGFOABQK9AsrT71cl-kRqZDnFZM3kKKVjb5VLqQFuMtFrCIEsked5RFykiSmUKwX6A0imYiE9dT0o4wQS-HlvykDeKNankypTGTyBhAmhYjLJAhCVUCTRdRrVrm3M/w640-h380/3.png" title="updating a previous challenge on KnowledgeC" width="640" /></span></a></div>
<span style="font-family: Noto Sans JP; font-size: large;"><br />
<br />
<br />
<br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;">Let’s move on to the
user context database. I got this one from our iMac. It’s used very often, so
there should be a lot of data in the database.<o:p></o:p></span><br />
<span style="mso-ansi-language: EN-US;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">Tables are the same –
we have 16 of them. Let’s look inside ZOBJECT table. Here are the streams
available in ZSTREAMNAME:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;"><br /></span>
<br />
</span><ul style="text-align: left;">
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/portrait/topic</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/portrait/entity</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/notification/usage</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/knowledge-sync-deletion-bookmark/</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/knowledge-sync-addition-window/</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span lang="RU">/display/isBacklit</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/app/usage</span></div>
</span></b></li>
<li><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><div class="MsoNormal">
<span style="mso-ansi-language: EN-US;">/app/intents</span></div>
</span></b></li>
</ul>
</div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;"><br /></span>
<span style="mso-ansi-language: EN-US;">First of all, we have
some information about database synchronization. It means that it may contain
not only information about this iMac, but also synced data, for example, from
an iPhone. There’s a table called ZSYNCPEER that includes some information
about these devices:<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;"><br /></span>
</span><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifbTATkNB68Y28CIR7LnCM8JV5s_2JDcPqM9ilT2MZxn4JhwnAKRj7qYCd6PwRg570_qT8zDjFYRQOU7xx5KfCLU5u8Sm8Wsc9jnNCW3Noimzm1T_X-Vh7e08yzvCtCavrCgGEtRkuAPs/s1600/4.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="updating a previous challenge on KnowledgeC" border="0" data-original-height="189" data-original-width="455" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifbTATkNB68Y28CIR7LnCM8JV5s_2JDcPqM9ilT2MZxn4JhwnAKRj7qYCd6PwRg570_qT8zDjFYRQOU7xx5KfCLU5u8Sm8Wsc9jnNCW3Noimzm1T_X-Vh7e08yzvCtCavrCgGEtRkuAPs/w640-h264/4.png" title="updating a previous challenge on KnowledgeC" width="640" /></span></a></div>
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;"><br /></span>
<span style="mso-ansi-language: EN-US;"><br /></span>
<span style="mso-ansi-language: EN-US;">There’s another useful
table – ZSOURCE. Here we can find out whether it was a WhatsApp message, a phone call or an
SMS. It can also help us understand some uncommon data types. For example,
we can see that /portrait/topic refers to Pinterest, /portrait/entity – to
Safari. <o:p></o:p></span><br />
<span style="mso-ansi-language: EN-US;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;">Let’s look inside
ZSTRUCTUREDMETADATA, especially at the Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION
column. Here we can see some BLOBs. Let’s export one of them; it can be done,
for example, with DB Browser for SQLite. In fact, it’s a binary plist. But
that’s not all, there is another plist inside! It’s inside NS.data. In my case
it was a WhatsApp message, and I could get not only the phone number (it’s also
available in Z_DKINTENTMETADATAKEY__DERIVEDINTENTIDENTIFIER), but also the
contact’s name. The same can be done with phone calls – we can recover the
phone number. Unfortunately, we can’t recover the message body.<o:p></o:p></span><br />
<span style="mso-ansi-language: EN-US;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;">Again, we can gather a
lot of information about the usage of applications from /app/usage stream:<o:p></o:p></span><br />
</span><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF_a-3NbvRHbOw9KuKHJG8LlKjIya9XCpm-rj-MBFf38qPL9QwhaZh_daQpHzhJ3GujKE7OnUsG-erlUqQXezDssijC-lp1nqIL8_zKgbIxzM08kKYg_vECXjJIw2vbTRvD6TuwXoRcD4/s1600/5.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="updating a previous challenge on KnowledgeC" border="0" data-original-height="345" data-original-width="644" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF_a-3NbvRHbOw9KuKHJG8LlKjIya9XCpm-rj-MBFf38qPL9QwhaZh_daQpHzhJ3GujKE7OnUsG-erlUqQXezDssijC-lp1nqIL8_zKgbIxzM08kKYg_vECXjJIw2vbTRvD6TuwXoRcD4/w640-h342/5.png" title="updating a previous challenge on KnowledgeC" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;"><br /></span>
<span style="mso-ansi-language: EN-US;"><br /></span>
<span style="mso-ansi-language: EN-US;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;">Let’s write an SQL query
to gather this information:<o:p></o:p></span><br />
<span style="mso-ansi-language: EN-US;"><br /></span>
</span><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOlzPWJhYrVhVpHG-GRg5nzGP3T5m7ZvddT_SVlj9pEsyAlS1AQjht6Xc1-V3fEkCKifB5fGSwBCGkkpad4OhtaqiGeLsA2DDIqDinkDjY0G_Rw8_0gfGebvBa78vXVRGToNUx1dnRNCQ/s1600/6.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="updating a previous challenge on KnowledgeC" border="0" data-original-height="493" data-original-width="776" height="406" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOlzPWJhYrVhVpHG-GRg5nzGP3T5m7ZvddT_SVlj9pEsyAlS1AQjht6Xc1-V3fEkCKifB5fGSwBCGkkpad4OhtaqiGeLsA2DDIqDinkDjY0G_Rw8_0gfGebvBa78vXVRGToNUx1dnRNCQ/w640-h406/6.png" title="updating a previous challenge on KnowledgeC" width="640" /></span></a></div>
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;"><br /></span>
<span style="mso-ansi-language: EN-US;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;">As you can see, the
first record is April 4, 2020, today is May 3, 2020, so the database stores
data for only 30 days. <o:p></o:p></span><br />
<span style="mso-ansi-language: EN-US;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;">So, what other similar
data sources are available? For example, another interesting database is
located under /private/var/db/CoreDuet/People. It’s interaction.db. There are
11 tables inside:<o:p></o:p></span><br />
<span style="mso-ansi-language: EN-US;"><br /></span>
</span><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhltYtXumRCZ29DvbZsulZnvNGjJ15dSrRLmWRs7zNqPEDG7YmryzE-3r5n4P6nXDBlBWKlrsI26apr8gWLoEyeSIpXwaYkWtXwN_7YBpaq1LIIlEX5uY5oObNzqrxgI0h-ghT1B2-RsUY/s1600/7.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="updating a previous challenge on KnowledgeC" border="0" data-original-height="292" data-original-width="270" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhltYtXumRCZ29DvbZsulZnvNGjJ15dSrRLmWRs7zNqPEDG7YmryzE-3r5n4P6nXDBlBWKlrsI26apr8gWLoEyeSIpXwaYkWtXwN_7YBpaq1LIIlEX5uY5oObNzqrxgI0h-ghT1B2-RsUY/w592-h640/7.png" title="updating a previous challenge on KnowledgeC" width="592" /></span></a></div>
<span style="font-family: Noto Sans JP; font-size: large;"><span style="mso-ansi-language: EN-US;"><br /></span>
<span style="mso-ansi-language: EN-US;"><br /></span></span></div>
<div class="MsoNormal"><div class="MsoNormal"><span style="font-family: Noto Sans JP; font-size: large;">If we look inside ZINTERACTIONS and ZCONTACTS, we can gather some information about calls the user performed. Again, it seems the data is written to the database as part of the synchronization process, and, of course, it’ll contain different datasets – it’ll depend on the device.</span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div></div><div class="MsoNormal"><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://www.hecfblog.com/2020/05/daily-blog-697-forensic-lunch-5820-jack.html">Also Read: Daily Blog #697</a></span></div>
</b></div>
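The steps Oleg walks through above (the ZOBJECT to ZSTRUCTUREDMETADATA join, the Mac Absolute Time columns, the plist nested under NS.data, and the span of stored data), as an added example that is not part of the original post or his answer. The in-memory database with only the columns named in the answer and the layout of the serialized interaction blob are constructed assumptions; the real schema is much larger and the real blob is an NSKeyedArchiver plist.

```python
import datetime
import plistlib
import sqlite3

# Mac Absolute Time counts seconds from 2001-01-01 00:00:00 UTC.
MAC_ABSOLUTE_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)

# The join described in the answer: each ZOBJECT row with its ZSTRUCTUREDMETADATA
# record, located through the ZOBJECT column of the same name.
TIMELINE_SQL = """
SELECT o.ZSTREAMNAME, o.ZVALUESTRING, o.ZSTARTDATE, o.ZENDDATE, o.ZCREATIONDATE,
       m.Z_DKSAFARIHISTORYMETADATAKEY__TITLE,
       m.Z_DKINTENTMETADATAKEY__DERIVEDINTENTIDENTIFIER,
       m.Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION
FROM ZOBJECT o
LEFT JOIN ZSTRUCTUREDMETADATA m ON o.ZSTRUCTUREDMETADATA = m.Z_PK
ORDER BY o.ZSTARTDATE
"""


def mac_absolute_to_iso(seconds):
    """Convert a Mac Absolute Time value to an ISO-8601 UTC string (None stays None)."""
    if seconds is None:
        return None
    return (MAC_ABSOLUTE_EPOCH + datetime.timedelta(seconds=seconds)).isoformat()


def unwrap_ns_data(blob):
    """Parse a binary plist and decode any plist carried under an NS.data key, wherever it sits."""
    def walk(node):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                if key == "NS.data" and isinstance(value, bytes):
                    try:
                        value = walk(plistlib.loads(value))
                    except (plistlib.InvalidFileException, ValueError):
                        pass  # payload is not a plist: keep the raw bytes
                else:
                    value = walk(value)
                out[key] = value
            return out
        if isinstance(node, list):
            return [walk(item) for item in node]
        return node
    return walk(plistlib.loads(blob))


def knowledgec_timeline(conn):
    """Return the joined rows with timestamps converted and interaction blobs decoded."""
    rows = []
    for stream, value, start, end, created, title, intent_id, blob in conn.execute(TIMELINE_SQL):
        rows.append({"stream": stream, "value": value, "title": title, "intent_id": intent_id,
                     "start": mac_absolute_to_iso(start), "end": mac_absolute_to_iso(end),
                     "created": mac_absolute_to_iso(created),
                     "interaction": unwrap_ns_data(blob) if blob else None})
    return rows


def retention_days(conn):
    """Days between the oldest and newest ZSTARTDATE: the check behind the 30-day observation."""
    oldest, newest = conn.execute("SELECT MIN(ZSTARTDATE), MAX(ZSTARTDATE) FROM ZOBJECT").fetchone()
    return (newest - oldest) / 86400.0


def build_sample_db():
    """Constructed sample database with only the columns the answer names (not the full schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZSTRUCTUREDMETADATA (
            Z_PK INTEGER PRIMARY KEY,
            Z_DKSAFARIHISTORYMETADATAKEY__TITLE TEXT,
            Z_DKINTENTMETADATAKEY__DERIVEDINTENTIDENTIFIER TEXT,
            Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB);
        CREATE TABLE ZOBJECT (
            Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, ZVALUESTRING TEXT,
            ZSTARTDATE REAL, ZENDDATE REAL, ZCREATIONDATE REAL,
            ZSTRUCTUREDMETADATA INTEGER);
    """)
    # Constructed stand-in for the archived interaction: an inner plist carried in NS.data.
    inner = plistlib.dumps({"contactName": "Example Contact", "phoneNumber": "+15550100"},
                           fmt=plistlib.FMT_BINARY)
    outer = plistlib.dumps({"$objects": ["$null", {"NS.data": inner}]}, fmt=plistlib.FMT_BINARY)
    conn.executemany("INSERT INTO ZSTRUCTUREDMETADATA VALUES (?, ?, ?, ?)",
                     [(1, "Example Domain", None, None), (2, None, "+15550100", outer)])
    # 607694400 = 2020-04-04 12:00:00 UTC in Mac Absolute Time; the other rows are offsets from it.
    t0 = 607694400.0
    day = 86400.0
    conn.executemany("INSERT INTO ZOBJECT VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (1, "/safari/history", "https://example.com/", t0, t0 + 10, t0, 1),
        (2, "/app/inFocus", "com.apple.Safari", t0 + 60, t0 + 120, t0 + 60, None),
        (3, "/app/intents", "net.whatsapp.WhatsApp", t0 + 29 * day, t0 + 29 * day + 5, t0 + 29 * day, 2),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for row in knowledgec_timeline(db):
        print(row["start"], row["stream"], row["value"], row["title"], row["interaction"])
    print("span of stored data in days:", retention_days(db))
```

Point the connection at a copy of a real KnowledgeC.db instead of build_sample_db() to run the same join against an acquired database.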
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com1tag:blogger.com,1999:blog-1466903740262764947.post-6661439812427934462020-05-08T16:52:00.005-05:002023-08-10T15:53:04.238-05:00Daily Blog #697: Forensic Lunch 5/8/20 - Jack Farley, Josh Brunty, Kevin Pagano, Tom Pace, Jim Arnold<div class="separator" style="clear: both; text-align: center;"><span style="font-family: Noto Sans JP;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd88-15sDiMQOG9sz2ZBuEwRgydLkNgPzxnjymIN2nHsSevSWjIKG9v6BfT7nU9HMtVHlf3vhKNK1yVRGwRpIPLYPdL6_qU5c6kGDIT0CZbirpOXrvqkCzQFSjqSLJB7xxzxn6t1AwlVf9whVqYl1BfHSywOhaV9AXAGA8bSxsTCJJU8hcFJWzXF9gfQ/s1280/vv.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img alt="We talk about DFIR with experts by David Cowen - Hacking Exposed Computer Forensics Blog" border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd88-15sDiMQOG9sz2ZBuEwRgydLkNgPzxnjymIN2nHsSevSWjIKG9v6BfT7nU9HMtVHlf3vhKNK1yVRGwRpIPLYPdL6_qU5c6kGDIT0CZbirpOXrvqkCzQFSjqSLJB7xxzxn6t1AwlVf9whVqYl1BfHSywOhaV9AXAGA8bSxsTCJJU8hcFJWzXF9gfQ/w640-h360/vv.png" title="We talk about DFIR with experts by David Cowen - Hacking Exposed Computer Forensics Blog" width="640" /></span></a></div><div dir="ltr" style="text-align: left;" trbidi="on"><br /></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
Another week of crisis times means another weekly Forensic Lunch!<br />
<br />
This week on the Forensic Lunch
we had:<br />
</span><ul style="text-align: left;">
<li><span style="font-family: Noto Sans JP; font-size: large;">Josh Brunty, <a href="https://twitter.com/joshbrunty">@joshbrunty</a>, talking about his DFIR program at Marshall </span></li>
<ul>
<li><span style="font-family: Noto Sans JP; font-size: large;"> <a href="https://www.marshall.edu/cyber/">https://www.marshall.edu/cyber/</a></span></li>
</ul>
<li><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://twitter.com/TommyPastry">Tom Pace</a> of BlackBerry Cylance and Jim Arnold of KPMG talking about recent ransomware trends. </span></li>
<li><span style="font-family: Noto Sans JP; font-size: large;">Kevin Pagano, <a href="https://twitter.com/KevinPagano3">@kevpagano3</a>, talking about his Sunday Funday and the Magnet Virtual CTF </span></li>
<li><span style="font-family: Noto Sans JP; font-size: large;">Jack Farley, <a href="https://twitter.com/JackFarley248">@jackfarley248</a>, talking about MEAT and the Magnet Virtual CTF</span></li>
<ul>
<li><span style="font-family: Noto Sans JP; font-size: large;"> <a href="https://github.com/jfarley248/MEAT">https://github.com/jfarley248/MEAT</a></span></li>
</ul>
</ul>
<span style="font-family: Noto Sans JP; font-size: large;"><br />
<br />
You can watch it here:<br />
<a href="https://youtu.be/fPzSm-hofA0">https://youtu.be/fPzSm-hofA0</a></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://www.hecfblog.com/2020/05/daily-blog-696-free-autopsy-training.html" target="_blank">Also Read: Daily Blog #696 - Free Autopsy Training</a></span></div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-89319292865954588512020-05-08T00:07:00.004-05:002023-07-05T15:24:53.957-05:00Daily Blog #696: Free Autopsy Training<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJxPy2gpYVd2ApLpCLZUMm4q_nD4a1qTXUqoiT3W-UAQC4K4zaMJnAIAvT5I552wQTyu61aUbZEiBbLRDO49XuBox1Kh6rhW4RrwvBCkYF7KMbpcyxznk_1rw5qcTv6FKLg1Kya-tvGWksBKVdTX0url9Y1uu2eOJhEzo5W6wDVYZIpAVuaEe7ZiyzMA/s1280/Ok.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="Free Autopsy Training - DFIR" border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJxPy2gpYVd2ApLpCLZUMm4q_nD4a1qTXUqoiT3W-UAQC4K4zaMJnAIAvT5I552wQTyu61aUbZEiBbLRDO49XuBox1Kh6rhW4RrwvBCkYF7KMbpcyxznk_1rw5qcTv6FKLg1Kya-tvGWksBKVdTX0url9Y1uu2eOJhEzo5W6wDVYZIpAVuaEe7ZiyzMA/w640-h360/Ok.png" title="Free Autopsy Training - DFIR" width="640" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
I know right now not everyone is heads down in DFIR investigations like we are. I know that we are fortunate to retain our jobs and keep doing the work we love. So for those of you who know individuals who are looking to transition into DFIR, or those already in it who are looking to grow their skills but currently have 0 budget to do it, I have some good news.<br />
<br />
The fine folks over at Basis Technologies who fund things like The Sleuth Kit, Autopsy and OSDFCon have made their very successful Autopsy training class free!<br />
<br />
This is an 8 hour on demand course that normally costs $495! However, you only have one more week left to claim it as they set a date of 5/15/20 to end this amazing deal.<br />
<br />
So if you or someone you know has the time and want to get skilled up, what are you waiting for?<br />
<a href="https://www.autopsy.com/support/training/covid-19-free-autopsy-training/">https://www.autopsy.com/support/training/covid-19-free-autopsy-training/</a><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><u><a href="https://www.hecfblog.com/2020/05/daily-blog-695-magnet-virtual-summit.html">Also Read: Daily Blog #695</a></u></span></div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-70655707038238906012020-05-06T22:48:00.003-05:002023-08-10T15:53:53.378-05:00Daily Blog #695: Magnet Virtual Summit CTF Live Commentary!<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZoS4oKm1Fl3eIgksqe06QXb84UIDNAo_KAUgcNtk07wfrvGRB-rUL96q5PJBFKc9Iv7yqoQPSiIHnXGurBYAtlwOjA12Wa3HhLqRfTiK5tV7owm9D6gKHaoYdsVDREoTOAQRjnN7dAxvqlopOiRb_f8kh2CDIkB2cc5D2V21-LIFnb3iTWbgAMoWREw/s1280/Z.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img alt="Magnet Virtual Summit CTF Live Commentary!" border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZoS4oKm1Fl3eIgksqe06QXb84UIDNAo_KAUgcNtk07wfrvGRB-rUL96q5PJBFKc9Iv7yqoQPSiIHnXGurBYAtlwOjA12Wa3HhLqRfTiK5tV7owm9D6gKHaoYdsVDREoTOAQRjnN7dAxvqlopOiRb_f8kh2CDIkB2cc5D2V21-LIFnb3iTWbgAMoWREw/w640-h360/Z.png" title="Magnet Virtual Summit CTF Live Commentary!" width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><br /><span style="font-size: large;"><br /></span></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
If you're going to play the Magnet Virtual CTF, or just want to watch as others do, then join:<br />
<br />
</span><ul style="text-align: left;">
<li><span style="font-family: Noto Sans JP; font-size: large;">Brian Moran - Famous social media influencer and well known campaign manager </span></li>
<li><span style="font-family: Noto Sans JP; font-size: large;">Matthew Seyer - Master of rabbits, maker of beards and eater of tacos</span></li>
<li><span style="font-family: Noto Sans JP; font-size: large;">Myself</span></li>
</ul>
<div><span style="font-family: Noto Sans JP; font-size: large;">
As we provide live commentary digging deep into the questions, contestants and scores as we watch things heat up! Hopefully this will be a successful experiment!</span></div>
<div>
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div><span style="font-family: Noto Sans JP; font-size: large;">
So tune in if you're playing to see how your competitors are doing, or just tune in to see how it's going and ask questions to see how you would do!</span></div>
<div>
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div><span style="font-family: Noto Sans JP; font-size: large;">
You can watch live 5/12 at 4:30PM CDT (GMT -5) here:</span></div>
<div>
<a href="https://youtu.be/igLM_2bSAuw"><span style="font-family: Noto Sans JP; font-size: large;">https://youtu.be/igLM_2bSAuw</span></a></div><div><span style="font-family: Noto Sans JP;"><br /></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://www.hecfblog.com/2020/05/daily-blog-694-azcopy-and-sas-tokens.html" target="_blank">Also Read: </a><a href="https://www.hecfblog.com/2020/05/daily-blog-694-azcopy-and-sas-tokens.html" target="_blank">Daily Blog #694 - AZCopy and SAS Tokens</a></span></div>
</div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-62927984678997644322020-05-05T23:48:00.006-05:002023-07-05T15:25:25.232-05:00Daily Blog #694: AZCopy and SAS Tokens<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGKBELFT3sjJe_3qWUxR1sO1EM4VFiltAmvW9-z4SCF_dRwN8KINV_ByFVsOTwGGg08LuFXZqwrqGzdxoqcxLdvAfdIMPuykLUDAdOFAZqAZ7pJnaZ5Jawe0qDq0dG1idCDknQMH63wo06J822kp5W3lLM28IWEiHVVumzwCN-nghdYiooCm_PKG1CeA/s1280/fds.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img alt="security and convenience of AZCopy with SAS tokens." border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGKBELFT3sjJe_3qWUxR1sO1EM4VFiltAmvW9-z4SCF_dRwN8KINV_ByFVsOTwGGg08LuFXZqwrqGzdxoqcxLdvAfdIMPuykLUDAdOFAZqAZ7pJnaZ5Jawe0qDq0dG1idCDknQMH63wo06J822kp5W3lLM28IWEiHVVumzwCN-nghdYiooCm_PKG1CeA/w640-h360/fds.png" title="security and convenience of AZCopy with SAS tokens." width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
If you read #DFIR twitter daily (I mean, who doesn't!), then you likely saw this post by <a href="https://twitter.com/jordanbarth">Jordan Barth</a><br /><br />
<br />
<br />
</span><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQflihVl_yXz-lCir0-4ecxmb33TkTU7wTeVG4j0g3veLg1oMzkeFY_twO9fzyzFv6smyUB8SQo6bMzbXFbnjG-rJP69L9flgHQhzpK-islR_pUxnhH15v4r-Rq2AlZcUBxHO9LsQwqfk/s1600/azcopy.PNG" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="security and convenience of AZCopy with SAS tokens." border="0" data-original-height="165" data-original-width="487" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQflihVl_yXz-lCir0-4ecxmb33TkTU7wTeVG4j0g3veLg1oMzkeFY_twO9fzyzFv6smyUB8SQo6bMzbXFbnjG-rJP69L9flgHQhzpK-islR_pUxnhH15v4r-Rq2AlZcUBxHO9LsQwqfk/w640-h216/azcopy.PNG" title="security and convenience of AZCopy with SAS tokens." width="640" /></span></a></div>
<span style="font-family: Noto Sans JP; font-size: large;"><br />
<br />
Let me explain what Jordan's talking about and why you should care if you're doing DFIR in Azure.<br />
<br />
Full disclosure Jordan is a fellow KPMGer and he knows his Azure.<br />
<br />
So first, AZCopy is a utility created by Microsoft for moving data to or from Azure. You can read more about it here: <a href="https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10">https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10</a><br />
<br />
Second, SAS URLs or SAS tokens (Shared Access Signature tokens) allow you to provide access to a resource with a single URL rather than providing login credentials. This lets you take, say, a compromised VHD and provide read-only access to it even if:<br />
1. You're not in the same subscription/tenant<br />
2. You're not in the same organization<br />
3. You don't have an account in that tenant<br />
<br />
Just like in Google Docs, where you can provide an 'edit' or 'view' link to others without adding them to your account, you can do the same with Azure resources. This allows you to quickly give, say, an IR tenant read-only access to your production tenant without tipping off an attacker that anything has happened or starting up new instances in the compromised environment.<br />
<br />
What Jordan is talking about, though, is not the security and convenience of AZCopy with SAS tokens, but rather the speed you will get when you make use of the Azure API rather than the browser. I'm sure copies made within Azure itself are even faster.<br />
<br />
So make sure you know your cloud environment and start getting things in place to allow you to test and simulate incidents before you need them!</span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">Also Read: <a href="https://www.hecfblog.com/2020/05/daily-blog-693-patent-powered.html">Daily Blog #693</a></span></div>
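As an added example, not code from the post or from Microsoft, here is a Python pre-flight check that a SAS URL grants only the read-only, HTTPS-only, time-bound access described above before it leaves your tenant; the storage account, path, times and signature values are constructed placeholders.

```python
"""Pre-flight check for an Azure SAS URL before it is shared (added example).

A SAS URL is a bearer credential: anyone holding it has whatever access the
token grants until it expires. Before giving one to another tenant (for
example an IR tenant), confirm it is HTTPS-only, read-only and short-lived.
Parameter names (sv, sp, st, se, spr, sig) are the documented SAS query
parameters; the account, path and signature below are constructed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Permission letters acceptable for evidence hand-off: read (r) and list (l).
READ_ONLY_PERMS = {"r", "l"}

# Constructed sample URLs (not a real account or signature).
GOOD_SAS = ("https://evidence.blob.core.windows.net/images/compromised.vhd"
            "?sv=2019-12-12&sp=rl&st=2020-05-06T00:00:00Z&se=2020-05-06T12:00:00Z"
            "&spr=https&sig=abc123")
BAD_SAS = ("https://evidence.blob.core.windows.net/images/compromised.vhd"
           "?sv=2019-12-12&sp=racwdl&se=2021-05-06T00:00Z&sig=abc123")

# Constructed "current time" values used by the demo below.
CHECK_TIME = datetime(2020, 5, 6, 1, 0, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2020, 5, 7, 0, 0, tzinfo=timezone.utc)


def sas_params(url):
    """Split a SAS URL into (scheme, netloc, path, {query param: value})."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc, parts.path, dict(parse_qsl(parts.query))


def parse_sas_time(value):
    """SAS times are ISO 8601 UTC; seconds are optional (2020-05-06T00:00Z)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")


def check_sas_url(url, now=None, max_lifetime=timedelta(hours=24)):
    """Return a list of findings; an empty list means the SAS is OK to share."""
    now = now or datetime.now(timezone.utc)
    findings = []
    scheme, _, _, p = sas_params(url)

    if scheme != "https":
        findings.append("URL scheme is not https")
    if "sig" not in p or "sv" not in p:
        findings.append("missing sig/sv: this does not look like a SAS URL")

    perms = set(p.get("sp", ""))
    extra = perms - READ_ONLY_PERMS
    if not perms:
        findings.append("no permissions (sp) set")
    elif extra:
        findings.append("grants more than read/list: " + "".join(sorted(extra)))

    # spr restricts the protocol; when it is absent, plain HTTP is also accepted.
    if p.get("spr") != "https":
        findings.append("spr is not https-only")

    if "se" not in p:
        findings.append("no expiry (se) set")
    else:
        expiry = parse_sas_time(p["se"])
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - now > max_lifetime:
            findings.append(f"expires in {expiry - now}, longer than {max_lifetime}")
    return findings


def redact_sas_url(url):
    """Replace the signature so the URL can go into a ticket or case note safely."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "sig" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    for url in (GOOD_SAS, BAD_SAS):
        print(redact_sas_url(url))
        print("  ", check_sas_url(url, now=CHECK_TIME) or ["OK to share"])
```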
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-28188827488477635262020-05-04T23:20:00.005-05:002023-07-05T15:25:38.187-05:00Daily Blog #693: Patent Powered<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4ZQemyPaQqh4LfXJtoV-A1P5JcfYj1DMYvUtwwaM0MQ6-Wa0sVmw2ogsLeTC-jheeX-l_hjgSO9LP0Z3pKnABz6zohTW7He_nYkOxsI4zqtrohDFk2W4tQv1xFqtBwUgeVaqQuMzFk2CUP5i5QBvgRyk7CPTEVjss9jdku9Rrm9dB0ar_LLLharWrzw/s1280/fa%20.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img alt="patent by David Cowen on on the idea behind anjp aka triforce." border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4ZQemyPaQqh4LfXJtoV-A1P5JcfYj1DMYvUtwwaM0MQ6-Wa0sVmw2ogsLeTC-jheeX-l_hjgSO9LP0Z3pKnABz6zohTW7He_nYkOxsI4zqtrohDFk2W4tQv1xFqtBwUgeVaqQuMzFk2CUP5i5QBvgRyk7CPTEVjss9jdku9Rrm9dB0ar_LLLharWrzw/w640-h360/fa%20.png" title="patent by David Cowen on on the idea behind anjp aka triforce." width="640" /></span></a></div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
Many years ago, seven to be precise, I wrote all the way back in Daily Blog #53 that we filed a patent on the idea behind anjp aka triforce. You can read that here:<br />
<br /><a href="https://www.hecfblog.com/2013/08/daily-blog-53-triforce-is-now-patent.html">
https://www.hecfblog.com/2013/08/daily-blog-53-triforce-is-now-patent.html<br /></a>
<br />
Well, 7 years later in 2020 the patent got issued! You can read it here:<br />
<a href="http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PTXT&s1=cowen.INNM.&OS=IN/cowen&RS=IN/cowen">http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PTXT&s1=cowen.INNM.&OS=IN/cowen&RS=IN/cowen</a><br />
<br />
<a href="https://pdfpiw.uspto.gov/.piw?Docid=10628263&homeurl=http%3A%2F%2Fpatft.uspto.gov%2Fnetacgi%2Fnph-Parser%3FSect1%3DPTO2%2526Sect2%3DHITOFF%2526p%3D1%2526u%3D%25252Fnetahtml%25252FPTO%25252Fsearch-bool.html%2526r%3D1%2526f%3DG%2526l%3D50%2526co1%3DAND%2526d%3DPTXT%2526s1%3Dcowen.INNM.%2526OS%3DIN%2Fcowen%2526RS%3DIN%2Fcowen&PageNum=&Rtype=&SectionNum=&idkey=NONE&Input=View+first+page">https://pdfpiw.uspto.gov/.piw?Docid=10628263&homeurl=http%3A%2F%2Fpatft.uspto.gov%2Fnetacgi%2Fnph-Parser%3FSect1%3DPTO2%2526Sect2%3DHITOFF%2526p%3D1%2526u%3D%25252Fnetahtml%25252FPTO%25252Fsearch-bool.html%2526r%3D1%2526f%3DG%2526l%3D50%2526co1%3DAND%2526d%3DPTXT%2526s1%3Dcowen.INNM.%2526OS%3DIN%2Fcowen%2526RS%3DIN%2Fcowen&PageNum=&Rtype=&SectionNum=&idkey=NONE&Input=View+first+page</a><br />
<br />
So there you go, it may have taken 7 years but it's a thing now! I thought it may never happen but there you go. </span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://www.hecfblog.com/2020/05/daily-blog-692.html">Also Read: Daily Blog #692</a></span></div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-72919376798844856652020-05-03T00:31:00.004-05:002023-07-05T15:25:55.798-05:00Daily Blog #692: Sunday Funday 5/3/20 - KnowledgeC on iOS Challenge <div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEit3aKr7738PG4T_-FrMO6c8h2YFhcHfEvggD235kIy7XB2fD706fzclWphWMwiigeuJnmNXf-8Z5oqAHR-57kCOOiej2iesDZIfLhavujr9o-OC8YGpkIgn84_sFthZEbpWauKZbLV1vfMO99Di9GPrhYiFj8Rc_8pQCa29VZDepAI80cnJQuZQJOQ/s640/SF.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img alt="KnowledgeC on iOS Challenge" border="0" data-original-height="360" data-original-width="640" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEit3aKr7738PG4T_-FrMO6c8h2YFhcHfEvggD235kIy7XB2fD706fzclWphWMwiigeuJnmNXf-8Z5oqAHR-57kCOOiej2iesDZIfLhavujr9o-OC8YGpkIgn84_sFthZEbpWauKZbLV1vfMO99Di9GPrhYiFj8Rc_8pQCa29VZDepAI80cnJQuZQJOQ/w640-h360/SF.png" title="KnowledgeC on iOS Challenge" width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><span style="font-size: large;"><br /></span></span></div>
<span style="font-family: Noto Sans JP; font-size: large;">Hello Reader,<br />
Another week of fun and challenges! I'm really enjoying seeing all of you get into this and hope I find more time this week myself to do more testing. Let's face it most of us are still at home, so why not turn some of your downtime into DFIR research time! This week we move over to MacOS aka OSX. <br />
<br />
<b style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">The Prize:</b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><span style="color: #616161;"><b><br /></b></span>
<span style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">$100 Amazon Gift Card</span><br />
An appearance on the following week's Forensic Lunch!<br />
<br style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;" />
<b style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">The Rules:</b><br />
<br />
</span><ol style="box-sizing: border-box; line-height: 1.6em; margin: 0px; padding: 0px 0px 0px 50px; position: relative;">
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">You must post your answer before Friday 5/9/20 7PM CST (GMT -5)</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">The most complete answer wins</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">You are allowed to edit your answer after posting</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">If two answers are too similar for one to win, the one with the earlier posting time wins</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">Be specific and be thoughtful</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">Anonymous
entries are allowed, please email them to dlcowen@gmail.com. Please
state in your email if you would like to be anonymous or not if you win.</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post</span></li>
</ol>
<div style="box-sizing: border-box; position: relative;">
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><br style="box-sizing: border-box; position: relative;" /></span></b></div>
<div style="box-sizing: border-box; position: relative;">
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><br style="box-sizing: border-box; position: relative;" /></span></b></div>
<span style="font-family: Noto Sans JP; font-size: large;"><b style="box-sizing: border-box; line-height: 17.28px; position: relative;">The Challenge:</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">KnowledgeC on iOS is a jam-packed knowledge resource, but on OSX it seems to be less used. </b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">1. What does each table in the KnowledgeC database correspond to, activity-wise?</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">2. What data is logged in each table</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">3. What data is not logged</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">4. Is there a similar datasource that would fill in the gaps?</b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><br /></b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><a href="https://www.hecfblog.com/2020/05/daily-blog-691-solution-saturday-5220.html">Also Read: Daily Blog #691 </a></b></span></div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-27351600201932693542020-05-02T08:34:00.004-05:002023-07-05T15:26:19.897-05:00Daily Blog #691: Solution Saturday 5/2/20 - Magnet DFIR CTF Winner<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjBSRhCoJPdiR6_VpmaGBIxe9fQM2suM4Kyt0G4J3Oio1UpAKH9yJ9uRr5CeuC2rdV4dBGKYNSNG3a28O92gNUkCQSKVswvVnX8thkc1rt2Sb2RDrCmIasjCrV80bNMqnDj5KUkcM0QM8lXws5p0VqP4S59gIsna-oa7RVL2DT2KM1dJic0kKKoRWw5w/s640/SS.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img alt="Magnet DFIR CTF Winner" border="0" data-original-height="360" data-original-width="640" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjBSRhCoJPdiR6_VpmaGBIxe9fQM2suM4Kyt0G4J3Oio1UpAKH9yJ9uRr5CeuC2rdV4dBGKYNSNG3a28O92gNUkCQSKVswvVnX8thkc1rt2Sb2RDrCmIasjCrV80bNMqnDj5KUkcM0QM8lXws5p0VqP4S59gIsna-oa7RVL2DT2KM1dJic0kKKoRWw5w/w640-h360/SS.png" title="Magnet DFIR CTF Winner" width="640" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
This week a previous winner stepped up to the challenge. Not only have they won a Sunday Funday before, but they are also a Magnet DFIR CTF winner! This week Kevin Pagano stepped up and brought in the win with a good bit of research!<br />
<br />
</span><div>
<span style="font-family: Noto Sans JP; font-size: large;"><b style="box-sizing: border-box; line-height: 17.28px; position: relative;">The Question:</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">Windows Timeline is an amazing source of user data, however like all things it has limitations. Answer the following questions:</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">1. How long before an action is taken before it is committed to the Windows Timeline database</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">2. What process and/or service creates the events</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">3. What call do developers need to make to support it</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">4. What is excluded?</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">5. When do events get removed?</b></span></div>
<span style="font-family: Noto Sans JP; font-size: large;"><br />
The Winning Answer:<br />
<a href="https://twitter.com/KevinPagano3">Kevin Pagano </a><br />
<br />
<br />
</span><div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b style="box-sizing: border-box; line-height: 17.28px;"><span style="color: black; font-family: Noto Sans JP; font-size: large;">Windows Timeline is an amazing source of user data, however like all things it has limitations. Answer the following questions:</span></b></div>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="color: black; font-family: Noto Sans JP; font-size: large;"><b><br style="box-sizing: border-box;" /></b><b style="box-sizing: border-box; line-height: 17.28px;">1. How long before an action is taken before it is committed to the Windows Timeline database</b></span></div>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b><span style="color: black; font-family: Noto Sans JP; font-size: large;"><br /></span></b></div>
<blockquote style="-webkit-text-stroke-width: 0px; background-color: white; border: none; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px 0px 0px 40px; orphans: 2; padding: 0px; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div>
<b><span style="color: black; font-family: Noto Sans JP; font-size: large;">Almost instantly it seems, when running KAPE to test parsing the DB file, it actually wrote the kape.exe as the latest interaction.</span></b></div>
</blockquote>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="color: black; font-family: Noto Sans JP; font-size: large;"><b><br style="box-sizing: border-box;" /></b><b style="box-sizing: border-box; line-height: 17.28px;">2. What process and/or service creates the events</b></span></div>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b style="box-sizing: border-box; line-height: 17.28px;"><span style="color: black; font-family: Noto Sans JP; font-size: large;"><br /></span></b></div>
<blockquote style="-webkit-text-stroke-width: 0px; background-color: white; border: none; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px 0px 0px 40px; orphans: 2; padding: 0px; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div>
<b style="box-sizing: border-box; line-height: 17.28px;"><span style="color: black; font-family: Noto Sans JP; font-size: large;">SVCHOST populates events into the ActivitiesCache database files. We can see a bunch of locks/unlocks through ProcMon:</span></b></div>
</blockquote>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b style="box-sizing: border-box; line-height: 17.28px;"><span style="color: black; font-family: Noto Sans JP; font-size: large;"><br /></span></b></div>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b style="box-sizing: border-box; line-height: 17.28px;"><span style="font-family: Noto Sans JP; font-size: large;"><div><br /></div>
</span></b></div>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="color: black; font-family: Noto Sans JP; font-size: large;"><b><br style="box-sizing: border-box;" /></b><b style="box-sizing: border-box; line-height: 17.28px;">3. What call do developers need to make to support it</b></span></div>
<blockquote style="-webkit-text-stroke-width: 0px; background-color: white; border: none; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px 0px 0px 40px; orphans: 2; padding: 0px; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div>
<span style="color: black; font-family: Noto Sans JP; font-size: large;">Microsoft breaks this down in pretty good detail:</span></div>
</blockquote>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="color: black; font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<blockquote style="-webkit-text-stroke-width: 0px; background-color: white; border: none; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px 0px 0px 40px; orphans: 2; padding: 0px; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div>
<span style="font-family: Noto Sans JP; font-size: large;"><a href="https://blogs.windows.com/windowsdeveloper/2017/12/19/application-engagement-windows-timeline-user-activities/" target="_blank">https://blogs.windows.com/windowsdeveloper/2017/12/19/application-engagement-windows-timeline-user-activities/</a> </span></div>
<div>
<span style="color: black; font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div>
<span style="color: black; font-family: Noto Sans JP; font-size: large;">It uses the UserActivity API class object pulling in ActivityID, ActivationUri, and DisplayText as the minimum set. They also show all the code that is needed to add activities and adaptive cards to the Timeline. I am in no way a developer so this is all Greek to me.</span></div>
</blockquote>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="color: black; font-family: Noto Sans JP; font-size: large;"><b><br style="box-sizing: border-box;" /></b><b style="box-sizing: border-box; line-height: 17.28px;">4. What is excluded?</b></span></div>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b style="box-sizing: border-box; line-height: 17.28px;"><span style="color: black; font-family: Noto Sans JP; font-size: large;"><br /></span></b></div>
<blockquote style="-webkit-text-stroke-width: 0px; background-color: white; border: none; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px 0px 0px 40px; orphans: 2; padding: 0px; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div>
<b style="box-sizing: border-box; line-height: 17.28px;"><span style="color: black; font-family: Noto Sans JP; font-size: large;">Applications that have activities that don't support using the API above won't be included in the GUI, but they are still written to the DB file. </span></b></div>
</blockquote>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="color: black; font-family: Noto Sans JP; font-size: large;"><b><br style="box-sizing: border-box;" /></b><b style="box-sizing: border-box; line-height: 17.28px;">5. When do events get removed?</b> </span></div>
<blockquote style="-webkit-text-stroke-width: 0px; background-color: white; border: none; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px 0px 0px 40px; orphans: 2; padding: 0px; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div>
<span style="font-family: Noto Sans JP; font-size: large;">From Microsoft's site, items will be stored for up to 30 days (<a data-saferedirecturl="https://www.google.com/url?q=https://support.microsoft.com/en-us/help/4230676/windows-10-get-help-with-timeline&source=gmail&ust=1588512629689000&usg=AFQjCNFQi5LRmYbAXJHvq0L7WxoDlULi6g" href="https://support.microsoft.com/en-us/help/4230676/windows-10-get-help-with-timeline" target="_blank">https://support.microsoft.<wbr></wbr>com/en-us/help/4230676/<wbr></wbr>windows-10-get-help-with-<wbr></wbr><span class="il">timeline</span></a>), where after I assume they are deleted out of the database. There may be potential events you can recover from SQL slack. The user can also remove items as they see fit but they might not be purged until the Expiration Time is up for each entry.</span></div>
<div>
<span style="color: black; font-family: Noto Sans JP; font-size: large;"><br /></span></div>
</blockquote>
<blockquote style="-webkit-text-stroke-width: 0px; background-color: white; border: none; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px 0px 0px 40px; orphans: 2; padding: 0px; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div>
<span style="color: black; font-family: Noto Sans JP; font-size: large;">Parsing using Eric Zimmerman's WxTCmd, we can see this is true.</span></div></blockquote><p><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></p><p><a href="https://www.hecfblog.com/2020/05/daily-blog-690-forensic-lunch-5120-oleg.html" target="_blank"><span style="font-family: Noto Sans JP; font-size: large;">Also Read: Daily Blog #690 </span></a></p>
<span style="-webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: Noto Sans JP; font-size: large; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><div>
<span face="arial, sans-serif" style="color: black;"><br /></span></div>
</span><div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></div>
</div>
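<p>The submission above notes that Timeline entries carry an Expiration Time roughly 30 days out and that removed items may linger in the database until that time passes. The following is an added example, not part of the Sunday Funday submission and not WxTCmd: it builds a small, constructed SQLite table shaped like the Activity table of ActivitiesCache.db (the column names Id, AppId, StartTime, LastModifiedTime and ExpirationTime, the Unix-epoch-second timestamps and the AppId JSON layout are assumed from the real database; every row is invented) and reports each entry's retention window plus the rows that are past expiration but still present in the file.</p>

```python
"""Check Windows Timeline (ActivitiesCache.db) entries against the 30-day expiry.

Added example; not the Sunday Funday submission's method and not WxTCmd.
The Activity table below is a constructed, simplified stand-in for the real
one: column names, epoch-second timestamps and the AppId JSON format are
assumptions about ActivitiesCache.db, and every row is invented.
"""
import json
import sqlite3
from datetime import datetime, timezone

DAY = 86400  # seconds in a day; Timeline stores epoch seconds (assumed)


def epoch_seconds(year, month, day, hour=0):
    """UTC calendar date to Unix epoch seconds (helper for the sample data)."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())


def build_sample_db():
    """In-memory Activity table with constructed rows (assumed schema subset)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Activity ("
        " Id BLOB PRIMARY KEY, AppId TEXT, StartTime INTEGER,"
        " LastModifiedTime INTEGER, ExpirationTime INTEGER)"
    )
    base = epoch_seconds(2020, 4, 1, 12)
    rows = [
        # (Id, AppId, StartTime, LastModifiedTime, ExpirationTime) - constructed
        (b"\x01" * 16, '[{"application": "notepad.exe", "platform": "x_exe_path"}]',
         base, base, base + 30 * DAY),
        (b"\x02" * 16, '[{"application": "winword.exe", "platform": "x_exe_path"}]',
         base + 10 * DAY, base + 10 * DAY, base + 40 * DAY),
        (b"\x03" * 16, '[{"application": "chrome.exe", "platform": "x_exe_path"}]',
         base + 20 * DAY, base + 21 * DAY, base + 50 * DAY),
    ]
    con.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?, ?)", rows)
    con.commit()
    return con


def app_name(app_id):
    """Pull the application field out of the AppId JSON array (format assumed)."""
    try:
        entries = json.loads(app_id)
        return entries[0].get("application", "<unknown>") if entries else "<unknown>"
    except (ValueError, AttributeError, IndexError):
        return app_id


def list_activities(con, now_epoch):
    """One dict per row: decoded times, retention window in days, expired flag."""
    out = []
    query = ("SELECT Id, AppId, StartTime, LastModifiedTime, ExpirationTime"
             " FROM Activity ORDER BY StartTime")
    for rid, app_id, start, modified, expires in con.execute(query):
        out.append({
            "id": rid.hex(),
            "app": app_name(app_id),
            "start": datetime.fromtimestamp(start, tz=timezone.utc),
            "modified": datetime.fromtimestamp(modified, tz=timezone.utc),
            "expires": datetime.fromtimestamp(expires, tz=timezone.utc),
            "retention_days": (expires - start) / DAY,
            "expired": expires <= now_epoch,
        })
    return out


def expired_but_present(con, now_epoch):
    """Rows still in the file whose ExpirationTime has passed.

    These are the entries Windows should purge; while they remain they are
    recoverable with a plain SQL query, and after purge only SQLite slack is left.
    """
    return [a for a in list_activities(con, now_epoch) if a["expired"]]


if __name__ == "__main__":
    db = build_sample_db()
    now = epoch_seconds(2020, 5, 5)  # pretend examination time
    for act in list_activities(db, now):
        flag = "EXPIRED" if act["expired"] else "live"
        print(f"{act['app']:<14} start={act['start']:%Y-%m-%d %H:%M} "
              f"expires={act['expires']:%Y-%m-%d %H:%M} "
              f"retention={act['retention_days']:.0f}d {flag}")
```

Against a real ActivitiesCache.db the same queries apply once the connection points at the file (open a copy, never the original), and the retention_days column is the quick check that the 30-day window holds for the build under examination.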
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-41836621335738198232020-05-01T13:56:00.002-05:002023-07-05T15:26:34.469-05:00Daily Blog #690: Forensic Lunch 5/1/20 - Oleg Skulkin (FeatureUsage), Brian Marks (Office 365) , Lee Whitfield (Forensic 4Cast Nomations)<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidouOLzDUXuiqKnYnoNTzXnpbd0e3X_KEVF7B1_YOEZwk0wEBAe_bgrI54-wwnLp2oCYTwsmXvzjG-Rb3xCGrJCY62oWWyQ4vFjKNh8TwMnHFoeoBLffGxk7_fdowmRPRvIlE6xEeO6w8r_H00Dt7OULW6zptZWHPjTINHL-5Rsoq2jrrgcsO03daeAw/s1278/Forensic%20Lunch.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img border="0" data-original-height="719" data-original-width="1278" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidouOLzDUXuiqKnYnoNTzXnpbd0e3X_KEVF7B1_YOEZwk0wEBAe_bgrI54-wwnLp2oCYTwsmXvzjG-Rb3xCGrJCY62oWWyQ4vFjKNh8TwMnHFoeoBLffGxk7_fdowmRPRvIlE6xEeO6w8r_H00Dt7OULW6zptZWHPjTINHL-5Rsoq2jrrgcsO03daeAw/w640-h360/Forensic%20Lunch.png" width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><br /><span style="font-size: large;"><br /></span></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
This week the Forensic Lunch went into Overtime! We went a full 25 minutes over the usual hour because we had so much to talk about. On this week's show:<br />
<br />
</span><ul>
<li><span style="font-family: Noto Sans JP; font-size: large;">Matt Seyer (<a href="https://twitter.com/forensic_matt">@forensic_matt</a>) talked all about the etl parser and monitor he's working on in Rust! <a href="https://github.com/forensicmatt/RsWindowsThingies">https://github.com/forensicmatt/RsWindowsThingies</a></span></li>
<li><span style="font-family: Noto Sans JP; font-size: large;">Oleg Skulkin (<a href="https://twitter.com/oskulkin">@oskulkin</a>) talked about how he approaches Sunday Fundays (he's won 3!) and about his new blog post about the Windows FeatureUsage artifact. <a href="https://www.group-ib.com/blog/featureusage">https://www.group-ib.com/blog/featureusage</a></span></li>
<li><span style="font-family: Noto Sans JP; font-size: large;">Brian Marks (<a href="https://twitter.com/brianDFIR">@briandfir</a>) talked about how the Office365 UAL MailboxItemsAccessed Audit event works and what the entry details mean </span></li>
<li><span style="font-family: Noto Sans JP; font-size: large;">Lee Whitfield (<a href="https://twitter.com/lee_whitfield">@lee_whitfield</a> ) talked through the Forensic 4Cast Awards nominations that end in two weeks, and Matt and I gave who we will be nominating. <a href="https://forensic4cast.com/2020/02/2020-forensic-4cast-awards-nominations-are-open/">https://forensic4cast.com/2020/02/2020-forensic-4cast-awards-nominations-are-open/</a></span></li>
</ul>
<span style="font-family: Noto Sans JP; font-size: large;"><br /><br />
</span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">You can watch the video here:<br />
<a href="https://youtu.be/g-CajSYPzYY">https://youtu.be/g-CajSYPzYY</a><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://www.hecfblog.com/2020/04/daily-blog-689-feature-usage-from-oleg.html">Also Read: Daily Blog #689</a></span></div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-14339459004065045582020-04-30T23:52:00.004-05:002023-08-10T15:54:54.857-05:00Daily Blog #689: Feature Usage from Oleg Skulkin <div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI9jZziIQH5gy4Q73WTfVMvGbWhAm0vixwEgxMRDNG5zTPTR4mowVjxmQuo-lDx_X1PMGdgThjg9X1BF0G2O_aXYaM_pQ9WdLULCqee6JkgRm_M09mHK0kHI3JxFFlWVHqodTNO3cO0YKKUjuTL5-KLSdyU69Ig27rRX-Hj9p0t33Q1qpPGCYoGWIn2w/s1280/qw.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="Feature Usage from Oleg Skulkin" border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI9jZziIQH5gy4Q73WTfVMvGbWhAm0vixwEgxMRDNG5zTPTR4mowVjxmQuo-lDx_X1PMGdgThjg9X1BF0G2O_aXYaM_pQ9WdLULCqee6JkgRm_M09mHK0kHI3JxFFlWVHqodTNO3cO0YKKUjuTL5-KLSdyU69Ig27rRX-Hj9p0t33Q1qpPGCYoGWIn2w/w640-h360/qw.png" title="Feature Usage from Oleg Skulkin" width="640" /></span></a></div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><span>
Hello Reader,<br />
Tomorrow on the Forensic Lunch I've asked Oleg Skulkin to join. I mainly asked Oleg to join because he won last week's Sunday Funday contest, and this is a new thing I'm trying to start: having the prior winner come on and talk about what they did in their research. Well, in the meantime Oleg went ahead and posted some entirely new research unrelated to any Sunday Funday. Oleg found a new registry artifact called FeatureUsage which appears to track programs that you launch through the taskbar.<br />
<br />
Now this is conceivably not the only source of this data; it could overlap artifacts like AmCache, UserAssist, Shimcache and Prefetch. But what's interesting about this is that it's tracking a specific type of GUI execution, that being from the taskbar, which means you could potentially get additional times of execution. Maybe I'm missing something and I'll find out tomorrow when Oleg is on the Lunch at Noon CDT (UTC -5)!<br />
<br />
You can read Oleg's research here: <a href="https://www.group-ib.com/blog/featureusage">https://www.group-ib.com/blog/featureusage</a><br /></span>
<br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><span><a href="https://www.hecfblog.com/2020/04/daily-blog-688-how-to-make-aws-ebs.html">Also Read:</a><a href="https://www.hecfblog.com/2020/04/daily-blog-688-how-to-make-aws-ebs.html" target="_blank"> Daily Blog #688</a></span><a href="https://www.hecfblog.com/2020/04/daily-blog-688-how-to-make-aws-ebs.html" target="_blank"> - How to make AWS EBS Direct Block API Events appear in Cloudtrail</a></span></div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-51765469720831144722020-04-29T22:59:00.004-05:002023-07-05T15:27:10.670-05:00Daily Blog #688: How to make AWS EBS Direct Block API Events appear in Cloudtrail<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkDPXOrYux94fWTXsWYO9LgaxWL6_rqNjj27VNL-BiIvMrGBCO7V4Wpsn5V2sM16-fGVw5kB5_m7gffpw08YZGivo82cb0NRS0f-XZb0bhmsqfr9Oe1a0sfYRVFMXLMRC1EwM51_PhIuxKxfAbyVo-7_nX-qkRPvxACHLiJwY1ErtedmkMRaadqOKqog/s1280/SIX.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="How to make AWS EBS Direct Block API Events appear in Cloudtrail" border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkDPXOrYux94fWTXsWYO9LgaxWL6_rqNjj27VNL-BiIvMrGBCO7V4Wpsn5V2sM16-fGVw5kB5_m7gffpw08YZGivo82cb0NRS0f-XZb0bhmsqfr9Oe1a0sfYRVFMXLMRC1EwM51_PhIuxKxfAbyVo-7_nX-qkRPvxACHLiJwY1ErtedmkMRaadqOKqog/w640-h360/SIX.png" title="How to make AWS EBS Direct Block API Events appear in Cloudtrail" width="640" /></span></a></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
If you read the previous post you would know that in my testing with the AWS EBS Direct Block API I could not find any Cloudtrail logs written. Well, John Lukach has taken up the task of figuring out how to solve this by creating a role that the Python script can assume, which does generate the logs:<br />
<br />
<a href="https://cloud.4n6ir.com/posts/cloud-4n6ir-fun-2-detecting-api-access-to-ebs-content/index.html" target="_blank">https://cloud.4n6ir.com/posts/cloud-4n6ir-fun-2-detecting-api-access-to-ebs-content/index.html<br /></a>
<br />
While John has created the ability to log his own accesses to the API, I don't believe this will capture events from anyone else calling the API. So this is one step closer and a pretty neat workaround to capture events that would otherwise be missed, but not what I would consider a fix. </span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://www.hecfblog.com/2020/04/daily-blog-687-forensic-lunch-schedule.html" target="_blank">Also Read: Daily Blog #687</a></span></div>
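<p>Once the role-assumption trick (or any other route) gets EBS Direct Block API calls into CloudTrail, the investigator still has to find them among everything else in the trail. The following is an added example, not John Lukach's code, not the blog's and not an AWS tool: it filters a CloudTrail export for the ebs.amazonaws.com event source and reports, per snapshot, which principal read or wrote raw blocks and when. The records are constructed for this example (account id 123456789012, the role and user ARNs and the snapshot ids are placeholders), and the placement of snapshotId under requestParameters is an assumption that mirrors the API's input shape.</p>

```python
"""Triage a CloudTrail export for EBS Direct Block API activity.

Added example; not John Lukach's code, not the blog's and not an AWS tool.
The records are constructed (placeholder account 123456789012, ARNs and
snapshot ids); snapshotId under requestParameters is an assumption.
"""
import json

EBS_EVENT_SOURCE = "ebs.amazonaws.com"
# Read side of the direct block API: what pulling a snapshot image block by block looks like.
EBS_READ_EVENTS = {"ListSnapshotBlocks", "GetSnapshotBlock", "ListChangedBlocks"}
# Write side: creating a snapshot directly from blocks.
EBS_WRITE_EVENTS = {"StartSnapshot", "PutSnapshotBlock", "CompleteSnapshot"}

ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/ebs-reader/session1"  # placeholder
USER_ARN = "arn:aws:iam::123456789012:user/alice"                        # placeholder

# Constructed CloudTrail-style records, not a real export.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2020-04-29T20:01:11Z", "eventSource": EBS_EVENT_SOURCE,
     "eventName": "ListSnapshotBlocks", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"snapshotId": "snap-0000000000000aaaa", "maxResults": 1000}},
    {"eventTime": "2020-04-29T20:01:12Z", "eventSource": EBS_EVENT_SOURCE,
     "eventName": "GetSnapshotBlock", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"snapshotId": "snap-0000000000000aaaa", "blockIndex": 0}},
    {"eventTime": "2020-04-29T20:01:13Z", "eventSource": EBS_EVENT_SOURCE,
     "eventName": "GetSnapshotBlock", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"snapshotId": "snap-0000000000000aaaa", "blockIndex": 1}},
    {"eventTime": "2020-04-29T20:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSnapshots", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": USER_ARN},
     "requestParameters": {"snapshotSet": {"items": [{"snapshotId": "snap-0000000000000bbbb"}]}}},
    {"eventTime": "2020-04-29T20:03:30Z", "eventSource": EBS_EVENT_SOURCE,
     "eventName": "ListSnapshotBlocks", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": USER_ARN},
     "requestParameters": {"snapshotId": "snap-0000000000000bbbb"}},
]})


def load_records(raw_json):
    """Parse a CloudTrail log file body ({"Records": [...]})."""
    return json.loads(raw_json)["Records"]


def ebs_direct_events(records):
    """Keep only events from the EBS direct block API; ec2 metadata calls are not it."""
    return [r for r in records if r.get("eventSource") == EBS_EVENT_SOURCE]


def principal_of(record):
    """Caller ARN; for AssumedRole this names the role and session, not the human."""
    return record.get("userIdentity", {}).get("arn", "<unknown>")


def summarize_snapshot_access(records):
    """Group direct-block events by snapshot: who touched it, read/write counts, time span."""
    summary = {}
    for rec in ebs_direct_events(records):
        snap = rec.get("requestParameters", {}).get("snapshotId", "<unknown>")
        entry = summary.setdefault(snap, {"principals": set(), "reads": 0, "writes": 0,
                                          "blocks_read": 0, "first": None, "last": None})
        name = rec.get("eventName", "")
        if name in EBS_READ_EVENTS:
            entry["reads"] += 1
        elif name in EBS_WRITE_EVENTS:
            entry["writes"] += 1
        if name == "GetSnapshotBlock":
            entry["blocks_read"] += 1  # each call returns one block of raw content
        entry["principals"].add(principal_of(rec))
        when = rec.get("eventTime", "")  # ISO-8601 UTC strings sort lexicographically
        if entry["first"] is None or when < entry["first"]:
            entry["first"] = when
        if entry["last"] is None or when > entry["last"]:
            entry["last"] = when
    return summary


if __name__ == "__main__":
    for snap, info in summarize_snapshot_access(load_records(SAMPLE_CLOUDTRAIL)).items():
        print(f"{snap}: reads={info['reads']} blocks_read={info['blocks_read']} "
              f"writes={info['writes']} {info['first']}..{info['last']}")
        for arn in sorted(info["principals"]):
            print(f"    by {arn}")
```

The read/write split matters for the point of the post: a burst of GetSnapshotBlock calls against a snapshot is raw content leaving the account, whereas DescribeSnapshots on the ec2 side only touches metadata and is filtered out here.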
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-50062506897888828172020-04-28T23:55:00.003-05:002023-07-05T15:27:23.741-05:00Daily Blog #687: Forensic Lunch schedule for the next 4 weeks<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><span style="font-family: Noto Sans JP;"><br /></span></div></div><div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSQoFDMwEIisapOXrr-9Ccrt1DECExKfZKhLa5ZFwlbfBqEPzdIvu9y19fin1urWXQ4apUi2WbPbRXpxM_ajyGZPN54JCgAoLiWic-PKPpyhMuanpEw1YcFUZEIm4K4PtMdqigmCjCSEGm60odJgTvshjAXI26mIvdOrm-A9zFmvC2niJMZaCOlDuP8Q/s1278/Forensic%20Lunch.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img border="0" data-original-height="719" data-original-width="1278" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSQoFDMwEIisapOXrr-9Ccrt1DECExKfZKhLa5ZFwlbfBqEPzdIvu9y19fin1urWXQ4apUi2WbPbRXpxM_ajyGZPN54JCgAoLiWic-PKPpyhMuanpEw1YcFUZEIm4K4PtMdqigmCjCSEGm60odJgTvshjAXI26mIvdOrm-A9zFmvC2niJMZaCOlDuP8Q/w640-h360/Forensic%20Lunch.png" width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><br /><span style="font-size: large;"><br /></span></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
It's taking some work, but I'm lining up guests a month in advance now. Here is the schedule for the next four weeks so you can plan out what episodes you want to see.<br />
<br />
</span><table border="0" cellpadding="0" cellspacing="0" class="MsoNormalTable" style="border-collapse: collapse; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184; width: 635px;">
<tbody>
<tr style="height: 15pt; mso-yfti-firstrow: yes; mso-yfti-irow: 0;">
<td nowrap="" style="border: 1pt solid windowtext; height: 15pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 51pt;" valign="bottom" width="68"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<b><span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Date<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="border-left: none; border: 1pt solid windowtext; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 83pt;" valign="bottom" width="111"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<b><span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Guest 1<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="border-left: none; border: 1pt solid windowtext; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<b><span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Guest 2<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="border-left: none; border: 1pt solid windowtext; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<b><span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Guest 3<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="border-left: none; border: 1pt solid windowtext; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<b><span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Guest 4<o:p></o:p></span></b></div>
</td>
</tr>
<tr style="height: 15pt; mso-yfti-irow: 1;">
<td nowrap="" style="border-top: none; border: 1pt solid windowtext; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 51pt;" valign="bottom" width="68"><div align="right" class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: right;">
<b><span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">5/1/2020<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 83pt;" valign="bottom" width="111"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Brian Marks<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Lee Whitfield<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Oleg Skulkin<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
</td>
</tr>
<tr style="height: 15pt; mso-yfti-irow: 2;">
<td nowrap="" style="border-top: none; border: 1pt solid windowtext; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 51pt;" valign="bottom" width="68"><div align="right" class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: right;">
<b><span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">5/8/2020<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 83pt;" valign="bottom" width="111"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Cylance/Jim<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Jack Farley w/ MEAT<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Josh Brunty - Marshall<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Sunday Funday Winner<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 15pt; mso-yfti-irow: 3;">
<td nowrap="" style="border-top: none; border: 1pt solid windowtext; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 51pt;" valign="bottom" width="68"><div align="right" class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: right;">
<b><span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">5/15/2020<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 83pt;" valign="bottom" width="111"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">MVS CTF Winner<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Magnet<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Sunday Funday Winner<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
</td>
</tr>
<tr style="height: 15pt; mso-yfti-irow: 4; mso-yfti-lastrow: yes;">
<td nowrap="" style="border-top: none; border: 1pt solid windowtext; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 51pt;" valign="bottom" width="68"><div align="right" class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: right;">
<b><span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">5/22/2020<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 83pt;" valign="bottom" width="111"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Mike Cohen<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="color: black; font-family: Noto Sans JP; font-size: large; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;">Sunday Funday Winner<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
</td>
<td nowrap="" style="border-bottom: 1pt solid windowtext; border-left: none; border-right: 1pt solid windowtext; border-top: none; height: 15pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt; width: 114pt;" valign="bottom" width="152"><div class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
</td>
</tr>
</tbody></table>
<span style="font-family: Noto Sans JP; font-size: large;"><br />
</span><div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><span style="font-family: Noto Sans JP; font-size: large;">
Notice something new there? I thought it would be fun to invite the Sunday Funday winner from the prior week to come on the Lunch to talk about what they did. Oleg Skulkin was willing to be the first and hopefully not the last!<br />
<br />
<br />
All times will be Noon CDT (UTC -5), with the exception of 5/22/2020, when we will broadcast at 5PM CDT (UTC -5) to let Mike Cohen actually get some sleep.<br />
<br />
Remember if you want notifications subscribe to the Youtube channel to never miss a live broadcast: <a href="https://www.youtube.com/user/LearnForensics">https://www.youtube.com/user/LearnForensics</a><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><a href="https://www.hecfblog.com/2020/04/daily-blog-686-want-to-be-on-forensic.html"><span style="font-family: Noto Sans JP; font-size: large;">Also Read: Daily Blog #686</span></a></div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-33624791533940869662020-04-27T23:19:00.003-05:002023-07-05T15:27:48.145-05:00Daily Blog #686: Want to be on the Forensic Lunch?<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaFsIsTYwnnXpnXe4toD0h0s9arZjpqSHzdL6cvelqQhfclGsg4PVAkmPlIUOI68-u4-8lLXLbyJ2BxYaFPSr61GVTLiHs16lMuZLd989-enh5YtZxFhKNDcmwZ_FtvawHUl33r9PuGFrJ9Fk-7h1YDpcf_9x-xLF-GDa1zLennZlad_3pmGzX0Lu5lw/s1280/kk.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaFsIsTYwnnXpnXe4toD0h0s9arZjpqSHzdL6cvelqQhfclGsg4PVAkmPlIUOI68-u4-8lLXLbyJ2BxYaFPSr61GVTLiHs16lMuZLd989-enh5YtZxFhKNDcmwZ_FtvawHUl33r9PuGFrJ9Fk-7h1YDpcf_9x-xLF-GDa1zLennZlad_3pmGzX0Lu5lw/w640-h360/kk.png" width="640" /></span></a></div></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
Now that the Forensic Lunch is weekly, I'm trying to work extra hard to book guests in advance, which I maayyy have been lax about the last year or so. I'm now booked for the next 4 weeks, but I'm looking to find new voices, new research and new cool stuff that the community at large wants to see.<br />
<br />
So this is your chance. Been watching the Lunch for years? Always thought you had something to say? Email me at dlcowen@gmail.com with the subject Forensic Lunch Guest Request and let's get you scheduled and get the word out on what you're up to.<br />
<br />
Commercial Software Vendors Please Note:<br />
Commercial products are something I let on the Lunch when I personally feel that what they bring is novel and has value to the community at large. If you send me a product pitch I may need a lot more information before agreeing to have you on.<br />
<br />
Examples of past vendors:<br />
Guidance software<br />
Accessdata<br />
Magnet<br />
Atola<br />
Demisto<br />
Belkasoft<br />
<br />
I have turned away many others. Please know that even if you do come on, the public chat will want to ask questions you must be prepared to answer.</span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://www.hecfblog.com/2020/04/daily-blog-685-sunday-funday-42620.html" target="_blank">Also Read: Daily Blog #685</a></span></div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-46455485968796915802020-04-26T00:09:00.004-05:002023-07-05T15:28:05.849-05:00Daily Blog #685: Sunday Funday 4/26/20 - Windows Timeline Challenge <div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;"><span style="font-family: Noto Sans JP;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjopbnipcYzPYzg7ghm9OysVS3u4WGUq8HkySES6RYgh9_ZXADLtOY1il6hmIw0SY9ichrtEgD5v1aQfKbw8DG8RfazAS7QnjURBK8Em8uhpeooYh59ZXp1ryB5qjf7biwVDmS5ly3UUCP6w8lHi1aVJlzCJv9xPghhJG5r5Qk3r6hjpRt5z4op-OFzw/s640/SF.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img alt="Windows Timeline Challenge by David Cowen" border="0" data-original-height="360" data-original-width="640" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjopbnipcYzPYzg7ghm9OysVS3u4WGUq8HkySES6RYgh9_ZXADLtOY1il6hmIw0SY9ichrtEgD5v1aQfKbw8DG8RfazAS7QnjURBK8Em8uhpeooYh59ZXp1ryB5qjf7biwVDmS5ly3UUCP6w8lHi1aVJlzCJv9xPghhJG5r5Qk3r6hjpRt5z4op-OFzw/w640-h360/SF.png" title="Windows Timeline Challenge by David Cowen" width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><br /><span style="font-size: large;"><br />
<br />
Hello Reader,<br />
I hope you're enjoying the return of these weekly challenges. I've enjoyed seeing more people understand that there is so much we don't know and how together we can push things forward. This week we will continue that effort with a change in focus: let's talk about Windows Timeline before moving on to macOS next week. <br /><br />
<b style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">The Prize:</b></span></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><b style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;"><br /></b></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP;"><span style="font-size: large;">
<span face="arial, helvetica, sans-serif" style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">$100 Amazon </span></span><span style="background-color: white; color: #616161; font-size: x-large;">Giftcard</span></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
<br style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;" />
<b style="background-color: white; box-sizing: border-box; color: #616161; line-height: 17.28px; position: relative;">The Rules:</b><br /></span><div class="separator" style="clear: both; text-align: center;"><span style="font-family: Noto Sans JP;"><br /></span></div><span style="font-family: Noto Sans JP;"><br /></span><ol style="box-sizing: border-box; line-height: 1.6em; margin: 0px; padding: 0px 0px 0px 50px; position: relative;">
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">You must post your answer before Friday 5/1/20 7PM CST (GMT -5)</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">The most complete answer wins</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">You are allowed to edit your answer after posting</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">If two answers are too similar for one to win, the one with the earlier posting time wins</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">Be specific and be thoughtful</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">Anonymous
entries are allowed, please email them to dlcowen@gmail.com. Please
state in your email if you would like to be anonymous or not if you win.</span></li>
<li style="box-sizing: border-box; line-height: 1.6em; list-style: inherit; margin: 0px; padding: 0px 0px 0px 5px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;">In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post.</span></li>
</ol>
<div style="box-sizing: border-box; position: relative;">
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><br style="box-sizing: border-box; position: relative;" /></span></b></div>
<div style="box-sizing: border-box; position: relative;">
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><span style="font-family: Noto Sans JP; font-size: large;"><br style="box-sizing: border-box; position: relative;" /></span></b></div>
<div>
<span style="font-family: Noto Sans JP; font-size: large;"><b style="box-sizing: border-box; line-height: 17.28px; position: relative;">The Challenge:</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">Windows Timeline is an amazing source of user data, however like all things it has limitations. Answer the following questions:</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">1. How long after an action is taken is it committed to the Windows Timeline database?</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">2. What process and/or service creates the events</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">3. What call do developers need to make to support it</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">4. What is excluded?</b><br />
<b style="box-sizing: border-box; line-height: 17.28px; position: relative;">5. When do events get removed?</b></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><br /></b></span></div><div><span style="font-family: Noto Sans JP; font-size: large;"><b style="box-sizing: border-box; line-height: 17.28px; position: relative;"><a href="https://www.hecfblog.com/2020/04/daily-blog-684-solution-saturday-42520.html">Also Read: Daily Blog #684</a></b></span></div>
</div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-69165000230590838392020-04-25T15:49:00.005-05:002023-07-05T15:28:25.308-05:00Daily Blog #684: Solution Saturday 4/25/20 - ZOOM DFIR Challenge Winner<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhamnDfvDXa88vm73fs8NkJ_D-FnwF-82D6EUcuKRlnROWsHoW2lZcC0VK5vVUjjf4Hoe-JpX5b90Gt0ug8lsF9u31RISxceBT4gQTsKtkyE8h27CPmMfzAMI2azg0q5LfZsQoq5yrXBTUAQz4K3oQa-onxiGXvJG5ZxbiIdNQfsqttm2bB7mL2jvhpeA/s640/SS.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Noto Sans JP;"><img alt="ZOOM DFIR challenge." border="0" data-original-height="360" data-original-width="640" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhamnDfvDXa88vm73fs8NkJ_D-FnwF-82D6EUcuKRlnROWsHoW2lZcC0VK5vVUjjf4Hoe-JpX5b90Gt0ug8lsF9u31RISxceBT4gQTsKtkyE8h27CPmMfzAMI2azg0q5LfZsQoq5yrXBTUAQz4K3oQa-onxiGXvJG5ZxbiIdNQfsqttm2bB7mL2jvhpeA/w640-h360/SS.png" title="ZOOM DFIR challenge." width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><br /></span><div class="separator" style="clear: both; text-align: center;"><br /></div><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
Another week of competition has concluded and a victor has emerged. This week we continued with video conferencing artifacts, and Oleg Skulkin, with his sheer persistence every week, has pulled out the win!<br />
<br />
The Question:<br />
</span><div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Noto Sans JP; font-size: large;"><b>When looking at Zoom from a DFIR perspective:</b></span></div>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Noto Sans JP; font-size: large;"><b>1. Where are the artifacts?</b></span></div>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Noto Sans JP; font-size: large;"><b>2. What format are they in?</b></span></div>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Noto Sans JP; font-size: large;"><b>3. Can you recover chat history?</b></span></div>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: Noto Sans JP; font-size: large;"><b>4. Can you recover call history?</b></span></div>
<div style="-webkit-text-stroke-width: 0px; background-color: white; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b><span style="font-family: Noto Sans JP; font-size: large;">5. Anything else you can determine?</span></b></div>
<span style="font-family: Noto Sans JP; font-size: large;"><br />
The Winning Answer:<br />
Oleg Skulkin (<a href="https://twitter.com/oskulkin">@oskulkin</a>) <br />
<a href="https://cyberforensicator.com/">https://cyberforensicator.com/</a><br />
<br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="376">
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Mention"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Smart Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hashtag"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Unresolved Mention"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Smart Link"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->
<br />
</span><div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">Let’s start with
artifact locations. This time I used two devices for testing: a Windows laptop
and a macOS laptop.</span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">So, on Windows the
artifacts are stored under:</span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">C:\Users\%USERNAME%\AppData\Roaming\Zoom</span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">You can find the
following files and folders inside:</span></div>
<div class="MsoNormal"><span style="font-family: Noto Sans JP;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOqZ8jFnUt6O4h0IJhSCxsLAVFvAB2c2T1_LYaX2V8y1e7ZpQnl-mFq93xL8VVt23k1YrE5eCz9mULpsXNK-Ju96OJpQZNJzja6YQQaF3FS8G0NoN75oQjaEKbgfw-G5jpbcIxT4UOA3_DWST_9dcikV-mtZygTFe6CnWlOGFozGkhcOzUxe2Oq7EI7w/s495/One.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Noto Sans JP;"><img alt="ZOOM DFIR challenge." border="0" data-original-height="245" data-original-width="495" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOqZ8jFnUt6O4h0IJhSCxsLAVFvAB2c2T1_LYaX2V8y1e7ZpQnl-mFq93xL8VVt23k1YrE5eCz9mULpsXNK-Ju96OJpQZNJzja6YQQaF3FS8G0NoN75oQjaEKbgfw-G5jpbcIxT4UOA3_DWST_9dcikV-mtZygTFe6CnWlOGFozGkhcOzUxe2Oq7EI7w/w640-h316/One.png" title="ZOOM DFIR challenge." width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><br /></span><div class="MsoNormal"><span style="font-family: Noto Sans JP;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">The most interesting
folder here is <b style="mso-bidi-font-weight: normal;">data</b>. Here are its
contents:</span></div>
<div class="MsoNormal"><span style="font-family: Noto Sans JP;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGr0zCmkHC4GeuKPmwskF1WeNTc0rAsSKynruAbAnnCMMiSb9kd8QEds-8u8goRFG6A7nskDWwU1Q22sp0llaYPRxtc9ypM4Osdqwv5tdDKOFRe5I_LbI_oAQJXZsCUTGauwcH4MRDqzalHbMqzCXZAzxa4iUcSwKAghqQlzbJatu8gsF77mLQ_BWZng/s624/Two.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Noto Sans JP;"><img alt="ZOOM DFIR challenge." border="0" data-original-height="246" data-original-width="624" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGr0zCmkHC4GeuKPmwskF1WeNTc0rAsSKynruAbAnnCMMiSb9kd8QEds-8u8goRFG6A7nskDWwU1Q22sp0llaYPRxtc9ypM4Osdqwv5tdDKOFRe5I_LbI_oAQJXZsCUTGauwcH4MRDqzalHbMqzCXZAzxa4iUcSwKAghqQlzbJatu8gsF77mLQ_BWZng/w640-h252/Two.png" title="ZOOM DFIR challenge." width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><br /></span><div class="MsoNormal"><span style="font-family: Noto Sans JP;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">At first glance we can
see two DB files, which are SQLite databases, but unfortunately neither database
contains much useful information.</span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">The first, <b style="mso-bidi-font-weight: normal;">zoommeeting.db</b>, contains some info
about meetings, including timestamps stored as Unix epoch values:</span></div><div class="MsoNormal"><span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;"><br /></span></div>
<div class="MsoNormal"><span style="font-family: Noto Sans JP;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNT71bbB9qWuNeBmU9shsU3opk8wsM4GtaY21jH77oLc1c1WcPCUlWLD_E80tVS993XILClDh_I6pLfYbwMRcj4ftvvotn2d6yFKRDRAFBd_n2NK0Ddnc0xLmPYsviGdvUSM3ptmMA7QJnYbkYE-YwjAM94YdhlByq58pbraQ6BdUPKaeMwO3DiK9XxA/s624/Three.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Noto Sans JP;"><img alt="ZOOM DFIR challenge." border="0" data-original-height="139" data-original-width="624" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNT71bbB9qWuNeBmU9shsU3opk8wsM4GtaY21jH77oLc1c1WcPCUlWLD_E80tVS993XILClDh_I6pLfYbwMRcj4ftvvotn2d6yFKRDRAFBd_n2NK0Ddnc0xLmPYsviGdvUSM3ptmMA7QJnYbkYE-YwjAM94YdhlByq58pbraQ6BdUPKaeMwO3DiK9XxA/w640-h142/Three.png" title="ZOOM DFIR challenge." width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><br /></span><div class="MsoNormal"><span style="font-family: Noto Sans JP;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">The next database, <b style="mso-bidi-font-weight: normal;">zoomus.db</b>, should contain lots of juicy
artifacts, as, according to Procmon, zoom.exe interacted with it very often, but
in fact it’s almost empty. You can collect some general configuration
information from the <b style="mso-bidi-font-weight: normal;">zoom_kv</b> table. Another
table, <b style="mso-bidi-font-weight: normal;">zoom_conf_avatar_image_cache</b>,
contains paths to conference avatar images located in the same folder. One
more table, <b style="mso-bidi-font-weight: normal;">zoom_actions_logs</b>,
contains info about conference actions, for example screen sharing, audio
muting, etc. Other tables in my testing were empty. I tried to recover data using
multiple forensic tools as well as a hex viewer, but had no luck. It seems
Zoom doesn’t want to store anything due to recently uncovered security flaws. </span></div>
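<p>When a client database like zoommeeting.db or zoomus.db turns up mostly empty, the quickest way to confirm that (and to pull out whatever epoch timestamps are there) is to walk every table, count rows, and render any integer column that holds plausible Unix epoch values as UTC. The Python script below is an added example written for this post; it is not code from the original post or from Zoom. Because the real schema of the two databases is not reproduced here, it builds an in-memory SQLite database with constructed placeholder table and column names (sample_meetings, start_time, sample_empty) and runs the triage over that. The 2000–2100 plausibility window for epoch seconds is an assumption of this example.</p>

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample data for this example. The table and column names are
# placeholders chosen for illustration; they are NOT Zoom's real schema.
SAMPLE_ROWS = [
    ("sample_meeting_a", 1587000000),  # 2020-04-16T01:20:00+00:00
    ("sample_meeting_b", 1587744000),  # 2020-04-24T16:00:00+00:00
]

# Assumed plausibility window for Unix epoch seconds: 2000-01-01 to 2100-01-01 UTC.
EPOCH_MIN = 946684800
EPOCH_MAX = 4102444800


def build_sample_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for an artifact DB such as zoommeeting.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sample_meetings (name TEXT, start_time INTEGER)")
    conn.executemany("INSERT INTO sample_meetings VALUES (?, ?)", SAMPLE_ROWS)
    # Mimics the empty tables seen in zoomus.db during testing.
    conn.execute("CREATE TABLE sample_empty (id INTEGER, note TEXT)")
    conn.commit()
    return conn


def open_readonly(path: str) -> sqlite3.Connection:
    """Open a copied evidence database read-only so triage cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def quote_ident(name: str) -> str:
    """Double-quote an SQLite identifier taken from sqlite_master / PRAGMA output."""
    return '"' + name.replace('"', '""') + '"'


def looks_like_epoch(value) -> bool:
    """True for an integer inside the assumed epoch-seconds window."""
    return isinstance(value, int) and EPOCH_MIN <= value <= EPOCH_MAX


def epoch_to_iso(value: int) -> str:
    """Render epoch seconds as an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(value, tz=timezone.utc).isoformat()


def list_tables(conn: sqlite3.Connection) -> list:
    """Enumerate user tables from sqlite_master."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def triage(conn: sqlite3.Connection) -> dict:
    """Return {table: {"rows": n, "epoch_columns": {column: [iso timestamps]}}}.

    A column is reported as an epoch column only when every value in it is an
    integer inside the plausibility window, so text and NULL-bearing columns are skipped.
    """
    report = {}
    for table in list_tables(conn):
        q = quote_ident(table)
        row_count = conn.execute(f"SELECT COUNT(*) FROM {q}").fetchone()[0]
        columns = [c[1] for c in conn.execute(f"PRAGMA table_info({q})")]
        epoch_columns = {}
        for col in columns:
            values = [r[0] for r in conn.execute(f"SELECT {quote_ident(col)} FROM {q}")]
            if values and all(looks_like_epoch(v) for v in values):
                epoch_columns[col] = [epoch_to_iso(v) for v in values]
        report[table] = {"rows": row_count, "epoch_columns": epoch_columns}
    return report


if __name__ == "__main__":
    # Runs against the constructed sample; use open_readonly("zoommeeting.db")
    # on a forensic copy of the real file instead.
    for table, info in triage(build_sample_db()).items():
        print(f"{table}: {info['rows']} rows")
        for col, stamps in info["epoch_columns"].items():
            print(f"  {col} (epoch -> UTC): {', '.join(stamps)}")
```

<p>Two design points: identifiers come from sqlite_master and PRAGMA output, never from user input, and are still double-quoted so odd table names can’t break the query; and open_readonly() uses SQLite’s URI mode=ro so a triage run on a copied evidence file can’t modify it.</p>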
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">As for macOS,
artifacts are located under:</span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">/Users/%USERNAME%/Library/Application Support/zoom.us</span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">There are two folders
inside: <b style="mso-bidi-font-weight: normal;">data</b> and <b style="mso-bidi-font-weight: normal;">Plugins</b>.</span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">The data folder
contains the same databases as the Windows version – zoommeeting.db and zoomus.db,
also almost empty.</span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;">So? I couldn’t recover
either call or chat history. It probably needs much more testing.</span></div><div class="MsoNormal"><span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;"><br /></span></div><div class="MsoNormal"><span style="font-family: Noto Sans JP; font-size: large; mso-ansi-language: EN-US;"><a href="https://www.hecfblog.com/2020/04/daily-blog-683-forensic-lunch-42420.html">Also Read: Daily Blog #683</a></span></div>
</div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com1tag:blogger.com,1999:blog-1466903740262764947.post-85337150171736672252020-04-24T11:43:00.006-05:002023-08-10T15:55:34.342-05:00Daily Blog #683: Forensic Lunch 4/24/20 with the Google IR Team (GRR, Timesketch, Turbinia, DTTimewolf, More!)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwvzOlZalTe0b04O81H6kCOCra4LBKeOnM4rqmh26DkYPmZQxJa9AK4nSDL6UICzTU0GUpkgXEBX4Kq2RNNs9l3uNctihpntrGaKZA3w8AvRkCfCiwyhGPCCngdWs1nxozcunUqF7A1KH1ez4DaRGZ0w6gOde1RHXNMLoVR7vmyuLhvkUVWrr5R0imBA/s1278/Forensic%20Lunch.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img alt=": Forensic Lunch 4/24/20 with the Google IR Team (GRR, Timesketch, Turbinia, DTTimewolf, More!)" border="0" data-original-height="719" data-original-width="1278" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwvzOlZalTe0b04O81H6kCOCra4LBKeOnM4rqmh26DkYPmZQxJa9AK4nSDL6UICzTU0GUpkgXEBX4Kq2RNNs9l3uNctihpntrGaKZA3w8AvRkCfCiwyhGPCCngdWs1nxozcunUqF7A1KH1ez4DaRGZ0w6gOde1RHXNMLoVR7vmyuLhvkUVWrr5R0imBA/w640-h360/Forensic%20Lunch.png" title=": Forensic Lunch 4/24/20 with the Google IR Team (GRR, Timesketch, Turbinia, DTTimewolf, More!)" width="640" /></span></a></div><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
We had a jam-packed Forensic Lunch today with a portion of the Google IR team talking all about the open source tools they develop, use and support in their work at Google.<br />
<br />
<span face=""roboto" , "noto" , sans-serif"><span color="rgba(0 , 0 , 0 , 0.870588235294118)"><span style="white-space: pre-wrap;">Specifically we had:
</span></span></span><br />
</span><ul style="color: rgba(0, 0, 0, 0.87); text-align: left; white-space: pre-wrap;"><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span face=""roboto" , "noto" , sans-serif"><span color="rgba(0 , 0 , 0 , 0.87)" style="font-family: Noto Sans JP; font-size: large; white-space: pre-wrap;"><span color="rgba(0 , 0 , 0 , 0.87)">Mikhail Bushkov giving a big update on GRR </span><a href="https://github.com/google/grr" target="_blank">https://github.com/google/grr</a></span></span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;">Johan Berggren (<a href="https://twitter.com/jberggren" target="_blank">https://twitter.com/jberggren</a>) and Kristinn Gudjonsson (<a href="https://twitter.com/el_killerdwarf" target="_blank">https://twitter.com/el_killerdwarf</a>) talking about Timesketch and data science</span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span><ul><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://github.com/google/timesketch" target="_blank">https://github.com/google/timesketch</a></span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span></ul><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;">Aaron Peterson (<a href="https://twitter.com/aarontpeterson" target="_blank">https://twitter.com/aarontpeterson</a>) talking about Turbinia</span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span><ul><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://github.com/google/turbinia" target="_blank">https://github.com/google/turbinia</a></span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span></ul><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;">Thomas Chopitea (<a href="https://twitter.com/tomchop_" target="_blank">https://twitter.com/tomchop_</a>) talking about dfTimewolf</span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span><ul><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://github.com/log2timeline/dftimewolf" target="_blank">https://github.com/log2timeline/dftimewolf</a></span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span></ul><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;">Theo Giovanna talking about libcloudforensics, the library in cloud-forensics-utils</span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span><ul><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://github.com/google/cloud-forensics-utils/tree/master/libcloudforensics" target="_blank">https://github.com/google/cloud-forensics-utils/tree/master/libcloudforensics</a></span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span></ul><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;">Joachim Metz (<a href="https://twitter.com/joachimmetz" target="_blank">https://twitter.com/joachimmetz</a>) talking about Plaso, libfsntfs and libyal</span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span><ul><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;">Plaso: <a href="https://github.com/log2timeline/plaso" target="_blank">https://github.com/log2timeline/plaso</a></span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;">libfsntfs: <a href="https://github.com/libyal/libfsntfs" target="_blank">https://github.com/libyal/libfsntfs</a></span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span><li><span style="font-family: Noto Sans JP; font-size: large;">libyal: <a href="https://github.com/libyal" target="_blank">https://github.com/libyal</a></span></li><span style="font-family: Noto Sans JP; font-size: large;">
</span></ul><span style="font-family: Noto Sans JP; font-size: large;">
</span></ul><span style="font-family: Noto Sans JP; font-size: large;">
Join them on the Open Source DFIR Slack: https://join-open-source-dfir-slack.herokuapp.com/<br />
<br />
Read more about what they are doing on the Open Source DFIR Blog: <a href="https://osdfir.blogspot.com/" target="_blank">https://osdfir.blogspot.com/</a><br />
<br />
Watch the video below</span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div>
<span style="font-family: Noto Sans JP; font-size: large;"><iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/0yMGXlNTCl0" width="560"></iframe></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://www.hecfblog.com/2020/04/daily-blog-682-linux-kernel-patches-for.html" target="_blank">Also Read: Daily Blog #682 - Linux Kernel Patches for Safe Forensic Imaging</a></span></div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-74560706102602682232020-04-24T00:21:00.002-05:002023-07-05T15:29:01.638-05:00Daily Blog #682: Linux Kernel Patches for Safe Forensic Imaging<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMyqnH1zkX-I1hFsNhlZ3JQSxTwJPxoXPLjUH5cijlJgUFYvhA-WCz7g3qNH8HUo22MSnjC7A_0vXkpA1JznUMifqtgNUNfIc-QbkzBauu5csg70Kjtf3CtroN9KT_nw6gSkQKTrQrOh6K7hJy2PQgQhNL7rqr-miWc9xMZ9L1ZtzsFLyGfEr6IOkMtg/s1280/ol.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP;"><img alt="Linux Kernel Patches for Safe Forensic Imaging" border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMyqnH1zkX-I1hFsNhlZ3JQSxTwJPxoXPLjUH5cijlJgUFYvhA-WCz7g3qNH8HUo22MSnjC7A_0vXkpA1JznUMifqtgNUNfIc-QbkzBauu5csg70Kjtf3CtroN9KT_nw6gSkQKTrQrOh6K7hJy2PQgQhNL7rqr-miWc9xMZ9L1ZtzsFLyGfEr6IOkMtg/w640-h360/ol.png" title="Linux Kernel Patches for Safe Forensic Imaging" width="640" /></span></a></div><span style="font-family: Noto Sans JP;"><br /><span style="font-size: large;"><br /></span></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
Are you using Linux as your DFIR environment of choice? Many are, and for good reason. Linux makes many things easy thanks to the wide variety of open source DFIR tools available, premade distributions (SIFT, Paladin, DEFT, etc.) and the ability to quickly turn evidence into mountable file systems.<br />
<br />
However, for all the good, there are some Linux internals that might be silently tripping you up. The first is something a lot of us have known for a while: if you mount a journaled file system that Linux supports (ext3/ext4 are good examples), the underlying driver may replay the journal even if you tell it read only. A plain mount -o ro does not prevent journal recovery; you also need the mount option that skips recovery for that file system (noload, also accepted as norecovery, for ext3/ext4; norecovery for XFS), and ideally the block device itself marked read only at the kernel level with blockdev --setro, so that any write that still slips through is refused instead of applied.<br />
<br />
In addition to this, Maxim Suhanov (@errno_fail) is now showing that write blockers that make a device appear to be writeable and actively suppress errors can lead to a different set of issues. The blocker discards the writes, but the kernel believes they succeeded, so the journal replay and any other change the file system driver makes stay in the in-memory page cache, and every later read of those blocks, whether by dd, md5sum or your imaging tool, is served from that cache rather than from the disk. Passing iflag=direct to dd (O_DIRECT) tells it to skip the cache and read the disk itself, which also makes hashing the device both ways and comparing the digests a cheap check that nothing is sitting in the cache. This was a new one to me and very interesting. In fact, I initially thought this was something the write blocker was doing wrong and asked for the firmware revision, only to realize when thinking about it again that the issue is with the write cache itself.<br />
<br />
The write cache is not unique to Linux; all modern operating systems do it. But I didn't think to find a way to bypass it when disk imaging, and I'm glad Maxim brought it up. Maxim documented this in the GitHub project for his Linux write blocker kernel module:<br />
<br />
</span><blockquote class="tr_bq">
<h3 style="-webkit-text-stroke-width: 0px; background-color: white; box-sizing: border-box; color: #24292e; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 600; letter-spacing: normal; line-height: 1.25; margin-bottom: 16px; margin-top: 24px; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="font-family: Noto Sans JP; font-size: large;">
In-memory modifications</span></h3>
<div style="-webkit-text-stroke-width: 0px; background-color: white; box-sizing: border-box; color: #24292e; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 16px; margin-top: 0px; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="font-family: Noto Sans JP; font-size: large;">
Some changes to a mounted file system made by a file system driver can be cached in memory, although they won't reach a physical drive (with the patch enabled and a block device marked as read-only, of course). In this situation, reading a "modified" data block with a userspace program (e.g. <em style="box-sizing: border-box;">dd</em> or <em style="box-sizing: border-box;">md5sum</em>) will result in inconsistency between data received by a userspace program and data actually stored on a drive, i.e. a userspace program will get the bytes from cache (containing modifications from a driver), not from a drive (no modifications here). Unmounting a file system will bring things back to normal.</span></div>
</blockquote>
<span style="font-family: Noto Sans JP; font-size: large;"><br />
If you want to make sure your Linux kernel is really treating a disk as read only, you can use Maxim's kernel module: <a href="https://github.com/msuhanov/Linux-write-blocker#in-memory-modifications" target="_blank">https://github.com/msuhanov/Linux-write-blocker#in-memory-modifications</a><br />
<br />
If you want to read the original tweets go here: <span style="background-color: white; color: black; display: inline; float: none; font-style: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: pre-wrap; word-spacing: 0px;"><a href="https://twitter.com/errno_fail/status/1253363615282991105?s=20" target="_blank">https://twitter.com/errno_fail/status/1253363615282991105?s=20</a></span><br />
<br />
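The comparison described above, as an added example for this post (it is not code from Maxim's Linux-write-blocker project): the same path is hashed twice, once with a normal buffered read and once with O_DIRECT, which is what dd does with iflag=direct. Run as root against the block device while the file system is mounted, e.g. compare_reads("/dev/sdb"), a mismatch between the two digests means the page cache holds driver modifications that never reached the media. The demo() function runs the comparison on a constructed temporary file so it executes anywhere; on a file you just wrote the two digests are expected to agree. Note that the code refuses to report "consistent" when the file system rejects O_DIRECT (some file systems do), instead of quietly falling back to a cached read.

```python
"""Hash a path twice: a normal buffered read and an O_DIRECT read that bypasses
the page cache, the Python equivalent of dd without and with iflag=direct."""
import errno
import hashlib
import mmap
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

CHUNK = 1 << 20  # 1 MiB: a multiple of every sector and page size O_DIRECT requires


@dataclass
class ReadComparison:
    cached_sha256: str            # normal read, may be served from the page cache
    direct_sha256: Optional[str]  # O_DIRECT read, None if the path refused O_DIRECT
    direct_supported: bool

    @property
    def consistent(self) -> bool:
        # "Could not bypass the cache" must never be reported as "cache agrees with disk".
        return self.direct_supported and self.cached_sha256 == self.direct_sha256


def sha256_cached(path: str) -> str:
    """Ordinary read, the path dd and md5sum take without iflag=direct."""
    h = hashlib.sha256()
    with open(path, "rb", buffering=0) as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest()


def sha256_direct(path: str) -> Optional[str]:
    """O_DIRECT read: data comes from the media, not from the page cache.

    O_DIRECT needs a page-aligned buffer and aligned lengths; an anonymous mmap
    provides both.  Returns None when the platform or file system rejects
    O_DIRECT (EINVAL) rather than silently reading from the cache.
    """
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:  # not Linux
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError as e:
        if e.errno == errno.EINVAL:
            return None
        raise
    buf = mmap.mmap(-1, CHUNK)  # page-aligned scratch buffer
    h = hashlib.sha256()
    try:
        while True:
            try:
                n = os.readv(fd, [buf])  # last read of an unaligned file is short, then 0
            except OSError as e:
                if e.errno == errno.EINVAL:
                    return None
                raise
            if n == 0:
                break
            h.update(buf[:n])
    finally:
        os.close(fd)
        buf.close()
    return h.hexdigest()


def compare_reads(path: str) -> ReadComparison:
    """Run both reads on the same device or file, e.g. compare_reads("/dev/sdb") as root."""
    direct = sha256_direct(path)
    return ReadComparison(sha256_cached(path), direct, direct is not None)


def demo():
    """Constructed input: 1 MiB plus a few bytes so the final O_DIRECT read is short."""
    data = bytes(range(256)) * 4097 + b"tail"
    expected = hashlib.sha256(data).hexdigest()
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    try:
        return compare_reads(path), expected
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result, expected = demo()
    print(result, "expected", expected)
```

Unmounting the file system clears the cached modifications, as Maxim notes, but if you cannot unmount (a live triage box, or a volume you did not mount), reading through O_DIRECT is the only way to see what is actually on the media.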
</span><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJrlnniOhpTSrC9y9Wb7kEQp1CUuBgFJWL15pSJbw-1RFHpIOw-b_sKyl6YCZk1sl1kcIbcezsmDLuxXvarLm9fLtQKXhkp8QRfftbjDg3jQRfUpHjYCycJBoCg_wFwgAVCiftbgMqBxs/s1600/1200px-SELinux_logo.svg.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Noto Sans JP; font-size: large;"><img border="0" data-original-height="1085" data-original-width="1200" height="289" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJrlnniOhpTSrC9y9Wb7kEQp1CUuBgFJWL15pSJbw-1RFHpIOw-b_sKyl6YCZk1sl1kcIbcezsmDLuxXvarLm9fLtQKXhkp8QRfftbjDg3jQRfUpHjYCycJBoCg_wFwgAVCiftbgMqBxs/s320/1200px-SELinux_logo.svg.png" width="320" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: Noto Sans JP;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: Noto Sans JP;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://www.hecfblog.com/2020/04/daily-blog-681-dfir-discord.html" target="_blank">Also Read: Daily Blog #681</a></span></div>
<br /></div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-35650821266302407582020-04-22T23:39:00.006-05:002023-08-10T15:56:00.797-05:00Daily Blog #681: DFIR Discord by Andrew Rathbun<div dir="ltr" style="text-align: left;" trbidi="on"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFmxmqtEQZtASC386zTGa0sC5OyanJfFLOnApy7-sOtP_q7_H0WpotxblzFrNJVT3qJ6HBrXR3vcseKX5zdKxW8dJgF4Dwx2JN1XcB8Bs742d5_J93Qn2_lisCIBkkMy3kEEAk2ubIwWs/s1600/discord.PNG" style="margin-left: 1em; margin-right: 1em; text-align: center;"><span style="font-family: Noto Sans JP; font-size: large;"><img alt="DFIR Discord by Andrew Rathbun" border="0" data-original-height="485" data-original-width="1037" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFmxmqtEQZtASC386zTGa0sC5OyanJfFLOnApy7-sOtP_q7_H0WpotxblzFrNJVT3qJ6HBrXR3vcseKX5zdKxW8dJgF4Dwx2JN1XcB8Bs742d5_J93Qn2_lisCIBkkMy3kEEAk2ubIwWs/w640-h297/discord.PNG" title="DFIR Discord by Andrew Rathbun" width="640" /></span></a></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hello Reader,<br />
As we are all isolated and looking for more safe social interaction without leaving a permanent public trace (I'm looking at you, Twitter), it's good to know there are places we can go to talk DFIR with other practitioners in a less formal environment.<br />
<br />
Andrew Rathbun has been hosting a DFIR focused Discord server for two years now, and it has grown its own community of people who help each other with their DFIR related issues. On the Discord server you'll see that topics are broken into sub-channels, allowing you to quickly jump into the sub-discipline of DFIR that you need to discuss while still having access to more general and open channels for discussion.<br />
<br />
If this sounds interesting to you and you are already a Discord user click here: <a href="https://discordapp.com/invite/JUqe9Ek" target="_blank">https://discordapp.com/invite/JUqe9Ek<br /></a>
<br />
Otherwise click <a href="https://aboutdfir.com/a-beginners-guide-to-the-digital-forensics-discord-server/" target="_blank">here </a>to read more about how to get started.</span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><a href="https://www.hecfblog.com/2020/04/daily-blog-680-apple-unified-audit.html" target="_blank">Also Read: Daily Blog #680 - Apple Unified Audit Logging<br /></a>
<br />
</span><div class="separator" style="clear: both; text-align: center;"><br /></div>
</div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-37576574175716399422020-04-21T23:41:00.002-05:002023-07-05T15:29:23.648-05:00Daily Blog #680: Apple Unified Audit Logging<div dir="ltr" style="text-align: left;" trbidi="on"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb-mpgzM30xYviQG_dIy86D7k3CwRZe72wxwwY8gCxVM5OmCUsfHEM7lxapwsTQK13LvlELBceDmEdJmUt90H9THqwRmmfdysNk6wmnB5-jHjk4xdiAK7Y4qu4KfFdm3k7_I_35wR_8co/s1600/download%252B%25281%2529.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><span style="font-family: Noto Sans JP; font-size: large;"><img border="0" data-original-height="655" data-original-width="750" height="558" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb-mpgzM30xYviQG_dIy86D7k3CwRZe72wxwwY8gCxVM5OmCUsfHEM7lxapwsTQK13LvlELBceDmEdJmUt90H9THqwRmmfdysNk6wmnB5-jHjk4xdiAK7Y4qu4KfFdm3k7_I_35wR_8co/w640-h558/download%252B%25281%2529.png" width="640" /></span></a></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;"><br /></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Noto Sans JP; font-size: large;">
Hey Reader,<br />
Today I didn't have the time I needed to get a test kitchen done so I decided to take this opportunity to point you towards another great blog you should be reading with a different focus.<br />
<br />
Sarah Edwards over at the Mac4n6 blog has started a series on Apple's unified logging. If you have not been diving deep in your macOS/OS X/whatever they call it now analysis by looking into the data that the unified logs provide, you're missing out.<br />
<br />
Many examiners look at macOS as a BSD operating system and just look at syslog, forgetting that there is a whole scaffold of another OS layered on top with its own logging. Apple's unified logging is a moving target, as they are notoriously not backwards compatible; I mean, who else force upgrades file systems?<br />
<br />
So do yourself a favor and check out Sarah's blog below:<br />
<br />
<a href="https://www.mac4n6.com/blog/2020/4/19/introducing-analysis-of-apple-unified-logs-quarantine-edition-entry-0" target="_blank">https://www.mac4n6.com/blog/2020/4/19/introducing-analysis-of-apple-unified-logs-quarantine-edition-entry-0</a><br />
<br /><a href="https://www.hecfblog.com/2020/04/daily-blog-679-snapshot-4n6ir-imager.html">Also Read: Daily Blog #679<br />
</a></span><div class="separator" style="clear: both; text-align: center;"><span style="font-family: Noto Sans JP;"><br /></span></div>
<br /></div>
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0tag:blogger.com,1999:blog-1466903740262764947.post-92182839596276272932020-04-20T16:30:00.002-05:002023-05-28T05:47:55.235-05:00Daily Blog #679: Snapshot 4n6ir Imager<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguSJb3Dqzg-xkyGxEiZjc8zytEEVivljILcl1Dlf-YZ_8H9cDVRg75xFmF-V2Gitwb2pUBztN79NX8h04bGJdOsU9lkYM5jAKhlyWRjysW6NDdemq2zvsHnOsWnunyLTHsP7nlNEIZeD4/s1600/awstool.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: times; font-size: large;"><img alt="Snapshot 4n6ir Imager" border="0" data-original-height="634" data-original-width="1023" height="396" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguSJb3Dqzg-xkyGxEiZjc8zytEEVivljILcl1Dlf-YZ_8H9cDVRg75xFmF-V2Gitwb2pUBztN79NX8h04bGJdOsU9lkYM5jAKhlyWRjysW6NDdemq2zvsHnOsWnunyLTHsP7nlNEIZeD4/w640-h396/awstool.png" title="Snapshot 4n6ir Imager" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: times; font-size: large;"><br />
<br />
Hello Reader,<br />
I've been documenting my own cloud DFIR research, but I'm far from alone in this journey. Today I wanted to provide a spotlight on what could be a very useful tool if you're looking to up your AWS DFIR game. John Lukach has put out a Python script that makes use of the AWS EBS direct block API I've been testing for a different purpose. While I've been noodling over the idea of live block based triage, John focused on what is a bigger real problem for most examiners: dealing with encrypted EBS volumes and snapshots.<br />
<br />
While I realized that the block token allowed for block based snapshot decryption, I did not appreciate that the steps required to restore encrypted snapshots were a bit more painful than most examiners cared for. What John's tool, called Snapshot 4n6ir Imager, does is use the AWS EBS direct block API to retrieve the decrypted blocks from a snapshot and store them as a dd/raw image wherever you run it from.<br />
<br />
I know John is actively working on this and recently put out a Docker container that has it working as well. So if you were looking for a building block in your automation pipeline to create dd images out of snapshots rather than attaching volumes, this is a good solution!<br />
<br />
You can read more here:</span></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: times; font-size: large;"><br />
<a href="https://cloud.4n6ir.com/projects/snapshot-4n6ir-imager-initial-release/index.html" target="_blank">https://cloud.4n6ir.com/projects/snapshot-4n6ir-imager-initial-release/index.html</a></span></div><div dir="ltr" style="text-align: left;" trbidi="on"><br /></div><div dir="ltr" style="text-align: left;" trbidi="on"><br /></div><div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: times; font-size: large;">Also Read: <a href="https://www.hecfblog.com/2020/04/daily-blog-678-sunday-funday-41920.html" target="_blank">Daily Blog #678</a></span></div>
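How a snapshot becomes a dd image through the EBS direct block API, as an added example for this post (it is not John's Snapshot 4n6ir Imager code). The two calls it drives, ListSnapshotBlocks and GetSnapshotBlock, are the real EBS direct APIs (with boto3, boto3.client("ebs").list_snapshot_blocks and .get_snapshot_block); the FakeEbsClient and TamperedClient classes, the block contents and the snapshot ID are constructed stand-ins so the example runs offline, and the real client can be dropped in for a real snapshot ID. Three details are the ones that matter in practice: the API hands out 512 KiB blocks addressed by BlockIndex, so each block lands at BlockIndex times BlockSize; blocks the API never lists were never written on the volume and are left as holes, so the image is sparse but the full volume size; and every block carries a base64 SHA256 checksum that is verified before the block is accepted. For an encrypted snapshot the same calls return decrypted block data when the caller has the KMS permissions for the key, which is what lets the tool skip the restore-a-volume dance.

```python
"""Rebuild a raw (dd-style) image from EBS direct-API snapshot blocks."""
import base64
import hashlib
import io
import os
import tempfile

GIB = 1024 ** 3


class FakeEbsClient:
    """Constructed stand-in with the call shapes of boto3's EBS client.

    Holds {block_index: bytes} for a 1 GiB volume; page_size is tiny so the
    NextToken pagination path is exercised.
    """

    def __init__(self, blocks, block_size=512 * 1024, page_size=2):
        self.blocks = dict(sorted(blocks.items()))
        self.block_size = block_size
        self.page_size = page_size

    def list_snapshot_blocks(self, SnapshotId, NextToken=None, MaxResults=100):
        indexes = list(self.blocks)
        start = int(NextToken) if NextToken else 0
        page = indexes[start:start + self.page_size]
        resp = {"Blocks": [{"BlockIndex": i, "BlockToken": f"tok-{i}"} for i in page],
                "BlockSize": self.block_size, "VolumeSize": 1}  # VolumeSize is in GiB
        if start + self.page_size < len(indexes):
            resp["NextToken"] = str(start + self.page_size)
        return resp

    def get_snapshot_block(self, SnapshotId, BlockIndex, BlockToken):
        data = self.blocks[BlockIndex]
        return {"BlockData": io.BytesIO(data), "DataLength": len(data),
                "Checksum": base64.b64encode(hashlib.sha256(data).digest()).decode(),
                "ChecksumAlgorithm": "SHA256"}


class TamperedClient(FakeEbsClient):
    """Constructed: block data that no longer matches the checksum the API returned."""

    def get_snapshot_block(self, SnapshotId, BlockIndex, BlockToken):
        resp = super().get_snapshot_block(SnapshotId, BlockIndex, BlockToken)
        resp["BlockData"] = io.BytesIO(b"\x00" * resp["DataLength"])
        return resp


def write_snapshot_image(client, snapshot_id, out):
    """Write every listed block at BlockIndex * BlockSize into `out` (a real file).

    Unlisted blocks were never written on the volume and stay holes; the file
    is extended to the full volume size at the end so it is dd-compatible.
    """
    token, written = None, 0
    while True:
        kwargs = {"SnapshotId": snapshot_id, "MaxResults": 1000}
        if token:
            kwargs["NextToken"] = token
        page = client.list_snapshot_blocks(**kwargs)
        block_size, volume_bytes = page["BlockSize"], page["VolumeSize"] * GIB
        for b in page["Blocks"]:
            blk = client.get_snapshot_block(SnapshotId=snapshot_id,
                                            BlockIndex=b["BlockIndex"],
                                            BlockToken=b["BlockToken"])
            data = blk["BlockData"].read()
            digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
            if (blk["ChecksumAlgorithm"] != "SHA256" or digest != blk["Checksum"]
                    or len(data) != blk["DataLength"]):
                raise ValueError(f"block {b['BlockIndex']} failed integrity check")
            out.seek(b["BlockIndex"] * block_size)
            out.write(data)
            written += 1
        token = page.get("NextToken")
        if not token:
            break
    out.truncate(volume_bytes)  # extend with a hole to the full volume size
    return {"blocks_written": written, "image_size": volume_bytes}


def demo():
    """Constructed 1 GiB snapshot with three written blocks (indexes 0, 3 and 2047)."""
    bs = 512 * 1024
    blocks = {0: bytes([0xEB]) * bs, 3: bytes([0x33]) * bs, 2047: bytes([0xFF]) * bs}
    snap = "snap-0123456789abcdef0"  # constructed ID
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as out:
            stats = write_snapshot_image(FakeEbsClient(blocks), snap, out)
        with open(path, "rb") as img:
            img.seek(3 * bs)
            block3_ok = img.read(bs) == blocks[3]
            img.seek(1 * bs)  # never listed: must read back as zeros
            hole_ok = img.read(bs) == b"\x00" * bs
        stats["image_size_on_disk"] = os.path.getsize(path)
    finally:
        os.unlink(path)
    try:  # the tampered client fails on its first block, before anything is written
        write_snapshot_image(TamperedClient(blocks), snap, io.BytesIO())
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    stats.update(block3_matches=block3_ok, unreported_block_is_zero=hole_ok,
                 checksum_mismatch_detected=tamper_detected)
    return stats


if __name__ == "__main__":
    print(demo())
```

Because the output is written with seeks rather than streamed sequentially, the image is created sparse and only the blocks the snapshot actually contains consume disk space; copy it with a sparse-aware tool (cp --sparse=always, or an imager that understands holes) or the holes get materialized as real zeros.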
David Cowenhttp://www.blogger.com/profile/17629115910611763170noreply@blogger.com0