
Daily Blog #685: Sunday Funday 4/26/20 - Windows Timeline Challenge


Windows Timeline Challenge by David Cowen

Hello Reader,
I hope you're enjoying the return of these weekly challenges. I've enjoyed seeing more people understand that there is so much we don't know and how, together, we can push things forward. This week we will continue that effort with a change in focus: let's talk about Windows Timeline before moving on to MacOS next week.

The Prize:

$100 Amazon Giftcard

The Rules:


  1. You must post your answer before Friday 5/1/20 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Windows Timeline is an amazing source of user data, however like all things it has limitations. Answer the following questions:
1. How long after an action is taken is it committed to the Windows Timeline database?
2. What process and/or service creates the events?
3. What call do developers need to make to support it?
4. What is excluded?
5. When do events get removed?

Daily Blog #678: Sunday Funday 4/19/20 - Zoom from a DFIR Perspective Challenge

Zoom from a DFIR Perspective Challenge

Hello Reader,
We had some strong contenders for last week's contest, and I think most of you understood the expedited need to understand more about these virtual conferencing technologies in this work-from-home world we are in. Let's then continue our journey by looking into an application that has been much in the news of late, Zoom. It's time to put your skills to use by letting the community know what they can recover from the Zoom video conference app.

Please note that, as with last week's challenge, I'm not specifying an operating system. You are allowed to test/research/document any Zoom client you have access to. If you do more than one, that could be what gets your submission over the line to a win.

The Prize:

$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 4/24/20 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
When looking at Zoom from a DFIR perspective:
1. Where are the artifacts?
2. What format are they in?
3. Can you recover chat history?
4. Can you recover call history?
5. Anything else you can determine?


Daily Blog #671: Sunday Funday 4/12/20 - Microsoft Teams from a DFIR Perspective Challenge


Hello Reader,
We had quite the strong showing last week from Maxim Suhanov. Who else is ready to stand up to the challenge? This week and next week we are focusing on what I think is unexplored territory that is rapidly expanding during the crisis: remote work and conferencing tools. I'm sure all of us will be investigating things that originated from interactions in these tools. Let's start with something I couldn't Google and find quickly, Microsoft Teams.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 4/17/20 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
When looking at Microsoft Teams from a DFIR perspective:
1. Where are the artifacts?
2. What format are they in?
3. Can you recover chat history?
4. Can you recover call history?
5. Can you recover file transfer?
6. Can you recover meeting history?
7. Anything else you can determine?


Daily Blog #664: Sunday Funday 4/5/20 - BAM Challenge by David Cowen

BAM Challenge by David Cowen - Hacking Exposed Blog




Hello Reader,
I hope you're ready, Sunday Fundays are back and we are going to challenge you. I'm continuing the trend from last year of making the challenges a week long, and with everyone home now I hope you can find a good use for some time here. So let's see what you can do and how we can help the community with your research in this week's Windows execution artifact challenge.

The Prize:

$100 Amazon Giftcard


The Rules:

  1. You must post your answer before Friday 4/10/20 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
We've all heard of the BAM key by now, located in SYSTEM\services\bam, but what are its limitations? Answer the following questions:
1. What types of programs are not logged in BAM?
2. Are there any paths excluded from BAM?
3. What can cause a program to no longer be listed in the BAM key?
4. When does the BAM get updated?
5. What can update the BAM timestamp?

Daily Blog #659: Sunday Funday 4/7/19 - Dropbox Audit Logs Challenge

Dropbox Audit Logs Challenge by David Cowen



Hello Reader,
Sounds like Google Compute DFIR knowledge must be sparse based on the responses I've gotten... namely none! So let's change platforms to see how well you know PaaS, Platform as a Service, specifically Dropbox.

The Prize:

$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 4/12/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
For Dropbox audit logs, what data can you determine about someone who was logged in?
What allows you to uniquely identify a file?


Daily Blog #658: MUS 2019 DFIR CTF Perfect Score Achieved

MUS 2019 DFIR CTF Perfect Score Achieved

Hello Reader,
           Just a note that we already have a perfect score winner!

Congratulations to Plop, aka Bastien Lardy, whom I will be contacting about their prize!

The CTF will remain up for quite some time to allow all of you a chance to learn and get ready for the big DFIR CTF of the year, the Defcon Unofficial DFIR CTF!


Daily Blog #654: Sunday Funday 3/31/19 - Google Cloud Challenge

Google Cloud Challenge - Hacking Exposed by David Cowen


Hello Reader,
No April Fools this week: I didn't post an answer for last week's challenge because... I didn't receive any qualifying answers. So let's try this again, shall we? A second week to show the world your expertise with the Google Cloud.


The Prize:

$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 4/5/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Name and describe all of the available forensic data sources provided by Google Cloud Platform

Daily Blog #651: Sunday Funday 3/24/19 - FRS Google Cloud Platform Challenge

FRS Google Cloud Platform Challenge



Hello Reader,
Let's finish this trifecta of the major three cloud compute vendors. I think that getting more of this knowledge out there will help the many random internet searches from people just trying to understand what's possible when someone else made the decision to move their assets to the cloud. We have a streak of new winners, and you, yes you, reading this now: I want you to be my next winner, so take the time to do some research. I look forward to hearing from you!



The Prize:

$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 3/29/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Name and describe all of the available forensic data sources provided by Google Cloud Platform
