Monday, January 26, 2015

Forensic Lunch schedule for January and February 2015

Hello Reader,
       In what appears to be a good trend for the new year, we have 3 episodes of the Forensic Lunch lined up with guests through February! In our next broadcasts we will be announcing the opening of a community honeynet project for all of you to join, and announcing the details of our next forensic challenge! That's right, a new forensic challenge with another free SANS DFIR On Demand class up for grabs!

January 30, 2015:
Join Lenny Zeltser, Kyle Maxwell and the GC gang to talk all about malware, threat intel and reverse engineering.

Google+ Page to rsvp:
Youtube watch link:

February 13, 2015:
Join Anuj Soni, Jason Trost and the GC gang to talk all about attacker tools, the modern honey project and attacker techniques!

Google+ Page to rsvp:
Youtube watch link:

February 27, 2015:
Join Robin Keir and the GC gang, with another guest pending, as we talk about CrowdResponse and the new research into Superfetch.

Google+ Page to rsvp:
Youtube watch link:

Forensic Lunch 1/9/15

Hello Reader,
           It's been an interesting month! This is the first of two posts I'm putting up today, 1/26/15. This post serves to put up the Forensic Lunch broadcast from 1/9/15. In this episode we had an open chat with all of you, and Ken Pryor joined the video chat to discuss honeypots, which has led to quite a bit of work on our end and future broadcasts scheduled!

You can watch the 1/9/15 episode here:
or watch it below:

Tuesday, December 16, 2014

SANS Webcast and PFIC Slides/Labs

Hello Reader,
        If you attended my session at PFIC, hopefully you already took these labs with you; if not, I'll be linking them down below. For those of you who attended my SANS webcast today, I hope you found it useful! Now you can try it yourself.

If you didn't attend either I'll explain what's contained within. I presented on how to do USN Journal Analysis using the free version of our tool Triforce ANJP to:
  • Recover the names of wiped files
  • Prove what was uploaded and downloaded from Dropbox
  • Show what attachments were accessed from Outlook 2007 and greater
and more analysis tips. Hopefully you'll find it helpful!

Link to SANS webcast:

First here are the slides from today's webcast:!WgwhmKYb!JhwWvGLlug9T0yCU6dlR29S23fx0up2M_LL3Aml6q24

Link to download the sample evidence to do the labs from today's webcast:!3pwmDLzZ!IFUw9rBm2-0Kryu_ASBxKIcFnQSdCNQl7uRyG4DpHvQ

Download Triforce ANJP here:

Forensic Lunch 12/12/14 - Shellbags continued

Hello Reader,
     Eric Zimmerman returned this week to join us on the Forensic Lunch, talking about his research into Shellbags and his tool Shellbag Explorer. Also this week Lee Whitfield joined us to talk about the Sony breach, and Matthew and I previewed the tools coming out of our lab here at G-C Partners, LLC.

Give it a watch below:

Friday, November 28, 2014

Forensic Lunch 11/28/14 - Thanksgiving Hangover edition

Hello Reader,
We had a pretty great Forensic Lunch today. We only had one guest but we had enough to talk about to fill the hour and probably another hour in the future.

This week we had Eric Zimmerman, @ericrzimmerman, talking about Shellbags, his tool Shellbag explorer and our research into new things we can determine from them.

We discussed:
  • How shellbags are stored
  • How they are ordered
  • How to manually validate them
  • How to use Eric's tool to visualize them
  • How to determine what file system is being accessed
  • Recovering FTP accesses
  • and much more!

You can download Shellbag Explorer (It's Free!) here:

You can watch the lunch on Youtube here:

Or right below: 

Friday, October 3, 2014

Forensic Lunch 10/3/14

Hello Reader,

We had an amazing forensic lunch this week! I hope you spend the time listening to the entire show as I know I learned something from our guests this week.

This week we had:
Matt Bromiley, @505forensics, talking about NoSQL injection attacks and forensics to detect them. You can read more about it on his blog

Matt Harrigan, @mattharrigan, of PacketSled, @packetsled, talking about his network visualization tool that is soon to have a free version released. You can sign up for the beta and get this into your hands at

Also we have a little contest going, with a second contest to follow.

Contest: Leave a comment below to win a free ticket to PFIC and attend my 90 minute USN analysis class.

Watch the show below:

Tuesday, September 30, 2014

Looks like I need more copies of Registry Recon

Hello Reader,
            If you've read this blog you know that I am always looking for new tools, and new uses for existing tools, to solve all the cases put in front of me. One of the tools I've used for a while now is Arsenal's Registry Recon, to recover deleted registry data and temporary registry data, but recently I've been relying a lot on volume shadow copies to get old registries.

Now I know there is way more there, and way more ways to use the recovered registry data, than I knew before. So here is the scenario: the suspect has re-installed Windows on their computer before turning in the computer. Now I did what you would normally expect: I carved for LNKs, ran IEF, recovered USN data, but none of that provided me what I really needed to know. Did my suspect take any data with them prior to re-installing? To figure that out, beyond LNK files and jump lists, I usually rely on registry data to determine USB devices connected and shellbags for directory accesses.

I ran Registry Recon against this image knowing it had support to auto-magically go through all the recovered registry keys and produce a report of previously connected USB devices from recovered registries. I will tell you that it did an amazing job; even after the reinstall and slight use, I was able to recover over a year's worth of USB device connections. So now I knew my suspect had used USB devices... but what did they do with them?

Registry Recon does not allow you to generate a report of the recovered MRUs or shellbags across all the hives it has recovered (I've talked to them and this is coming in the next release), but I had a directory full of carved registry files. I have other tools I use when I want to go through registry data, and some of the recovered hives were quite large and looked like standard registry data, so maybe, I thought, I could just use my normal tools across the recovered hives.

I used the -pipe feature of the TZWorks tools cafae and sbags and passed in the entire set of carved registries, and what came back amazed me. Lo and behold, the recovered registry hives contained a subset that included almost full NTUSER hives, system hives and software hives! Using sbags I was able to iterate through all of them and pull out a ton of shellbag data. Using cafae I was able to pull out a ton of MRU and other data! I'm documenting this now so I won't forget later, but I do plan to do a step-by-step walkthrough of what I did here.
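Before piping a whole carve directory into a hive parser, it helps to know which carved files are actually hive headers and which hive each one is. The script below is an added example (not the author's, Arsenal's or TZWorks' code) that triages carved files by reading only the 512-byte regf base block: the embedded path at offset 0x30 says whether it is an NTUSER.DAT, SYSTEM or SOFTWARE hive, the last-written FILETIME dates it, and the header checksum flags fragments not worth parsing. The carve directory path and the sample headers it builds are assumptions for illustration.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 512  # the regf base block; enough to triage a carved file

def regf_checksum(header: bytes) -> int:
    """XOR of the 127 DWORDs before the checksum field at offset 0x1FC."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:0x1FC]):
        x ^= dword
    return 1 if x == 0 else 0xFFFFFFFE if x == 0xFFFFFFFF else x

def filetime_to_datetime(ft: int) -> datetime:
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def classify_hive(data: bytes) -> dict:
    """Read a regf base block; returns {} when the data is not a hive header."""
    if len(data) < HEADER_LEN or data[:4] != b"regf":
        return {}
    seq1, seq2, ft = struct.unpack_from("<IIQ", data, 4)
    # Offset 0x30 holds the last 32 UTF-16LE chars of the hive's on-disk path
    path = data[0x30:0x70].decode("utf-16-le", "replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, 0x1FC)[0]
    return {
        "hive": path.rsplit("\\", 1)[-1].upper() or "UNKNOWN",
        "last_written": filetime_to_datetime(ft),
        "checksum_ok": stored == regf_checksum(data[:HEADER_LEN]),
        "dirty": seq1 != seq2,  # sequence mismatch: log data not fully applied
    }

def scan_carved_dir(path: str) -> list:
    """Triage every file in a carve output directory, skipping non-hives."""
    found = []
    for fn in sorted(os.listdir(path)):
        with open(os.path.join(path, fn), "rb") as f:
            info = classify_hive(f.read(HEADER_LEN))
        if info:
            found.append({"file": fn, **info})
    return found

def make_sample_hive(embedded_path: str, ft: int, seq=(1, 1)) -> bytes:
    """Constructed test header (not a real hive): builds a valid regf base block."""
    hdr = bytearray(HEADER_LEN)
    hdr[:4] = b"regf"
    struct.pack_into("<IIQII", hdr, 4, seq[0], seq[1], ft, 1, 5)  # seqs, FILETIME, v1.5
    hdr[0x30:0x70] = embedded_path.encode("utf-16-le")[-64:].ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 0x1FC, regf_checksum(bytes(hdr)))
    return bytes(hdr)
```

Running scan_carved_dir over the carve output gives a list you can filter by hive name before feeding the NTUSER hives to sbags and the rest to cafae, and the dirty flag tells you which hives still had unapplied transaction log data when they were written.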

In short, I managed to recover almost all the registry activity I needed from a re-installed system to prove some findings, thanks to Registry Recon. If you have Registry Recon, and I really do recommend that you do, you can use any third-party tool to access the registry data it recovers. In the near future they are updating it again to include even more reports, but let's face it, just having the data is worth getting a copy today. It's also important to remember that this doesn't just work for re-installed systems. All systems have recoverable temporary registries that may expose data in MRU keys that have rolled over, and in many other keys.

TL;DR: I'm going to get more copies of Registry Recon and it's getting moved up on my tool priority list.