Wednesday, December 12, 2018

Daily Blog #565: Seeing Double (access dates)

Hello Reader,
         Got some medicine today so hopefully I'll be able to stop coughing tomorrow. In the meantime I'd like to point you to some very interesting work Maxim Suhanov is doing. You can read the tweet thread here:

Maxim found that Windows is keeping two last access dates, one on the disk and one in memory for a single file if Last Access dates are enabled. In the below python script you can see he can actually see the contents of both version of the timestamp:

#!/usr/bin/env python3

import os
from time import sleep

FILE_PATH = 'ts.txt'

def get_atime_1():
 result = os.stat(FILE_PATH, follow_symlinks = False)
 return result.st_atime

def get_atime_2():
 for entry in os.scandir('.'):
  if == FILE_PATH.lower():
   return entry.stat().st_atime

#print('Starting up...')
print(get_atime_1(), get_atime_2())

That to me is fascinating, it looks like one entry is coming from the stat of the file itself while the other is coming from the directory index. This is going to become more testing material in the near future. 

Tuesday, December 11, 2018

Daily Blog #564: Tool spotlight Artifact Extractor

Hello Reader,
      Well my cough has gotten worse so no test kitchen tonight or else you would mainly hear my coughing. So tonight I thought I would take the time to spotlight one of the tools you could be including in your Sunday Funday submission this week, Artifact Extractor.

You can check it out here:

What Silv3rHorn has done is create a dfvfs script that will extract from any support image source (which is alot) all of the artifacts specified in the logical volume and the shadow copies.

Check it out and let me know what you think! I'll be using it in future test kitchens to give a go. 

Monday, December 10, 2018

Daily Blog #563: Forensic Lunch Test Kitchen 12/10/18

Hello Reader,
         Another test kitchen down! This time we went back to the Syscache.hve in Windows 7 trying to understand its limitations and its purpose in the operating system. Here is what we found:

  • Programs executed from the Desktop whether from the command line or GUI were not being inserted into the Syscache.hve
  • Programs executed from a temp directory made on the Desktop were being recorded in the Syscache.hve
  • There are some sysinternals programs that are not being captured at all, these may not need any shiming

You can watch the video here:

Sunday, December 9, 2018

Daily Blog #562: Sunday Funday 12/9/18

Hello Reader,
        We've had a lot of different kinds of challenges to attract different people within the community to participate. This week I'm changing the challenge up again to open up who can participate this week in a test of your google and basic code reading skills.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/14/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
Find all the projects out there that are making use of DFVFS ( with a description of what the code does with it. Let's see if we can find all the possible exemplar code bases out there to help others adopt this framework!

Saturday, December 8, 2018

Daily Blog #561: Solution Saturday 12/8/18

Hello Reader,
       Another challenge where a new victor has emerged! One of the great things about these weekly challenges is that let's people within the larger community a chance to show what they got. This week Zach Stanford has made his mark with his winning submission.

The Challenge:

Document the order that the following shims are executed/data written in Windows 10:
  • Prefetch
  • Shimcache
  • Amcache
  • Userassist
  • SRUM
List the time stamps associated with the entry creation and whatever else you can determine about the order they are called

The Winning Answer:

Come back tomorrow for the next week's challenge!

Daily Blog #560: Forensic Lunch 12/7/18

Hello Reader,
        This week we had a Forensic Lunch with Eric Zimmerman! We talked about

You can watch the video here:

Thursday, December 6, 2018

Daily Blog #559: Forensic Lunch Test Kitchen 12/6/18

Hello Reader,
  Tonight we tested the new NTFSDisableLastAccessUpdate registry key in Windows 10 1803. Here's what we learned:

  • We learned that reading double negatives can be hard, it turns out my system did have last access dates on (value of 2) as Maxim Suhanov stated as my system drive was <= 128gb in size
  • We learned that drives larger than 128gb in size (my host system) have last access dates off (value of 3)
  • We learned that changing the value from 2 to 3 will be reversed on reboot as system managed really does mean system managed. 
  • We learned that changing the value from 2 to 1 will remain 1 on reboot meaning user managed will not be overruled by the system on reboot.
  • We learned that we will have to double check every system now because as of Windows 10 1803 we may have updated last access dates again!
You can watch the video here: