
Daily Blog #815: I missed a day

 


Hello Reader,

It happens to everyone and yesterday it happened to me. I was traveling and lost track of the day and realized I didn't post a blog yesterday. I just want to acknowledge it so you know a couple things. 


1. It's ok to make a mistake

2. Just because I missed a day doesn't mean that I won't stop posting, just means I missed a day. 

3. I'm human just like everyone else.


So take your mistakes in stride and realize that everyone will make them. Enjoy your life and don't let minor mistakes derail you from making your goals! I'm doing this mainly to keep pushing myself to keep learning, researching and sharing. The fact that you all are here and reading this with me just makes it that much better. 

Daily Blog #814: Sunday Funday 4/20/25

 


Hello Reader, 

It's an Eng world and we are just living in it, unless of course you take the time to put in an entry this week and win! This week we are changing courses to an old file system problem with some utilities.

The Prize:

$100 Amazon Giftcard


 
The Rules:

  1. You must post your answer before Friday 4/25/25 7PM CST (GMT -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post
  8. AI assistance is welcomed but if a post is deemed to be entirely AI written it will not qualify for a prize. 


The Challenge:

FAT32 does not store a timestamp for access dates; it only records the date. However, many tools treat, or have in the past treated, the zero time entry as a real time entry and adjusted it for time zones. Test your favorite tools, such as FTK Imager, X-Ways, Axiom, EnCase or Autopsy (your choice), but you must submit at least two and show whether they are correctly handling FAT32 timestamps.
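To make the behaviour under test concrete, the following added example (not part of the original post or of any tool named above) decodes the timestamps of a constructed 32-byte FAT short directory entry and models the faulty handling described in the challenge. The sample entry, the helper names and the UTC-6 display offset are assumptions chosen for illustration.

```python
import struct
from datetime import date, datetime, time, timedelta, timezone

ENTRY = struct.Struct("<11sBBBHHHHHHHI")  # 32-byte FAT short directory entry

def pack_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day

def pack_time(t):
    return (t.hour << 11) | (t.minute << 5) | (t.second // 2)

def unpack_date(v):
    return date(1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)

def unpack_time(v):
    return time(v >> 11, (v >> 5) & 0x3F, (v & 0x1F) * 2)

def parse_entry(raw):
    """Decode the three timestamps of one short directory entry."""
    (_name, _attr, _nt, _tenths, c_time, c_date, a_date,
     _hi, w_time, w_date, _lo, _size) = ENTRY.unpack(raw)
    return {
        "created": datetime.combine(unpack_date(c_date), unpack_time(c_time)),
        "written": datetime.combine(unpack_date(w_date), unpack_time(w_time)),
        "accessed": unpack_date(a_date),  # 2-byte date at offset 18, no time field
    }

def flawed_access(accessed, display_offset_hours):
    """Model of the bug: treat the date as 00:00:00 UTC, then shift to a display zone."""
    as_utc = datetime.combine(accessed, time(0), tzinfo=timezone.utc)
    return as_utc.astimezone(timezone(timedelta(hours=display_offset_hours)))

def handles_access_date(tool_output, accessed):
    """True if a reported access value is the stored date with no shifted clock time."""
    return tool_output.date() == accessed and tool_output.time() == time(0)

# Constructed sample entry (not taken from a real image).
SAMPLE = ENTRY.pack(b"REPORT  TXT", 0x20, 0, 0,
                    pack_time(time(14, 30, 10)), pack_date(date(2025, 4, 18)),
                    pack_date(date(2025, 4, 20)), 0,
                    pack_time(time(9, 15, 42)), pack_date(date(2025, 4, 19)), 2, 1024)

if __name__ == "__main__":
    ts = parse_entry(SAMPLE)
    print("stored access date:", ts["accessed"])
    print("flawed UTC-6 view :", flawed_access(ts["accessed"], -6))
```

A tool that shows a non-midnight time, or a different calendar day, for the access field of this entry is applying a time zone adjustment to a value that has no time component.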

 

Daily Blog #813: Solution Saturday 4/19/25

 


Hello Reader, 

Another week has come and gone but Chris Eng's streak continues unbroken! It's up to all of you to decide if you are ready to step up to the challenge tomorrow for this week's challenge!

 

The Challenge:

It's becoming more common that the first thing an attacker will try to do if they get access to a user's system is extract all of the saved browser passwords. Profile a popular browser password extractor (such as WebBrowserPassView or HackBrowserData) and detail what artifacts are left behind that would reveal their usage on a Windows 11 system. Extra points if you:
a. Try multiple browser password viewing tools
b. Try MacOS as well as Windows

 

The Winning Answer:

Chris Eng / Ogmini Blog

 https://ogmini.github.io/2025/04/14/David-Cowen-Sunday-Funday-Browser-Password-Extraction.html

https://ogmini.github.io/2025/04/15/LaZagne-Artifacts.html

https://ogmini.github.io/2025/04/16/WebBrowserPassView-Artifacts.html

https://ogmini.github.io/2025/04/18/HackBrowserData-Artifacts.html


Daily Blog #812: Testing AWS Log latency - Removing Users from Groups

 


 

Hello Reader,

Welcome back to another installment in the AWS CloudTrail speed test series. Today’s focus shifts to the opposite of yesterday’s action: RemoveUserFromGroup. This event is triggered when you revoke permissions by removing an IAM user from a group.

Fifth Test: AWS RemoveUserFromGroup Event

For this test, I removed a user from an existing IAM group, which typically results in an immediate change to their permission set. As with all IAM actions, the key question remained: how long will it take for CloudTrail to log it? And in which region?

Since IAM is a global service, the event should appear in the us-east-1 region, just like all prior IAM tests we've run. To confirm, I initiated the action and started the stopwatch.

Results

Sure enough, the RemoveUserFromGroup event appeared in us-east-1 after just 1 minute and 45 seconds.

Once again, CloudTrail continues to deliver IAM-related logs well within SLA expectations:

  • Faster than AWS’s 15-minute SLA
  • Close to their 5-minute goal for critical events

Coming Up

In tomorrow’s post, I’ll be testing something a little more involved: creating and attaching an inline policy to a user. Can CloudTrail keep up? We’ll find out—stay tuned!

Daily Blog #811: Testing AWS Log latency - Modifying User Permissions

 



Hello Reader,

Continuing our series on AWS CloudTrail speed tests, today’s test focuses on a new IAM-related action: AddUserToGroup. This event is generated when you modify a user’s permissions by assigning them to an IAM group which would grant additional permissions.

Fourth Test: AWS AddUserToGroup Event

Today’s scenario involved changing account permissions by adding an IAM user to a group. This is a common way to grant new permissions via group policies. Once the user was added to the group, the AddUserToGroup event was expected to show up in CloudTrail.

Just like previous IAM tests, this raised the question: which region would the event appear in? Since IAM is a global service, AWS documents that such activity will be logged in the us-east-1 region, regardless of where the API call originates.

Results

After initiating the action and starting the stopwatch, the AddUserToGroup event appeared in us-east-1 exactly 2 minutes later.

This result is consistent with our prior IAM tests, and once again demonstrates that CloudTrail logs IAM events well within the official AWS SLA:

  • Faster than the 15-minute SLA
  • Faster than the 5-minute “goal” for critical events but slower than the other events we've looked at

Coming Up

In tomorrow’s post, I’ll continue testing IAM activity—next up: removing a user from a group. Stay tuned to see if the performance holds!

Daily Blog #810: Testing AWS Log latency - CreateUser

 


Hello Reader,

Continuing from yesterday’s post, it's time for another AWS CloudTrail speed test. Today, I’m examining the CreateUser event, which is triggered when a new IAM user is created in an AWS account.

Third Test: AWS CreateUser Event

Going into this test, I knew that IAM events which are global are logged in us-east-1. It’s often the default region for global events and appears first in AWS region lists. To be thorough, I also checked us-east-2 just in case.

Results

After creating the user and starting a timer, the CreateUser event appeared in us-east-1 after approximately 2 minutes. That’s slightly longer than the ConsoleLogin and CreateAccessKey tests, but still well within AWS’s official timelines.

The delivery was:

  • Faster than the 15-minute SLA
  • Faster than the 5-minute goal

Coming Up

In tomorrow’s blog post, I’ll continue this series by testing the log delay for changing account permissions. Stay tuned for more CloudTrail timing insights!
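
The stopwatch procedure used in the CreateUser, AddUserToGroup and RemoveUserFromGroup tests above can be scripted. The following is an added example, not code from the original posts: it assumes the boto3 CloudTrail `lookup_events` call against us-east-1, and the helper names `boto3_lookup` and `wait_for_event` are made up for illustration.

```python
import time
from datetime import datetime, timedelta, timezone

SLA = timedelta(minutes=15)   # figures quoted in the posts above
GOAL = timedelta(minutes=5)

def boto3_lookup(region="us-east-1"):
    """Return lookup(event_name, start) backed by CloudTrail LookupEvents.

    IAM is a global service, so its events are looked up in us-east-1.
    """
    import boto3  # imported lazily so the rest runs without AWS access
    client = boto3.client("cloudtrail", region_name=region)

    def lookup(event_name, start):
        resp = client.lookup_events(
            LookupAttributes=[{"AttributeKey": "EventName",
                               "AttributeValue": event_name}],
            StartTime=start)
        return resp["Events"]
    return lookup

def wait_for_event(lookup, event_name, started, poll=15, timeout=900,
                   now=lambda: datetime.now(timezone.utc), sleep=time.sleep):
    """Poll until an event recorded at or after `started` becomes visible.

    Latency is (time first seen) - (EventTime), so it is only as precise
    as the poll interval. Returns None if nothing shows up before timeout.
    """
    deadline = started + timedelta(seconds=timeout)
    while now() <= deadline:
        hits = [e for e in lookup(event_name, started)
                if e["EventTime"] >= started]
        if hits:
            first = min(hits, key=lambda e: e["EventTime"])
            latency = now() - first["EventTime"]
            return {"event": event_name, "latency": latency,
                    "within_goal": latency <= GOAL,
                    "within_sla": latency <= SLA}
        sleep(poll)
    return None

if __name__ == "__main__":
    # Perform the IAM action, then run this immediately afterwards.
    t0 = datetime.now(timezone.utc)
    print(wait_for_event(boto3_lookup(), "RemoveUserFromGroup", t0))
```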