Channel: ZENA FORENSICS
Browsing all 53 articles

First one

I must admit I had to think many seconds about "opening" a blog... In the past (oh my! almost ten years ago?!) I used Usenet, a really great distributed resource... now pugol has my email, my...

Windows Security Descriptor Binary (a Perl parser)

Some days ago I was messing up with RegRipper plugins, and in particular I was using the "shares.pl" plugin on one of my cases. This plugin parses the content of the registry key...

Exif Summarizer

Exif metadata are wonderful. Just think about all the fields listed in the Exif standard: a great bunch of information is available for each image. When the picture was taken? And where? And what...

WhatsApp Xtract

I don’t want to bore you explaining what WhatsApp is. If you have this serious gap, you can fill it here. Forensically speaking, WhatsApp was a very cool app until last June. After that, someone...

Recipe: EVTX, LogParser, Perl

A long time ago... It has been a long time since last post, I must sadly admit that. I could argue with many good reasons for this silence, but it's better to avoid useless-reasonable thoughts. I'll...

A tale on RegRipper Plugins unnoticed

Last weeks... it came out that some RegRipper Plugins have errors and/or do not parse correctly (or at all) the desired keys. This fact should not be unexpected since there exist many plugins (from far...

WhatsApp Forensics

Those who follow this blog may have noticed, a few months ago, a post that introduced WhatsApp Xtract: this script was able to display in an HTML document all the WhatsApp messages extracted from an...

Exploring Internet Explorer with RegRipper

In the last case... I was feeling that some Internet Explorer artifacts were missing, so I decided to take a look at RegRipper plugins that parse the user registry NTUSER.DAT to see if they could help...

wtmp timeline efforts

In DFIR activities timelines are often decisive to understand what happened (lots of refs here). Luckily Kristinn Gudjonsson provided the community with the great log2timeline tool (here, from now...

3minutesOf: a bit of X-Ways and RAID

Some days ago I was working on four images coming from a QNAP storage: so, four disks whose partitions were used to build up RAID volumes. "No problem" I said to myself, knowing that QNAP are *nix...

et voilà le mimikatz offline

In one of my recent cases, I needed to recover the Windows user password: I had different OSes with various levels of cryptography, mainly at file level. Usually I think it's a good approach to...

mimikatz offline addendum

I must admit I did not expect so many acknowledgments for writing the Volatility mimikatz plugin. I want to say thanks to all the people that tweeted, emailed (and so on) me: it is just a piece of the...

Digital Forensics Tools Bookmarks

We want to share with you a list of bookmarks related to hardware and software tools for Digital Forensics acquisition and analysis. The bookmark file is in Mozilla Firefox, so it can be directly...

Happy DPAPI!

Last October, I participated as a speaker at the SANS DFIR Summit in Prague. It was a great meeting and I am very happy to have been able to participate. My speech was focused on DPAPI, the Windows Data...

UnDesXing

In my own vocabulary, undesxing is the action of decrypting something encrypted with the Microsoft version of the DESX algorithm: a bit obfuscated title but I liked to make a scenographic use of it....

iOS 8.3: the end of iOS Forensics?

The latest iOS update (iOS 8.3) is a real nightmare for digital forensics specialists. This article will try to clarify what you can really obtain from an iOS device running iOS 8.3. As we already know...

A first look at Windows 10 prefetch files

Windows 10 prefetch files (*.pf) have a different file format compared to previous ones. At first glance you'll spot no textual strings inside, and this was the initial reason that made me try to...

Windows Phone PIN cracking

Windows Phone 8 and greater allow the user to lock/unlock the phone by using a numeric PIN code: it's even possible to use a complex alphanumeric password. This post addresses how to obtain the...

Rekalling Mimikatz

I'm not really sure that everybody knows that the Rekall memory forensics framework contains a Mimikatz plugin: with this post I want to address this shortcoming, since the plugin has many good features...

Windows ReVaulting

Windows Vaults and Credentials allow the user to store sensitive information such as user names and passwords, which can later be used to log on to web sites, services and computers. In this post it will...
