Open Source Tools Solving Magnet Forensics CTF with Plaso, Timesketch, and Colab The folks at Magnet Forensics had a digital forensics-themed Capture the Flag competition and I wanted to take a crack at it using the open source tools we use/build here at Google: Plaso, Timesketch, and Colab/Python.
Web Browsers A First Look at Chromium-Based Edge A quick (forensic) look at the new Chromium-based Edge web browser. TL;DR: it looks a lot like Chrome.
Open Source Tools Hindsight v2.3 Finds and Parses Multiple Chrome Profiles Hindsight v2.3.0 adds input path searching, support for newer versions of Chrome, and minor fixes. The short version is:Supports Chrome versions 1 - 73The --input (-i) parameter now searches for
Web Browsers Chrome Values Lookup Tables I've fielded a few questions recently about what some value buried in a Chrome artifact means. I find myself going to the Hindsight source on GitHub and drilling down into the code because
Chrome Capturing Chrome's Evolution When I was pretty fresh in the field of digital forensics, I picked this new thing called Google Chrome to dig into. There weren't a lot of tools out there that could parse
Tools Chrome Evolution Chrome has evolved in many aspects since its release: the browser's appearance, capabilities, and how it stores data have all changed greatly since 2008. This page lets you explore how the files and
Digital Forensics New Year, New dfir.blog 2019 is here and the new year brings something with it I've wanted to do for a while: re-launch my blog! It has a new look and a new home at dfir.blog.
Presentations & Interviews Video of "Efficiently Summarizing Web Browsing Activity" at SANS DFIR Summit 2018 I spoke at the SANS DFIR Summit 2018 on "Efficiently Summarizing Web Browsing Activity" in Austin, TX. My abstract was: Reviewing web browsing activity is relevant in a wide variety of DFIR cases.
Presentations & Interviews Ryan Benson Interviewed by BBC Click about Web Browsers I was interviewed by BBC Click for their "What is GDPR?" episode. I'm not really sure what the personal information web browsers are storing on your computer has to do with the GDPR,
Open Source Tools Hindsight v2.2 Parses More Chrome Preference Items Hindsight v2.2.0 adds parsing of more preference items and support for newer versions of Chrome. The quick version is:Support for Chrome versions 1 - 66Preference items with timestamps now are
Presentations & Interviews Deciphering Browser Hieroglyphics I spoke about "Deciphering Browser Hieroglyphics" at the SANS DFIR Summit 2017 in Austin, TX. I talked about how to "decipher" different kinds of information stored in web browsers, using a variety of
Visualizations Visualizing Activity from Metadata Encrypted iPhone backup? That means it's useless to an investigator (or attacker), right? Not so fast. We can still get an incredible amount of insight into the actions on the devices from the
Open Source Tools Hindsight v2 Adds a Web UI and Cache Parsing Hindsight v2 is here! The new release brings new features, many of which are focused on ease-of-use, along with a refactoring of the code into a Python package pyhindsight. The highlights are:Cross-platform
Web Browsers Investigating Universal Analytics Two common questions when investigating web browsing are: (1) how long did a user spend on a website, and (2) what actions did they take while on it?We have a number of
Web Browsers Load Balancer Cookie Decoder I was going through my bookmarks and found a write-up from a few years ago on decoding NetScaler load balancer cookies. Adam Maxwell (@catalyst256) wrote a few blog posts describing his process of
Open Source Tools Alexa, Tell Me Your Secrets The Amazon Echo is a nifty little device that you communicate with via speech - you can ask it to do various tasks and it verbally replies. You preface each command with the
Web Browsers It's a "Brave" New World... or is it? Brave is a new browser from some experienced people that aims to be faster and safer than other browsers by blocking ads and trackers. Brave also wants to disrupt the current online model
Presentations & Interviews Video of "Customized Google Chrome Forensics with Python" at SANS DFIR Summit 2015 I spoke at the SANS DFIR Summit 2015 on "Customized Google Chrome Forensics with Python" in Austin, TX. My presentation introduced Hindsight, an open source tool (written in Python) for extracting, interpreting, and
Visualizations Finding the First Thread with a Visualization Finding the first thread to pull to get an investigation started can sometimes be difficult. Having a checklist and a structured approach to your investigation can help quite a bit. Experience also can
Open Source Tools Upgrading Python's SQLite SQLite and Python in DFIRSQLite databases are being used in more and more applications, and thus forensic examiners are increasingly running across them in investigations. Python seems to be one of the languages
Open Source Tools Hindsight v1.5.0 released + GUI! I am very excited to announce that Hindsight v1.5.0 is here!Graphical User InterfaceThe core Hindsight functionality continues to see incremental improvements, along with quite a few internal changes to support
Presentations & Interviews Featured on Autopsy Blog I will be speaking at the Open Source Digital Forensics Conference (OSDFCon) next month about a new tool I'm releasing. It's called SQUID, or SQLite Unknown Identifier, and it finds exact and near
Visualizations Visualizing USN Journal Activity Since learning about the USN journal, my investigative process has never been the same. It is a powerful artifact that can tell us much about what has transpired on a system. However, the
Web Browsers The Chrome history was cleared! Now what? (part 1) Settings and BookmarksOk, so for the sake of this post, let's assume that the answer to the question posed in the previous part ("Was the history cleared?") was yes, it was. That totally
Web Browsers The Chrome history was cleared! Now what? (part 0) First, let's take a step back. Why do you think that the Chrome history had been cleared? Is it because there are no browsing records at all? Gaps in the entries? Records that
