Latest Post

@night 1803 access accessdata active directory admissibility ads aduc aim aix ajax alex levinson alissa torres amcache analysis anjp anssi answer key antiforensics apfs appcompat appcompatflags applocker april fools argparse arman gungor arsenal artifact extractor attachments attacker tools austin automating automation awards aws azure azuread back to basics backstage bam base16 best finds beta bias bitcoin bitlocker blackbag blackberry enterprise server blackhat blacklight blade blanche lagny book book review brute force bsides bulk extractor c2 carved carving case ccdc cd burning ceic cfp challenge champlain chat logs Christmas Christmas eve chrome cit client info cloud forensics command line computer forensics computername conference schedule consulting contest cool tools. tips copy and paste coreanalytics cortana court approved credentials cryptocurrency ctf cti summit cut and paste cyberbox Daily Blog dbir deep freeze defcon defender ata deviceclasses dfa dfir dfir automation dfir exposed dfir in 120 seconds dfir indepth dfir review dfir summit dfir wizard dfrws dfvfs dingo stole my baby directories directory dirty file system disablelastaccess discount download dropbox dvd burning e01 elastic search elcomsoft elevated email recovery email searching emdmgmt Encyclopedia Forensica enfuse eric huber es eshandler esxi evalexperience event log event logs evidence execution exfat ext3 ext4 extended mapi external drives f-response factory access mode false positive fat fde firefox for408 for498 for500 for526 for668 forenisc toolkit forensic 4cast forensic lunch forensic soundness forensic tips fraud free fsutil ftk ftk 2 full disk encryption future gcfe gcp github go bag golden ticket google gsuite guardduty gui hackthebox hal pomeranz hashlib hfs honeypot honeypots how does it work how i use it how to howto IE10 imaging incident response indepth information theft infosec pro guide intern internetusername Interview ios ip theft iphone ir itunes encrypted backups jailbreak jeddah jessica hyde joe sylve journals json jump lists kali kape kevin stokes kibana knowledgec korman labs lance mueller last access last logon lateral movement leanpub libtsk libvshadow linux linux forensics linux-3g live systems lnk files log analysis log2timeline login logs london love notes lznt1 mac mac_apt macmini magnet magnet user summit magnet virtual summit mari degrazia mathias fuchs md viewer memorial day memory forensics metaspike mft mftecmd mhn microsoft milestones mimikatz missing features mlocate mobile devices mojave mount mtp multiboot usb mus mus 2019 mus2019 nccdc netanalysis netbios netflow new book new years eve new years resolutions nominations nosql notifications ntfs ntfsdisablelastaccessupdate nuc nw3c objectid offensive forensics office office 2016 office 365 oleg skilkin osx outlook outlook web access owa packetsled paladin pancake viewer path specification pdf perl persistence pfic plists posix powerforensics powerpoint powershell prefetch psexec py2exe pyewf pyinstaller python pytsk rallysecurity raw images rdp re-c re-creation testing reader project recipes recon recursive hashing recycle bin redteam regipy registry registry explorer registry recon regripper remote research reverse engineering rhel rootless runas sample images san diego SANS sans dfir summit sarah edwards saturday Saturday reading sbe sccm scrap files search server 2008 server 2008 r2 server 2012 server 2019 setmace setupapi sha1 shadowkit shadows shell items shellbags shimcache silv3rhorn skull canyon skype slow down smb solution solution saturday sop speed sponsors sqlite srum ssd stage 1 stories storport sunday funday swgde syscache system t2 takeout telemetry temporary files test kitchen thanksgiving threat intel timeline times timestamps timestomp timezone tool tool testing training transaction logs triage triforce truecrypt tsk tun naung tutorial typed paths typedpaths uac unc understanding unicorn unified logs unread updates usb usb detective usbstor user assist userassist usnjrnl validation vhd video video blog videopost vlive vmug vmware volatility vote vss web2.0 webcast webinar webmail weekend reading what are you missing what did they take what don't we know What I wish I knew whitfield windows windows 10 windows 2008 windows 7 windows forensics windows server winfe winfe lite winscp wmi write head xboot xfs xways yarp yogesh zimmerman zone.identifier

Hello Reader,
       Tonight we had another test kitchen, tonight with Matt Seyer and Joe Sylve. We started by talking about DFVFS and logical volume parsing. Then Matt showed how to do Python hooking to override the functionality of a DFVFS function to fix the logical volume issue with source scanner.

Our talk then took a turn with Dr. Joe Sylve coming on to talk about logical acquisitions on APFS and things got funny ... to us ... quickly. So if any of these things are interesting to you then watch below:

Hello Reader,
         Tonight we had another Test Kitchen and this one was much more successful than last nights.
Tonight we went into Matt's Pancake Viewer code, followed the functions, talked about how it worked and how it used DFVFS.

We ended the night with a demonstration of Pancake Viewer opening a E01 file and what underlying calls/functions were being made.

So if you are looking to follow along and tweak the code yourself or you just want to learn DFVFS/Python you can watch the video below:

Hello Reader,
       Well it happened, we reached daily blog 666 and as you would expect ... it all went wrong. 

In order to show how to get DFVFS running I decided to do it in a Test Kitchen live stream that you can watch below, its 2 hours. Yes it took 2 hours and some whiskey to finally go from creating an Azure account, running a Windows 10 vm to getting DFVFS installed. 

Here is the TLDR:
1. Getting Azure up and starting a new Win 10 desktop was pretty painless and fairly cheap, we will find out how cheap at the end of the month
2. I used ninite to install what I needed but it installed Python 2.7 (boo) so I had to install 3.7
3. I attempted to follow the instructions on the DFVFS build page ... don't do that. 
4. Instead  install the Microsoft Visual Studio C++ Build tools:
5. Then use matthew's script:
which will install all of the msi's for the compiled libraries
6, Then install dfvfs, you can use pip for this too
pip install dfvfs

That should do it! 
If not watch the video below and skip around to find things that could help. Next post we will work out what errors exist in the current program, get it to run and then figure out what we want to extend first.

Hello Reader,
         If you watched the last Forensic Lunch (I mean why wouldn't you have) then you know that Matt and I talked about continuing development of Matt's Pancake Viewer. Specifically Matt suggested that I take over the development.  So with that in mind I thought I would make this a blog series and likely some test kitchens.

Why? Good question!

Also I've noticed my blog posts look better on the new blog template if there is in image in it, so here we go:

What is Pancake Viewer you ask? It's Mat's Open Source GUI project that allows you to open any image file or physical disk that DFVFS supports and view its contents. It was an early experiment in learning DFVFS and Wx for Matt as well as in the long term an open source replacement for FTK Imager.

I've had several people ask to continue the Automating DFVFS series and since Pancake Viewer makes use of DFVFS it makes good sense to work on this to show what you can do with DFVFS outside of a command line quick script. You can write entire applications on top of it and Matt has some good code here that we can learn together to better take advantage of it.

We can then take that knowledge back to the Automating DFVFS series to expand whats possible.

So to start with you should grab a copy of my forked version of Matt's PancakeViewer project

I'm going to be trying VSCode this time around, I typically use Komodo when I do Python but thought I would change things around.

Looking at the readme you can see there are two dependencies. Let's install them in reverse order.

  - Homepage:
  - Wiki:
  - How to build:
- WxPython (v3.0)
  - Homepage:
  - Compiled Binaries:

According to WxPython's download page you can now use pip to install it on both Mac and Windows which is very handy. I was able to install it doing

pip install -U wxPython

Next we need to install DFVFS which I haven't done on this system in quite some time and I'm not sure what the state of things are. So come back tomorrow dear reader for what I'm sure is not an foreshadow of danger ..... daily blog 666 install DFVFS again.

Hello Reader,
          I hope your ready, Sunday Funday's are back and we are going to challenge you. I'm continuing the trend from last year of making the challenges a week long and with everyone home now I hope you can find a good use of some time here. So let's see what you can do and how we can help the community with your research in this weeks windows execution artifact challenge.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 4/10/20 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
We've all heard of the BAM key by now, located in SYSTEM\\services\bam, but what are the limitations? Answer the following questions:
1. What types of programs are not logged in BAM?
2. Are there any paths excluded from BAM?
3. What can cause a program to no longer be listed in the BAM key?
4. When does the BAM get updated?
5. What can update the BAM timestamp?

Hello Reader,
      Next month I was supposed to be eating hot chicken with all of you in Nashville at the Magnet User Summit (MUS) but since it's still corona time this too has moved to a virtual format. The conference now called the Magnet Virtual Summit (MVS) is set for the whole month of may, it's Magnet in May!

What's even more interesting is that Magnet has decided to make MVS free for anyone who wants to virtually attend and will have a month of speakers ( a virtual CTF created by Champlain's DFA and Jessica Hyde and of course we will be doing a Forensic Lunch with the winner.

Speaking of the virtual CTF, since we are not running the CTF this year we will be joined by campaign manager extraordinaire Brian Moran in providing commentary on our YouTube channel so everyone can follow along at home. Expect expert insights, bad jokes and team nicknames to fly as we watch the scoreboard and cheer on the competitors.

So go here to register ( and get ready for daily content starting May 4th through the end of May. It's great to see so many vendors making the best of the current situation and bring us something that benefits everyone.

Tomorrow, come back for Sunday Funday!

Hello Reader,
   Today we had another episode of the Forensic Lunch!

On this episode:

You can watch the show below:

Author Name

Contact Form


Email *

Message *

Powered by Blogger.