
Showing posts with label solution saturday. Show all posts

Daily Blog #813: Solution Saturday 4/19/25

 


Hello Reader, 

Another week has come and gone, but Chris Eng's streak continues unbroken! It's up to all of you to decide if you are ready to step up to tomorrow's challenge for this week.

 

The Challenge:

It's becoming more common that the first thing an attacker will try to do if they get access to a user's system is extract all of the saved browser passwords. Profile a popular browser password extractor (such as WebBrowserPassView or HackBrowserData) and detail what artifacts are left behind that would reveal its usage on a Windows 11 system. Extra points if you:
a. Try multiple browser password viewing tools
b. Try macOS as well as Windows
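Profiling a tool like this usually comes down to differential analysis: snapshot the places a Windows program leaves traces, run the tool, snapshot again and diff. The script below is an added example of that method (it is not from this post or from the winning writeups). It hashes every file under the roots you give it, waits for you to run the extractor, and reports what was created, modified or deleted. The demo() function builds a constructed directory tree that stands in for a Windows system, and the Prefetch and Chrome profile file names in it are placeholders, not measured results. Note the caveat a practitioner would want: a file-hash diff only sees writes, so a tool that merely reads a browser's Login Data file shows up in Prefetch, the USN journal or a Procmon capture, not as a change to the database itself.

```python
"""Differential artifact capture: snapshot, run the tool, snapshot again, diff."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class FileState:
    size: int
    mtime_ns: int
    sha256: str


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root (relative POSIX path) to its size, mtime and hash."""
    base = Path(root)
    states = {}
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            path = Path(dirpath) / name
            try:
                if not path.is_file():
                    continue
                st = path.stat()
                states[path.relative_to(base).as_posix()] = FileState(
                    st.st_size, st.st_mtime_ns, _sha256(path))
            except OSError:
                # Locked or vanished files (normal on a live Windows box) are skipped.
                continue
    return states


def diff_snapshots(before: dict, after: dict) -> dict:
    """Return the relative paths created, modified or deleted between two snapshots."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "modified": sorted(p for p in common if before[p] != after[p]),
        "deleted": sorted(set(before) - set(after)),
    }


def demo() -> dict:
    """Offline run on a constructed tree that stands in for a Windows system.

    The 'tool run' is simulated: a Prefetch-style file appears and a browser
    profile file is rewritten. The file names are placeholders, not real output.
    """
    with tempfile.TemporaryDirectory() as root:
        prefetch = Path(root, "Windows", "Prefetch")
        profile = Path(root, "Users", "alice", "AppData", "Local", "Google",
                       "Chrome", "User Data", "Default")
        prefetch.mkdir(parents=True)
        profile.mkdir(parents=True)
        (profile / "Login Data").write_bytes(b"sqlite placeholder")
        (prefetch / "EXPLORER.EXE-AB12CD34.pf").write_bytes(b"pre-existing")

        before = snapshot(root)
        # --- simulated tool execution (constructed, not a measured artifact) ---
        (prefetch / "TOOL.EXE-12345678.pf").write_bytes(b"new prefetch entry")
        (profile / "Login Data").write_bytes(b"sqlite placeholder, rewritten")
        # ---------------------------------------------------------------------
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) < 2:
        print(json.dumps(demo(), indent=2))
    else:
        # Real use: python artifact_diff.py C:\Windows\Prefetch C:\Users\alice
        roots = sys.argv[1:]
        before = {r: snapshot(r) for r in roots}
        input("Run the password extractor now, then press Enter... ")
        for r in roots:
            print(r, json.dumps(diff_snapshots(before[r], snapshot(r)), indent=2))
```

Run it with no arguments to see the constructed demo; with one or more directory arguments it snapshots those roots, waits, and prints the diff. Pair the output with a Procmon capture for the read-only artifacts the diff cannot see.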

 

The Winning Answer:

Chris Eng / Ogmini Blog

 https://ogmini.github.io/2025/04/14/David-Cowen-Sunday-Funday-Browser-Password-Extraction.html

https://ogmini.github.io/2025/04/15/LaZagne-Artifacts.html

https://ogmini.github.io/2025/04/16/WebBrowserPassView-Artifacts.html

https://ogmini.github.io/2025/04/18/HackBrowserData-Artifacts.html



Daily Blog #806: Solution Saturday 4/12/25

 


Hello Reader, 

This week Chris Eng comes back again with some research in his own daily blogs about WSL. While I think we can all appreciate Chris's winning streak, I'm looking for all of you to come out in force this coming week to challenge him for a win!

 

The Challenge:

What artifacts are left behind when running a Docker container using Ubuntu WSL (which I believe is the default distribution)? Bonus points for artifacts that reflect interactions between the container and the host.

 

The winning answer:

Chris Eng / OG Mini Blog

https://ogmini.github.io/2025/04/08/David-Cowen-Sunday-Funday-WSL-Docker.html

https://ogmini.github.io/2025/04/10/WSL-Docker-Part-2.html

https://ogmini.github.io/2025/04/11/WSL-Docker-Part-3.html

Daily Blog #799: Solution Saturday 4/5/25


Hello Reader, 

This week no one managed to submit a full answer, as I did ask for all three major clouds. The closest was Chris Eng, who did a full review of Azure and found times that were much faster than the last time I checked! It does look like I need to go back and do my own tests and write them up here.


The Challenge:

For the main cloud providers (AWS, Azure, Google Cloud) determine how long it takes from the time you perform the action to the time the log entry is available for the following actions:

1. Logging in successfully

2. Failing to login

3. Changing a user's permissions

4. Deleting a user

5. Creating a user 
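The measurement itself is the same for all five actions and all three providers: record your own UTC time, perform an action that carries a unique marker (a throwaway user name works for create, delete and permission changes), then poll the provider's audit log until that marker shows up. The harness below is an added example written for this post, not code from the post or from the winning writeup. It separates the two numbers people tend to mix up: the ingestion delay (when the entry became queryable, which is what the challenge asks) and the offset between the provider's own event timestamp and your clock. The FakeClock and FakeAuditLog classes are a constructed stand-in so the harness runs offline; against a real provider you would pass, for example, a query callback that wraps boto3's cloudtrail lookup_events and an action callback that calls iam create_user.

```python
"""Measure how long after an action its audit-log entry becomes queryable."""
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Optional


@dataclass
class LogEvent:
    event_name: str
    event_time: datetime   # the provider's own timestamp for the action
    marker: str            # the unique value embedded in the action (e.g. a user name)


@dataclass
class LatencyResult:
    marker: str
    action_time: datetime
    first_seen: datetime
    ingestion_delay: timedelta   # first_seen - action_time: what the challenge asks for
    timestamp_offset: timedelta  # event_time - action_time: provider clock vs. ours


def measure_latency(
    action: Callable[[], str],
    query: Callable[[str], Iterable[LogEvent]],
    timeout_s: float = 900.0,
    poll_s: float = 5.0,
    clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc),
    sleep: Callable[[float], None] = time.sleep,
) -> Optional[LatencyResult]:
    """Run action(), then poll query(marker) until the matching event appears or we give up.

    Resolution is bounded by poll_s: the true delay lies in (measured - poll_s, measured].
    Returns None if the entry never showed up within timeout_s.
    """
    action_time = clock()
    marker = action()
    deadline = action_time + timedelta(seconds=timeout_s)
    while True:
        now = clock()
        for ev in query(marker):
            if ev.marker == marker:
                return LatencyResult(marker, action_time, now,
                                     now - action_time, ev.event_time - action_time)
        if now >= deadline:
            return None
        sleep(poll_s)


# --- Constructed stand-in for a cloud audit log so the harness runs offline ---------
class FakeClock:
    """Virtual clock: sleep() advances time instead of waiting."""
    def __init__(self, start: datetime):
        self.current = start

    def now(self) -> datetime:
        return self.current

    def sleep(self, seconds: float) -> None:
        self.current += timedelta(seconds=seconds)


class FakeAuditLog:
    """Entries become queryable ingest_delay_s after the action, like a real provider."""
    def __init__(self, clock: FakeClock, ingest_delay_s: float):
        self.clock = clock
        self.delay = timedelta(seconds=ingest_delay_s)
        self.events = []   # (visible_at, LogEvent)

    def create_user(self, name: str) -> str:
        t = self.clock.now()
        self.events.append((t + self.delay, LogEvent("CreateUser", t, name)))
        return name

    def lookup(self, marker: str) -> list:
        return [ev for visible_at, ev in self.events
                if ev.marker == marker and self.clock.now() >= visible_at]


def demo(ingest_delay_s: float = 42.0, timeout_s: float = 900.0) -> Optional[LatencyResult]:
    """Simulated provider that surfaces a CreateUser entry 42 s after the call (constructed)."""
    clock = FakeClock(datetime(2025, 4, 1, 12, 0, tzinfo=timezone.utc))
    log = FakeAuditLog(clock, ingest_delay_s)
    return measure_latency(
        action=lambda: log.create_user("latency-probe-0001"),
        query=log.lookup, timeout_s=timeout_s, poll_s=5.0,
        clock=clock.now, sleep=clock.sleep)


if __name__ == "__main__":
    r = demo()
    print(f"{r.marker}: queryable after {r.ingestion_delay} "
          f"(provider timestamp offset {r.timestamp_offset})")
```

With a 5 second poll the simulated 42 second delay is reported as 45 seconds, which is the point of the docstring: choose poll_s according to the resolution you want, and repeat each action several times because a single sample says little about a queueing system. For the failed-login case there is no marker to create, so key the query on the source IP and the time window instead.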

The Winning Answer:

Chris Eng / OG Mini Blog

https://ogmini.github.io/2025/04/02/David-Cowen-Sunday-Funday-Cloud-Log-Delays.html




Daily Blog #792: Solution Saturday 3/29/25

Hello Reader,

This week we challenged you to find out what SSH artifacts are left behind on Windows systems that now have native SSH servers and clients. It shouldn't be a surprise that the person who suggested the Windows angle was also the person who won! Congrats to Chris Eng!

 

The Challenge:

 Test what artifacts are left behind from SSHing into a Windows 11 or 10 system using the native SSH server. Bonus points for tunnels.

 

The Winning Answer:

Chris Eng at the OG mini blog:

https://ogmini.github.io/2025/03/25/David-Cowen-Sunday-Funday-SSH-Windows.html

https://ogmini.github.io/2025/03/26/Windows-SSH-Testing-Part-1.html

https://ogmini.github.io/2025/03/27/Windows-SSH-Testing-Part-2.html

https://ogmini.github.io/2025/03/28/Windows-SSH-Testing-Part-3.html




Daily Blog #785: Solution Saturday 3/22/25

 

Hello Reader,

This week's SSH challenge had several contenders. It's always interesting to see what does and does not get your attention and time! I think this should help many people looking for where to look and also opens the door for some more advanced scenarios that we can explore!

 

The Challenge:

What are all of the artifacts left behind on a Linux system (both server and client) when someone authenticates via SSH and creates an SSH tunnel?
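On the server side the first artifact anyone reaches for is sshd's own logging in the auth log (or journald). The parser below is an added example for this post, not part of the post or of Chris's writeup: it pulls the Accepted, Failed and Disconnected lines sshd writes at its default log level, pairs logins with disconnects by (user, source IP, source port) to give session durations, and counts failures per source and user name. The sample lines are constructed to match the real message formats. Syslog timestamps carry no year, so the year is passed in (2025 assumed by default). It covers only the authentication side of the challenge; the tunnel side is left to the writeups.

```python
"""Extract SSH logins, failures and sessions from a Linux sshd auth log."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# sshd message formats as they appear in auth.log / journald output.
_TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
ACCEPTED = re.compile(_TS + r"Accepted (?P<method>\S+) for (?P<user>\S+) "
                      r"from (?P<ip>\S+) port (?P<port>\d+)")
FAILED = re.compile(_TS + r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
                    r"from (?P<ip>\S+) port (?P<port>\d+)")
DISCONNECTED = re.compile(_TS + r"Disconnected from user (?P<user>\S+) (?P<ip>\S+) "
                          r"port (?P<port>\d+)")

# Constructed sample log (not captured from a real host).
SAMPLE_LOG = """\
Mar 21 10:15:02 srv sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:7xQm0b1Z9
Mar 21 10:15:02 srv sshd[2211]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Mar 21 10:16:40 srv sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar 21 10:16:44 srv sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar 21 10:16:51 srv sshd[2290]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar 21 10:30:11 srv sshd[2211]: Disconnected from user alice 10.0.0.5 port 51234
Mar 21 10:30:11 srv sshd[2211]: pam_unix(sshd:session): session closed for user alice
"""


@dataclass
class Session:
    user: str
    ip: str
    port: int
    method: str
    start: datetime
    end: Optional[datetime] = None

    @property
    def duration_s(self) -> Optional[float]:
        return None if self.end is None else (self.end - self.start).total_seconds()


@dataclass
class Summary:
    sessions: list = field(default_factory=list)
    failures: Counter = field(default_factory=Counter)   # (ip, user) -> attempts


def _when(ts: str, year: int) -> datetime:
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_auth_log(lines, year: int = 2025) -> Summary:
    """Correlate Accepted/Disconnected pairs by (user, ip, port); count failed attempts."""
    summary = Summary()
    open_sessions = {}
    for line in lines:
        if m := ACCEPTED.search(line):
            key = (m["user"], m["ip"], int(m["port"]))
            session = Session(m["user"], m["ip"], int(m["port"]),
                              m["method"], _when(m["ts"], year))
            open_sessions[key] = session
            summary.sessions.append(session)
        elif m := DISCONNECTED.search(line):
            key = (m["user"], m["ip"], int(m["port"]))
            if key in open_sessions:
                open_sessions.pop(key).end = _when(m["ts"], year)
        elif m := FAILED.search(line):
            summary.failures[(m["ip"], m["user"])] += 1
    return summary


def demo() -> Summary:
    """Parse the constructed sample above."""
    return parse_auth_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    result = parse_auth_log(source)
    for s in result.sessions:
        print(f"{s.user}@{s.ip}:{s.port} via {s.method} {s.start} -> {s.end} ({s.duration_s}s)")
    for (ip, user), n in result.failures.items():
        print(f"{n} failed attempt(s) for {user!r} from {ip}")
```

Point it at /var/log/auth.log (or journalctl -u ssh output) to get the same summary from a real host; a session that never gets a Disconnected line stays open with end None, which is itself worth noticing on a forensic image.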

 

The Winning Answer:

 Chris Eng with the OG Mini blog:

https://ogmini.github.io/2025/03/21/David-Cowen-Sunday-Funday-SSH.html

 


Daily Blog #778: Solution Saturday 3/15/25

Hello Reader,

I guess 'Vibe Coding' isn't a thing for all of you! No winners this week. I'll get tomorrow's challenge back to the blog's regular focus and look forward to seeing your contributions.

 

The Challenge:

Pick an unsupported DFIR project of your choice and bring it back to life! Add new features and make it work on modern systems. While you are not required to 'vibe code' (AI coding) in this instance, it's fully encouraged! Send me links to writeups or GitHub repos when you're done!

 

The Winning Answer:

None





Daily Blog #771: Solution Saturday 3/8/25

Hello Reader,

This week Phill Moore has brought us the winning answer, but as his conversation on X showed, it was an answer that could have had additional findings if all of the new logging sources were turned on. Let's celebrate Phill's win and know that blogs will be coming to explore his results and what log sources can be turned on to give even more information.


The Challenge:
 
What log entries are left behind when the following scenarios occur:

1. A user searches their own mailbox

2. A user searches their own OneDrive

3. An administrator searches their own mailbox

4. An administrator searches their own OneDrive

5. An administrator searches someone else's mailbox

6. An administrator searches someone else's OneDrive
 
The winning answer:

