Saturday, December 15, 2018

Daily Blog #568: Solution Saturday 12/15/18

Hello Reader,
This week I changed up the challenge and you stepped up to the task. This week the master of DFIR knowledge summarization used his skills to pull of a win by one project. Congratulations to Phill Moore (and his baby) for this weeks win!

The Challenge:
Find all the projects out there that are making use of DFVFS ( with a description of what the code does with it. Let's see if we can find all the possible exemplar code bases out there to help others adopt this framework!

The Winning Answer:

dfVFS, or Digital Forensics Virtual File System, provides read-only access to
file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system
objects, for which it uses several back-ends that provide the actual
implementation of the various storage media types, volume systems and file

Log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. Plaso documentation
A DFVFS backed viewer project with a WxPython GUI for viewing file systems and file system metadata. Forensic Lunch about it

Allows you to extract a file from forensic images, virtual disks, raw images and live disks, including from volume shadows. Blog posts:
An open source tool set built on dfVFS. Blog post about it

Evidence Fetcher (efetch) is a web-based file explorer, viewer, and analyzer. Efetch supports viewing hundreds of file types including office, registry, PST, image, and SQLite files. Efetch supports navigating RAW, E01, ZIP, GZ, TAR, VMDK, VHD, QCOW, and BZ2 files thanks to dfVFS.
Blog post about it

A tool for when you have a bunch of documents to figure out of. Gransk is an open source tool that aims to be a Swiss army knife of document processing and analysis. Its primary objective is to quikly provide users with insight to their documents during investigations. It includes a processing engine written in Python and a web interface. Under the hood it uses Apache Tika for content extraction, Elasticsearch for data indexing, and dfVFS to unpack disk images.

A Python implementation of VMPOP (Virtual Machine POPulation) framework. dfVFS is used to enable for Data Extraction features

ArtifactExtractor is a script that extracts common Windows artifacts from source images and VSCs.

This program automatically finds provenance related to a file on an image
I’m not exactly sure what that means.

Technically doesn’t use DFVFS, but a long time ago Dave put out a Sunday Funday challenge to automate the installation so I wrote this script. It may not work any more, it worked at the time.

Friday, December 14, 2018

Daily Blog #567: Forensic Lunch 12/14/18

Hello Reader,
         It's the forensic lunch! This broadcast we had Eric Huber talking about his work at the NW3C (National White Collar Crime Center) and his investigations into Cryptocurrencies. I think you'll enjoy it!

You can read Eric's Blog here:
You can follow Eric on twitter here:
You can learn more about the NW3C here:

Watch the video below:

Thursday, December 13, 2018

Daily Blog #566: Forensic Lunch Test Kitchen 12/13/18

Hello Reader,
         This was another test kitchen were we mainly got some python code to work and in the end were able to print all of the file name's out of the file name attributes for every file referenced in the Syscache hive Object key. This isn't done though as next week I need to add in the sequence numbers to the checks to make sure I'm looking at the right file.

So next week we will be able to start making some observations about what exactly Syscache is actually tracking.

You can watch me use Eric Zimmerman's new Syscache plugin and write python code to parse the filename attribute here:

Wednesday, December 12, 2018

Daily Blog #565: Seeing Double (access dates)

Hello Reader,
         Got some medicine today so hopefully I'll be able to stop coughing tomorrow. In the meantime I'd like to point you to some very interesting work Maxim Suhanov is doing. You can read the tweet thread here:

Maxim found that Windows is keeping two last access dates, one on the disk and one in memory for a single file if Last Access dates are enabled. In the below python script you can see he can actually see the contents of both version of the timestamp:

#!/usr/bin/env python3

import os
from time import sleep

FILE_PATH = 'ts.txt'

def get_atime_1():
 result = os.stat(FILE_PATH, follow_symlinks = False)
 return result.st_atime

def get_atime_2():
 for entry in os.scandir('.'):
  if == FILE_PATH.lower():
   return entry.stat().st_atime

#print('Starting up...')
print(get_atime_1(), get_atime_2())

That to me is fascinating, it looks like one entry is coming from the stat of the file itself while the other is coming from the directory index. This is going to become more testing material in the near future. 

Tuesday, December 11, 2018

Daily Blog #564: Tool spotlight Artifact Extractor

Hello Reader,
      Well my cough has gotten worse so no test kitchen tonight or else you would mainly hear my coughing. So tonight I thought I would take the time to spotlight one of the tools you could be including in your Sunday Funday submission this week, Artifact Extractor.

You can check it out here:

What Silv3rHorn has done is create a dfvfs script that will extract from any support image source (which is alot) all of the artifacts specified in the logical volume and the shadow copies.

Check it out and let me know what you think! I'll be using it in future test kitchens to give a go. 

Monday, December 10, 2018

Daily Blog #563: Forensic Lunch Test Kitchen 12/10/18

Hello Reader,
         Another test kitchen down! This time we went back to the Syscache.hve in Windows 7 trying to understand its limitations and its purpose in the operating system. Here is what we found:

  • Programs executed from the Desktop whether from the command line or GUI were not being inserted into the Syscache.hve
  • Programs executed from a temp directory made on the Desktop were being recorded in the Syscache.hve
  • There are some sysinternals programs that are not being captured at all, these may not need any shiming

You can watch the video here:

Sunday, December 9, 2018

Daily Blog #562: Sunday Funday 12/9/18

Hello Reader,
        We've had a lot of different kinds of challenges to attract different people within the community to participate. This week I'm changing the challenge up again to open up who can participate this week in a test of your google and basic code reading skills.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 12/14/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
Find all the projects out there that are making use of DFVFS ( with a description of what the code does with it. Let's see if we can find all the possible exemplar code bases out there to help others adopt this framework!