Showing posts with label solution saturday.

Daily Blog #813: Solution Saturday 4/19/25

Hello Reader, 

Another week has come and gone but Chris Eng's streak continues unbroken! It's up to all of you to decide if you are ready to step up to the challenge tomorrow for this week's challenge!

The Challenge:

It's becoming more common that the first thing an attacker will try to do if they get access to a user's system is extract all of the saved browser passwords. Profile a popular browser password extractor (such as WebBrowserPassView or HackBrowserData) and detail what artifacts are left behind that would reveal its usage on a Windows 11 system. Extra points if you:
a. Try multiple browser password viewing tools
b. Try macOS as well as Windows

The Winning Answer:

Chris Eng / Ogmini Blog

https://ogmini.github.io/2025/04/14/David-Cowen-Sunday-Funday-Browser-Password-Extraction.html

https://ogmini.github.io/2025/04/15/LaZagne-Artifacts.html

https://ogmini.github.io/2025/04/16/WebBrowserPassView-Artifacts.html

https://ogmini.github.io/2025/04/18/HackBrowserData-Artifacts.html

Daily Blog #806: Solution Saturday 4/12/25

Hello Reader, 

This week Chris Eng comes back again with some research in his own Daily Blogs about WSL. While I think we can all appreciate Chris's winning streak, I'm looking for all of you to come out in force this coming week to challenge him for a win!

The Challenge:

What artifacts are left behind when running a Docker container using Ubuntu WSL (which I believe is the default standard)? Bonus points for artifacts that reflect interactions between the container and the host.

The Winning Answer:

Chris Eng / OG Mini Blog

https://ogmini.github.io/2025/04/08/David-Cowen-Sunday-Funday-WSL-Docker.html

https://ogmini.github.io/2025/04/10/WSL-Docker-Part-2.html

https://ogmini.github.io/2025/04/11/WSL-Docker-Part-3.html

Daily Blog #799: Solution Saturday 4/5/25


Hello Reader, 

This week no one managed to submit a full answer, as I did ask for all three major clouds. The closest was Chris Eng, who did a full review of Azure and found times that were much faster than the last time I checked! It does look like I need to go back and do my own tests and write them up here.


The Challenge:

For the main cloud providers (AWS, Azure, Google Cloud) determine how long it takes from you performing the action to the log being available for the following actions:

1. Logging in successfully

2. Failing to log in

3. Changing a user's permissions

4. Deleting a user

5. Creating a user

The Winning Answer:

Chris Eng / OG Mini Blog

https://ogmini.github.io/2025/04/02/David-Cowen-Sunday-Funday-Cloud-Log-Delays.html


Daily Blog #792: Solution Saturday 3/29/25

Hello Reader,

This week we challenged you to find out what SSH artifacts are left behind on Windows systems that now have native SSH servers and clients. It shouldn't be a surprise that the person who suggested the Windows angle was also the person who won! Congrats to Chris Eng!

The Challenge:

Test what artifacts are left behind from SSHing into a Windows 11 or 10 system using the native SSH server. Bonus points for tunnels.

The Winning Answer:

Chris Eng at the OG mini blog:

https://ogmini.github.io/2025/03/25/David-Cowen-Sunday-Funday-SSH-Windows.html

https://ogmini.github.io/2025/03/26/Windows-SSH-Testing-Part-1.html

https://ogmini.github.io/2025/03/27/Windows-SSH-Testing-Part-2.html

https://ogmini.github.io/2025/03/28/Windows-SSH-Testing-Part-3.html

Daily Blog #785: Solution Saturday 3/22/25

Hello Reader,

This week's SSH challenge had several contenders. It's always interesting to see what does and does not get your attention and time! I think this should help many people looking for where to look and also opens the door for some more advanced scenarios that we can explore!

The Challenge:

What are all of the artifacts left behind on a Linux system (both server and client) when someone authenticates via SSH and creates an SSH tunnel?

The Winning Answer:

Chris Eng with the OG Mini blog:

https://ogmini.github.io/2025/03/21/David-Cowen-Sunday-Funday-SSH.html

Daily Blog #778: Solution Saturday 3/15/25

Hello Reader,

I guess 'Vibe Coding' isn't a thing for all of you! No winners this week. I'll get tomorrow's challenge back to the blog's regular focus and look forward to seeing your contributions.

The Challenge:

Pick an unsupported DFIR project of your choice and bring it back to life! Add new features and make it work on modern systems. While you are not required to 'vibe code' (AI coding) in this instance, it's fully encouraged! Send me links to writeups or GitHub repos when you're done!

The Winning Answer:

None

Daily Blog #771: Solution Saturday 3/8/25

Hello Reader,

This week Phill Moore has brought us the winning answer, but as his conversation on X showed, it was an answer that could have had additional findings if all of the new logging sources had been turned on. Let's celebrate Phill's win and know that blogs will be coming to explore his results and what log sources can be turned on to give even more information.


The Challenge:

What log entries are left behind when the following scenarios occur:

1. A user searches their own mailbox

2. A user searches their own OneDrive

3. An administrator searches their own mailbox

4. An administrator searches their own OneDrive

5. An administrator searches someone else's mailbox

6. An administrator searches someone else's OneDrive

The Winning Answer:

Daily Blog #764: Solution Saturday 3/1/25

Hello Reader,

No winner this week; I think sometimes I'm the only person who is digging into these weird topics. That's OK though, I'll just do the testing myself and document it in future posts!


The Challenge:

On a Windows 11 or Windows 10 system:

1. Make sure Windows Search is enabled

2. Create files with unique phrases such as "This is the smoking gun"

3. Make sure the files are indexed and present in the Windows Search database

4. Delete the document and determine what the trigger method is and the timing for the contents to be deleted from the search database

Bonus: Determine if the deleted records are recoverable

Daily Blog #757: Solution Saturday 2/22/25

Hello Reader,

This week the real question is, can anyone stop Ilya Kobzar's winning streak? Here he is again, back with another winning answer and some very thorough research all about what happens when credentials are taken via IMDS on AWS.


The Challenge:

AWS IAM Roles are often targeted by threat actors after they get access to a running virtual machine. While AWS IMDS v2 may prevent some attacks, the functionality is still there and is being actively exploited to get credentials and act as a service or role. In this challenge I want you to try the following and document what logs are left that could be used to detect or determine these actions occurred.

1. Retrieve a temporary AWS access key credential from IMDS v1

2. Retrieve a temporary AWS access key credential from IMDS v2

3. Use the temporary access key within an AWS VM

4. Use the temporary access key from outside of AWS

From all four scenarios determine what logs are created.

Bonus: Try and document other scenarios of theft and use and additional sources of evidence.

The Winning Answer:

https://www.ilyakobzar.com/p/ec2-iam-role-sts-credentials-compromise

Daily Blog #750: Solution Saturday 2/15/25

Hello Reader,

It's always a surprise to me what gets lots of entries and what just gets a few dedicated researchers. This week we have another winning answer from Ilya Kobzar. Ilya took the time to research Windows 11 shell bags and we can test this in an upcoming test kitchen!

The Challenge:

Test what causes a shell bag to be created or updated based on the following actions:

1. A directory created in the command line

2. A file being copy and pasted

3. A folder being copy and pasted

4. A file being cut and pasted

5. A folder being cut and pasted

6. A directory being opened from file explorer

7. A directory being opened from the desktop

8. A directory being clicked on from file explorer

9. A directory being clicked on from the desktop

The Winning Answer:

Ilya's Answer

Daily Blog #736: Solution Saturday 2/1/25

Hello Reader,

Another week, another new winner! Ilya Kobzar isn't new to me as we used to work together at KPMG, but he is new to the Sunday Funday winners list! Ilya isn't blogging daily but he has been blogging more recently with multiple entries for Sunday Fundays and his own research. I've always enjoyed working with and learning from Ilya and I'm glad you all get a chance to as well!

The Challenge:

Test, document or, if you are up for it, develop/extend a solution for LevelDB databases that can:
1. Parse its contents and display them
2. Allow you to query it
3. Optionally identify or recover deleted messages

The Winning Answer:

Ilya Kobzar

https://www.ilyakobzar.com/p/leveldb-wal-log-extracting-chatgpt

Daily Blog #729: Solution Saturday 1/25/25

Hello Reader,

This week I get to welcome another new name to the list of Sunday Funday Winners! If you were thinking about 2025 goals for yourself or to put into your year end career goals, why not become a Sunday Funday Winner yourself? This week we congratulate Garrett Jones, who did some great research and wrote it up quite nicely. Welcome to the SF Winners Club Garrett!


The Challenge:

Determine how to extract chat history out of the ChatGPT desktop app and what other data you can extract that would be useful in an investigation (user name, login times, etc.).

The Winning Answer:

You can read Garrett's entry here:

Garrett's GitHub Blog

Daily Blog #722: Solution Saturday 1/18/25


Hello Reader,

I love it when we get new people in the field participating in Sunday Fundays. Not only do we get new people interested in research, validation and testing (which we so badly need), but we get to bring new voices into the conversation. This week I'm happy to announce Chris Eng as our winner with his very first submission!

The Challenge:

With so many of us relying on SRUM for so many different uses, it's time to do some validation on the counters so many people cite. For this challenge you will test and validate the following SRUM-collected metrics and document if they accurately capture the data or if there is a skew present.

Use cases to test and validate on Windows 11 or Windows 10 (but you must document which):
1. Copying data between two drives using copy and paste (look for disk read and write activity)
2. Uploading data to an online service of your choice (look for process network traffic)
3. Wiping files (look for disk read and write activity)

The Winning Answer:

You can read Chris’s entry here:

https://ogmini.github.io/2025/01/13/David-Cowen-Sunday-Funday-SRUM.