David Cowen Sunday Funday Challenge - Cloud Log Availability Delays
David Cowen has posted his weekly Sunday Funday challenge at his blog and it is about looking at the delays present between action and log availability.
Having fun while learning about and pivoting into the world of DFIR.
Domain 3 for the CISSP is a huge chunk of information and easily the longest chapter in my study book. Again, a mixture of subjects that I’m comfortable with and some that trend to the less comfortable.
The third month of the Zeltser Challenge has been tough as I’m fully getting into my role as CIO, restructuring the department, and getting acquainted with everything involved in this new role. This new role is very taxing mentally as I’m trying to juggle so many different projects, problems, and goals. Despite all this, I’ve still somehow managed to keep to my daily post cadence.
I stalled out HARD in studying for my CISSP and my timeline fell apart. I had planned on being done with all 8 domains by this weekend and that is definitely not the case. I left off having finished Domains 1 and 2.
Last week I started poking around the network traffic generated by Windows Notepad when it makes calls to Rewrite. I made a post about what I found using Wireshark and mitmproxy. Part of the purpose of this blog is to push my knowledge by forcing me to actually DO and not just read and learn theory. That last post on mitmproxy and Wireshark was a perfect example of the DO. I had known that it was possible to set up a proxy to intercept and decrypt traffic. I even knew the general steps and tools required to analyze that traffic. What I never had was the need to put this knowledge to practice. I can now say that I’ve done it.
Continuing from yesterday’s post, we are looking at how to tell if someone is connected via SSH. I did not have time to look at SSH Tunnels. Please refer back to the main post for full details as this post will only talk about the tests and results.
Continuing from yesterday’s post, we are diving deep into the Windows Event Logs. Please refer back to the main post for full details as this post will only talk about the tests and results.
Continuing from yesterday’s post, we are testing for SSH artifacts when connecting to a Debian OpenSSH Server and a Windows 11 OpenSSH Server. Please refer back to the main post for full details as this post will only talk about the tests and results.
David Cowen has posted his weekly Sunday Funday challenge at his blog and it is related to his previous challenge on SSH Artifacts in Linux systems. I had posted that looking at SSH Artifacts in Windows would be a natural extension and here we are.
After releasing the first iteration of GaslitPad, I’ve been thinking about how to add some C2 or data transfer capability. The ideal case would be for the malware to send back information about opened files and more importantly, the unsaved buffer chunks as they are typed by the individual. You could essentially have a live window into the user’s notepad session and see what they are typing as they type it. Always funny to me that MS essentially has a keylogger built into Windows Notepad.
Continuation from Part 5 looking back at my coursework in the Master’s Degree in Digital Forensic Science. In this post, I’ll be talking about DFS-540 Malware Analysis.
Another successful entry/win to one of David Cowen’s Sunday Funday Challenges involving SSH in Linux https://www.hecfblog.com/2025/03/daily-blog-785-solution-saturday-32225.html. This of course begs the question, what artifacts are left by SSH on Windows 11 or other Windows flavors! Windows uses OpenSSH for the client and server implementations https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh-overview and this should make some of this research pretty straightforward when looking for artifacts specific to OpenSSH. Just as a quick example, the known_hosts file acts the same and is in essentially the same location as on Linux.
David Cowen has posted his weekly Sunday Funday challenge at his blog and I’m going to take a stab at it today.
In the world of Digital Forensics and Incident Response (DFIR), the line between traditional IT troubleshooting skills and forensic investigation isn’t as wide as it might seem. Both disciplines require a strong foundation in understanding system behavior, analyzing logs, and identifying the actions of users. A skilled IT professional is adept at navigating logs and system reports to identify irregularities, similar to a DFIR investigator who examines system artifacts, event logs, and network traffic to reconstruct incidents. The key similarity is the ability to trace actions across systems, understand what was done, and pinpoint where things went wrong. Whether it is identifying a user’s misstep during a hardware/software failure or determining the sequence of events leading to a security breach, both skill sets are rooted in keen investigative abilities and a methodical approach to troubleshooting.
Continuing from Part 4 on researching Windows Notepad - Rewrite. Taking a little detour and looking at the Correlation Vector. I don’t think this will be useful for anything; but I’ll document what I’m seeing. Maybe someone will recognize this or knows more than me and can reach out with more details!
Progress has been made since Part 3 in relation to the network traffic and API calls. As we discovered earlier, Windows Notepad makes API calls to apsaiservices.microsoft.com using TLSv1.3. I’ve now successfully decrypted the calls and I’m making progress in understanding the traffic.
Continuation from Part 4 looking back at my coursework in the Master’s Degree in Digital Forensic Science. In this post, I’ll be talking about DFS-530 Incident Response and Network Forensics.
Short post today, continuing my research on Windows Notepad Rewrite https://ogmini.github.io/2025/03/14/Windows-Notepad-Rewrite-Part-2.html
Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe allotted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.
Continuing my research on Windows Notepad Rewrite https://ogmini.github.io/2025/03/08/Windows-Notepad-Rewrite.html.
Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe allotted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.
Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe allotted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.
Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe allotted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.
Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe allotted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.
Microsoft had previously added Rewrite to Windows Notepad on their dev release channels. It is now live to the public as of Windows Notepad Version 11.2412.16.0 and requires a subscription to Microsoft 365. I’ve already partially updated some of my documentation to note the new Application Hive entries related to Rewrite.
Found out about picoCTF a few days ago and decided to give it a try with a few friends as a team. I would rank all of us as newcomers to CTFs. This competition is mainly meant for High Schoolers but is open to anyone to at least experience it. It runs from 3/7/2025 to 3/17/2025 so gives us a lot of time to take on the challenges in between our normal work. This is the first time I’ve formed a team to compete in one of these. We’re mainly just bouncing ideas off each other and sharing hints while independently tackling flags.
Releasing Version 1.0.3 of Windows Notepad Parser https://github.com/ogmini/Notepad-State-Library/releases/tag/v1.0.3. This is a pure bug fix release. The Windowstate CSV file wasn’t outputting the coordinates correctly.
Continuation from Part 3 looking back at my coursework in the Master’s Degree in Digital Forensic Science. In this post, I’ll be talking about DFS-520 Operating System Analysis.
At least two solutions are possible.
This second month of the Zeltser Challenge continues to be very fruitful and motivating. It has NOT been easy to post every day; but I still haven’t missed a post since the start.
A child could solve it?!
Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe allotted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.
NASA has a SQLite DB on your Android Phone?
That stegosaurus hid something from us!
Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe allotted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.
There is a smaller Operating System inside!
Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe allotted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge.
I’m going to flip the script for the typical writeups you see for CTFs and talk specifically about my “fails” or the ones I just couldn’t figure out in the timeframe allotted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge.
Continuing from Part 2, the existence of the History folder threw me for a bit of a loop as I use other tools such as Git or TFS to handle versioning and history. There is a setting under Workbench related to Local History that is enabled by default. You can see the options in the screenshot below.
Looks like Andrew Rathburn had already created a Target for Windows Notepad! I somehow didn’t notice it because I only checked the Apps folder and not the Windows folder. I’ve updated it to pull the Window State *.bin files and the settings.dat Application Registry file. I also added a link to my documentation on the file format and behavior.
Finally got a few minutes to start working on writing the KAPE Target for Windows Notepad. It will grab the Tab State, Window State, and settings.dat files that I’ve talked about in my research. Pretty straightforward process and I just want to do a little more testing and make sure I have everything right before I submit a Pull Request.
Releasing Version 1.0.2 of Windows Notepad Parser https://github.com/ogmini/Notepad-State-Library/releases/tag/v1.0.2. This new version includes a .NET 8.0 dependent version and a standalone version that doesn’t need .NET 8.0 installed on the system. There is also a minimal branch that doesn’t include the ability to generate a GIF from the changes. The noticeable change is some formatting of the CSV files to reorder and remove unnecessary columns.
Continuation from Part 2 looking back at my coursework in the Master’s Degree in Digital Forensic Science. In this post, I’ll be talking about DFS-510 Scripting for Digital Forensic.
Still banging my head with the 2025 Magnet CTF and was able to solve a few more today. Let us get back to investigating Visual Studio Code!
I’ve begun to look at Visual Studio Code in my quest to document useful digital artifacts in various text editors. In a similar fashion to Windows Notepad and Notepad++, Visual Studio Code will keep unsaved content between sessions. After documenting what I can find I will use that knowledge to see how one might attack Visual Studio Code. Another project is slowly building in my head to write a unified application to attack text editors and their data.
It is always interesting to look at two different approaches to the same problem. Both Windows Notepad and Notepad++ are at their core text editors that support tabs and have the ability to keep unsaved changes between sessions. How they approach these features differs and we’ll be talking about how these manifest themselves in the digital artifacts.
I gather during CTFs you should be operating under tight OPSEC in order to win. I’m not though! So what follows is a quick writeup of my pre-analysis of the provided images.
It is CTF time!
David Cowen recently introduced me to Cursor which is an AI Code Editor and he has a few posts on his blog about using it that you can find here. I wanted to play around with this and my recent work on researching Notepad++ gave me a good excuse as it provided a target that wasn’t too complex.
I think I’m done researching what digital artifacts can be retrieved from Notepad++. I’ve been able to confirm/validate the findings from Forensafe and I will be providing more detailed information about them below. As I stated in Part 1, there is no real complication to the digital artifacts and everything is human readable with any text editor. In a future post, I will be pointing out how Windows Notepad and Notepad++ achieve similar functionality while storing the information differently.
Stemming from my research into Windows Notepad, I think it would be fun to take a look at Notepad++ and maybe other text editors like Visual Studio Code to see what kind of digital artifacts we can uncover. Personally, I use Notepad++ and I’m sure it is a very popular text editor for many other people. I’m sure others have already looked and I’ve found information from Forensafe mainly showing how their tool can recover information. They didn’t go into many details on the page and I think it would be worthwhile to document that more fully in the open for all to see. It is also possible that changes have been made to Notepad++ since the article.
Just finished “Preventing Web and Email Server Attacks (IR205)” offered by CISA. I talked about these in a previous post and would encourage those eligible to register.
After completing the Windows Forensics with Belkasoft certification, I learned that Belkasoft has a bunch of different CTF challenges that are still available to practice and hone my skills. I also want to use this as an opportunity to improve my report writing and presentation skills. It is one thing to find evidence and another to present it to a non-technical audience. The plan is to start on the first one and just make my way through the list. You can find their CTFs at https://belkasoft.com/ctf.
Got the results back from the Belkasoft Windows Forensics course/exam and I passed. I already gave my thoughts on the actual course here.
I’ve started studying for the CISSP exam and what follows are a recap and notes on Domains 1 and 2. So far, I’m finding the material pretty straightforward and things that I’m already doing in my professional life. As everyone says, you need to think like a manager for this certification and I already do.
The first month of the Zeltser Challenge issued by David Cowen has been very educational and challenging! I have not missed a day though I totally threw my posting topic “plan” out the window and it has ended up being far more organic and closer to a diary of what I’m working on. So far, I know of the following fellow participants:
Yesterday I posted about the plan to release GaslitPad next week and some of the future capabilities I wanted to implement. I ended up adding the “inverted” attack which I’m now calling the “Sleep Attack”. So that will be available in the first release. Just a reminder, this POC Malware makes no attempts at obfuscation or hiding its actions.
I’ll be releasing my POC Malware called GaslitPad sometime next week. Please see my previous post for some background. I’ll lead off with a video demonstration - https://www.youtube.com/watch?v=z-5MxRxgBxI. GaslitPad makes no attempts at obfuscation as it is purely a proof of concept.
LevelDB utilizes CRC32 for data integrity checks; but it doesn’t use the normal CRC32 algorithm. Reading the code comments it utilizes a masked representation of CRC32 because it is problematic to compute the CRC of a string that contains embedded CRCs. The code accomplishes this by rotating right by 15 bits and adding a constant of 0xa282ead8ul.
Continuing work on the binary template file for the LevelDB .ldb files. Learning a lot and pushing my knowledge boundaries. I am definitely recreating prior research; but I find this is the best way to learn and also validate previous findings. It is also possible things have changed.
Just attended Introduction to Log Management (IR210) offered by CISA. I talked about these in a previous post and would encourage those eligible to register.
Continuing my analysis of the ChatGPT Desktop App by creating binary template files to help me understand the LevelDB and IndexedDB databases. I personally find it useful to “visually” see the binary files structured in hex editors like 010 Editor and ImHex. It helps me know if I’m on the right track and it is pretty easy to later convert that to code for a tool.
Time to get serious and study to pass the CISSP examination. Outlining my plan and giving myself a deadline will keep me motivated and on track. I picked up a copy of Destination CISSP 2nd Edition to serve as my study material since it had been updated for the revised exam.
Started on the Windows Forensics course from Belkasoft and I was happy to see that they explicitly mention that you can use other tools besides Belkasoft X. I did use Belkasoft X to work on the problems in order to get familiar and learn the software. What follows are some quick thoughts.
Belkasoft is offering a free course and certification on Windows Forensics using their software. More details can be found at this link - https://belkasoft.com/windows-forensics-training. It also provides 6 CPE credits. I just signed up and I’m hoping to complete the course this weekend. The content is obviously centered around using their tools and should be a nice introduction to them. I intend on using other free tools to get the same results. I’ve personally found it very educational to use multiple tools to retrieve and view artifacts from different lenses. After I complete the course, I’ll be posting about my impressions and thoughts.
Continuing my work on David Cowen’s Sunday Funday challenge, I leveraged ChromeCacheView and ChromeHistoryView to look both at the Edge Browser and the ChatGPT Desktop App. I want to see if we can capture the user authentication process with timestamps and any artifacts related to uploaded files.
Continuing from an earlier post https://ogmini.github.io/2025/01/21/Deep-Dive-LevelDB.html, I’ve had a chance to quickly try out two different tools on LevelDB databases used by the ChatGPT Desktop App.
While investigating the ChatGPT Desktop application in yesterday’s post, I came across an Electron App leveraging LevelDB databases. That of course led me to search for tools and research to help me parse and understand the LevelDB files.
My submission to another one of David Cowen’s Sunday Funday challenges. This time related to the ChatGPT Desktop Application. https://www.hecfblog.com/2025/01/daily-blog-723-sunday-funday-11925.html
It has been a busy week with multiple big changes on the horizon. Definitely feel like I have too many irons in the fire. Hopefully by next month, I can talk about them. Still fighting that imposter syndrome. What have I been able to accomplish this week though?
Parts have started to arrive for the next iteration of my next server. I’ll be keeping the same software stack as the current server and obviously repurposing the current server for other duties. In Part 3, I’ll talk about the thought process that led me to this configuration and what other options I investigated.
I’ve had a few free moments to test out MSLab and it seems very promising. By just downloading the scripts, two ISOs, and modifying 2 lines in a configuration script I was able to spin up a virtual network with a Server 2025 Domain Controller and two Windows 11 client machines that are already joined to the domain. When I’m done with the lab, I can just run the cleanup script and it removes all the VMs from Hyper-V. Redeploying the exact same lab again just requires running the deploy script with the appropriate configuration.
Just attended Preventing DNS Infrastructure Tampering (IR206) offered by CISA. I talked about these in a previous post and would encourage those eligible to register.
I am in the process of planning and building my next hypervisor for use in my homelab. Looking for infrastructure as code or scripting options to easily spin up test labs is proving to be an interesting journey. There are the standard options of Terraform, Ansible, Vagrant, and the various cloud vendor specific implementations.
Continuation from Part 1 looking back at my coursework in the Master’s Degree in Digital Forensic Science. In this post, I’ll be talking about my second course at Champlain College.
David Cowen has started up his Sunday Funday challenges again and his latest one is related to SRUM. You can find his challenge on his blog.
I’ve always run a few personal “servers” at home running simple services like Plex, file storage, etc. When I started my Master’s Degree, I wanted to set up a server to run Hyper-V so that I could keep all my coursework contained, backed up, and I could easily spin up VMs for exploration. Utilizing tailscale allowed me to access these VMs anytime, anywhere giving me the ability to easily work on assignments while on vacation or travelling.
What Hex Editor(s) do you prefer to use?
I’m looking for some advice on how to automate regression testing for forensics software. As I researched Windows Notepad, Microsoft continually updated and made changes to how the binary files worked. I touched upon this issue in a previous post https://ogmini.github.io/2024/11/27/Microsoft-Store-Older-Versions.html.
Today, I was talking to a few people about the PowerSchool hack and the question was posed, “Why would anyone want student data?”. I was taken aback. In this post, I want to explore that question and give reasons why a threat actor would want this data with some hypothetical scenarios.
Yesterday news hit that Powerschool was hacked resulting in a threat actor stealing student and teacher data. Powerschool provides SIS platform software to K-12 schools. Bleeping Computer has a good article on the incident - https://www.bleepingcomputer.com/news/security/powerschool-hack-exposes-student-teacher-data-from-k-12-districts/.
Just attended Defend Against Ransomware Attacks Cyber Range Training (IR209) offered by CISA. I talked about these in a previous post and would encourage those eligible to register. As always, the course was full of information with the added benefit of a virtual environment to play around in. I’m always amazed at how much they can pack into so little time. I only wish it was a full day course.
January 2022, I started my first course at Champlain College to complete my Master’s Degree in Digital Forensic Science. I’ll be making a few posts related to my experience with the coursework and my takeaways. It’s important to remember that everyone entering this program came from diverse professional and personal backgrounds. This diversity was both a strength and a challenge. On one hand, it sparked valuable discussions and brought differing viewpoints. On the other hand, students had widely varying expectations and skill levels, which led to inconsistencies in the perceived difficulty and usefulness of the courses. I mention this as my background will influence my viewpoint and my experience is and will be different from others. These posts are not meant to be a review of the program; but a recap of my experience and learning.
When David Cowen posed this challenge for 2025, I knew it wouldn’t be easy. I may have underestimated how hard it would be though…
The main certification I want to complete for early 2025 is my CISSP after having already obtained my CSSLP certification in 2024. Hopefully, these weekly blog posts will help keep me on track and making forward progress towards that goal. I’ve already picked up my copy of Destination CISSP.
Gaslitpad is the name of the POC malware that I’m currently working on. It is the result of my ongoing research into Windows Notepad at https://github.com/ogmini/Notepad-State-Library. The general idea is a program that sits in wait and changes the unsaved buffer for nefarious purposes.
How do you make the time to compete in CTFs?
Happy New Year and welcome to 2025!
What follows is my submission to DFIR Review. I figured I should post this on my Blog while it is under review.
Have you ever needed a previous version of an application from the Microsoft Store?
This blog will document my exploration of Digital Forensics and Incident Response (DFIR) as I make the transition into this exciting field. More importantly, it will serve as a centralized place to store my notes, observations, and learnings.