ogmini - Exploration of DFIR

Having fun while learning about and pivoting into the world of DFIR.


About Blog Research CTF/Challenge GitHub RSS

CISSP - Domain 3

April 1, 2025

Domain 3 for the CISSP is a huge chunk of information and easily the longest chapter in my study book. Again, a mixture of subjects that I’m comfortable with and some that trend to the less comfortable.

Read More

Zeltser Challenge - Third Month Accomplishments

March 31, 2025

The third month of the Zeltser Challenge has been tough as I’m fully getting into my role as CIO, restructuring the department, and getting acquainted with everything involved in this new role. This new role is very taxing mentally as I’m trying to juggle so many different projects, problems, and goals. Despite all this, I’ve still somehow managed kept to my daily post cadence.

Read More

CISSP - Stalled

March 30, 2025

I stalled out HARD in studying for my CISSP and my timeline fell apart. I had planned on being done with all 8 domains by this weekend and that is definitely not the case. I left off having finished Domains 1 and 2.

Read More

Reverse Engineering Rewrite API

March 29, 2025

Last week I started poking around the network traffic generated by Windows Notepad when it makes calls to Rewrite. I made a post about what I found using Wireshark and mitmproxy. Part of the purpose of this blog is to push my knowledge by forcing me to actually DO and not just read and learn theory. That last post on mitmproxy and Wireshark was a perfect example of the DO. I had known that it was possible to setup a proxy to intecept and decrypt traffic. I even knew the general steps and tools required to analyze that traffic. What I never had was the need to put this knowledge to practice. I can now say that I’ve done it.

Read More

SSH Artifacts in Windows 11 - Part 3

March 28, 2025

Continuing from yesterday’s post, we are looking at how to tell if someone is connected via SSH. I did not have time to look at SSH Tunnels. Please refer back to the main post for full details as this post will only talk about the tests and results.

Read More

SSH Artifacts in Windows 11 - Part 1

March 26, 2025

Continuing from yesterday’s post, we are testing for SSH artifacts when connecting to a Debian OpenSSH Server and a Windows 11 OpenSSH Server. Please refer back to the main post for full details as this post will only talk about the tests and results.

Read More

GaslitPad - DNS Communication

March 24, 2025

After releasing the first iteration of GaslitPad, I’ve been thinking about how to add some C2 or data transfer capability. The ideal case would be for the malware to send back information about opened files and more importantly, the unsaved buffer chunks as they are typed by the individual. You could essentially have a live window into the user’s notepad session and see what they are typing as they type it. Always funny to me that MS essentially has a keylogger built into Windows Notepad.

Read More

Beyond Sunday Funday - SSH Artifacts in Windows 11

March 22, 2025

Another successful entry/win to one of David Cowen’s Sunday Funday Challenges involving SSH in Linux https://www.hecfblog.com/2025/03/daily-blog-785-solution-saturday-32225.html. This of course begs the question, what artifacts are left by SSH on Windows 11 or other Windows flavors! Windows uses OpenSSH for the client and server implementations https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh-overview and this should make some of this research pretty straightforward when looking for artifacts specific to OpenSSH. Just as a quick example, the known_hosts file acts the same and is in essentially the same location as on Linux.

Read More

The Intersection of DFIR and IT Troubleshooting

March 20, 2025

In the world of Digital Forensics and Incident Response (DFIR), the line between traditional IT troubleshooting skills and forensic investigation isn’t as wide as it might seem. Both disciplines require a strong foundation in understanding system behavior, analyzing logs, and identifying the actions of users. A skilled IT professional is adept at navigating logs and system reports to identify irregularities, similar to a DFIR investigator who examines system artifacts, event logs, and network traffic to reconstruct incidents. The key similarity is the ability to trace actions across systems, understand what was done, and pinpoint where things went wrong. Whether it is identifying a user’s misstep during a hardware/software failure or determining the sequence of events leading to a security breach, both skill sets are rooted in keen investigative abilities and a methodical approach to troubleshooting.

Read More

Windows Notepad - Rewrite / AI Part 5

March 19, 2025

Continuing from Part 4 on researching Windows Notepad - Rewrite. Taking a little detour and looking at the Correlation Vector. I don’t think this will be useful for anything; but I’ll doument what I’m seeing. Maybe someone will recognize this or knows more than me and can reach out with more details!

Read More

Windows Notepad - Rewrite / AI Part 4

March 18, 2025

Progress has been made since Part 3 in relation to the network traffic and API calls. As we discovered earlier, Windows Notepad makes API calls to apsaiservices.microsoft.com using TLSv1.3. I’ve now successfully decrypted the calls and I’m making progress in understanding the traffic.

Read More

Magnet Virtual Summit 2025 CTF - AAR "Hidden Spirits"

March 15, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.

Read More

Magnet Virtual Summit 2025 CTF - AAR "100X Scale"

March 13, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.

Read More

Magnet Virtual Summit 2025 CTF - AAR "Capital Offense"

March 12, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.

Read More

Magnet Virtual Summit 2025 CTF - AAR "Dressing, with a dash, of 17 spices"

March 11, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.

Read More

Magnet Virtual Summit 2025 CTF - AAR "Pigs in a Blanket"

March 10, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.

Read More

Windows Notepad - Rewrite / AI

March 8, 2025

Microsoft had previously added Rewrite to Windows Notepad on their dev release channels. It is now live to the public as of Windows Notepad Version 11.2412.16.0 and requires a subscription to Microsoft 365. I’ve already partially updated some of my documentation to note the new Application Hive entries related to Rewrite.

Read More

picoCTF

March 7, 2025

Found out about picoCTF a few days ago and decided to give it try with a few friends as a team. I would rank all of us as newcomers to CTFs. This competition is mainly meant for High Schoolers but is open to anyone to at least experience it. It runs from 3/7/2025 to 3/17/2025 so gives us a lot of time to take on the challenges in between our normal work. This is the first time I’ve formed a team to compete in one of these. We’re mainly just bouncing ideas off each other and sharing hints while indepedently tackling flags.

Read More

Magnet Virtual Summit 2025 CTF - AAR "ICONic green bubbles"

March 1, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.

Read More

Magnet Virtual Summit 2025 CTF - AAR "Dead Portrait Society"

February 26, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups here.

Read More

Magnet Virtual Summit 2025 CTF - AAR "A Shadow of the Real Thing"

February 24, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge.

Read More

Magnet Virtual Summit 2025 CTF - AAR "The SPIRITs are among us"

February 23, 2025

I’m going to flip the script for the typical writeups you see for CTFs and talk specifically about my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge.

Read More

Investigating Visual Studio Code - Part 3

February 22, 2025

Continuing from Part 2, the existence of the History folder threw me for a bit of a loop as I use other tools such as Git or TFS to handle versioning and history. There is a setting under Workbench related to Local History that is enabled by default. You can see the options in the screenshot below.

Read More

KAPE Target - Windows Notepad WOOPS

February 21, 2025

Looks like Andrew Rathburn had already created a Target for Windows Notepad! I somehow didn’t notice it because I only checked the Apps folder and not the Windows folder. I’ve updated it to pull the Window State *.bin files and the settings.dat Application Registry file. I also added a link to my documentation on the file format and behavior.

Read More

KAPE Target - Windows Notepad

February 20, 2025

Finally got a few minutes to start working on writing the KAPE Target for Windows Notepad. It will grab the Tab State, Window State, and settings.dat files that I’ve talked about in my research. Pretty straightforward process and I just want to do a little more testing and make sure I have everything right before I submit a Pull Request.

Read More

Release - Windows Notepad Parser v1.0.2

February 19, 2025

Releasing Version 1.0.2 of Windows Notepad Parser https://github.com/ogmini/Notepad-State-Library/releases/tag/v1.0.2. This new version includes a .NET 8.0 dependent version and a standalone version that doesn’t need .NET 8.0 installed on the system. There is also a minimal branch that doesn’t include the ability to generate a GIF from the changes. The noticeable change is some formatting of the CSV files to reorder and remove unnecessary columns.

Read More

Investigating Visual Studio Code

February 15, 2025

I’ve begun to look at Visual Studio Code in my quest to document useful digital artifacts in various text editors. In a similar fashion to Windows Notepad and Notepad++, Visual Studio Code will keep unsaved content between sessions. After documenting what I can find I will use that knowledge to see how one might attack Visual Studio Code. Another project is slowly building in my head to write a unified application to attack text editors and their data.

Read More

Windows Notepad vs Notepad++ - Artifact Comparison

February 14, 2025

It is always interesting to look at two different approaches to the same problem. Both Windows Notepad and Notepad++ are at their core text editors that support tabs and have the ability to keep unsaved changes between sessions. How they approach these features differ and we’ll be talking about how these manifest themselves in the digital artifacts.

Read More

Playing with Cursor AI - Notepad++ Digital Artifacts

February 10, 2025

David Cowen recently introduced me to Cursor which is an AI Code Editor and he has a few posts on his blog about using it that you can find here. I wanted to play around with this and my recent work on researching Notepad++ gave me a good excuse as it provided a target that wasn’t too complex.

Read More

Notepad++ - Documenting Digital Artifacts Part 2

February 9, 2025

I think I’m done researching what digital artifacts can be retrieved from Notepad++. I’ve been able to confirm/validate the findings from Forensafe and I will be providing more detailed information about them below. As I stated in Part 1, there is no real complication to the digital artifacts and everything is human readable with any text editor. In a future post, I will be pointing out how Windows Notepad and Notepad++ achieve similar functionality while storing the information differently.

Read More

Notepad++ - Documenting Digital Artifacts

February 8, 2025

Stemming from my research into Windows Notepad, I think it would be fun to take a look at Notepad++ and maybe other text editors like Visual Studio Code to see what kind of digital artifacts we can uncover. Personally, I use Notepad++ and I’m sure it is a very popular text editor for many other people. I’m sure others have already looked and I’ve found information from Forensafe mainly showing how their tool can recover information. They didn’t go into many details on the page and I think it would be worthwhile to document that more fully in the open for all to see. It is also possible that changes have been made to Notepad++ since the article.

Read More

Starting Belkasoft CTFs

February 5, 2025

After completing the Windows Forensics with Belkasoft certification, I learned that Belkasoft has a bunch of different CTF challenges that are still available to practice and hone my skills. I also want to use this as an opportunity to improve my report writing and presentation skills. It is one thing to find evidence and another to present it to a non-technical audience. The plan is to start on the first one and just make my way through the list. You can find their CTFs at https://belkasoft.com/ctf.

Read More

CISSP - Domain 1 and 2

February 3, 2025

I’ve started studying for the CISSP exam and what follows are a recap and notes on Domains 1 and 2. So far, I’m finding the material pretty straightforward and things that I’m already doing in my professional life. As everyone says, you need to think like a management for this certification and I already do.

Read More

Zeltser Challenge - First Month Accomplishments

February 2, 2025

The first month of the Zeltser Challenge issued by David Cowen has been very educational and challenging! I have not missed a day though I totally threw my posting topic “plan” out the window and it has ended up being far more organic and closer to a diary of what I’m working on. So far, I know of the following fellow participants:

Read More

POC Malware - Part 3

February 1, 2025

Yesterday I posted about the plan to release GaslitPad next week and some of the future capabilities I wanted to implement. I ended up adding the “inverted” attack which I’m now calling the “Sleep Attack”. So that will be available in the first release. Just a reminder, this POC Malware makes no attempts at obfuscation or hiding its actions.

Read More

Diving Deep - LevelDB Part 5

January 30, 2025

LevelDB utilizes CRC32 for data integrity checks; but it doesn’t use the normal CRC32 algorithm. Reading the code comments it utilizes a masked representation of CRC32 because it is problematic to compute the CRC of a string that contains embedded CRCs. The code accomplishes this by rotating right by 15 bits and adding a constant of 0xa282ead8ul.

Read More

Diving Deep - LevelDB Part 4

January 29, 2025

Continuing work on the binary template file for the LevelDB .ldb files. Learning a lot and pushing my knowledge boundaries. I am definitely recreating prior research; but I find this is the best way to learn and also validate previous findings. It is also possible things have changed.

Read More

Diving Deep - LevelDB Part 3

January 27, 2025

Continuing my analysis of the ChatGPT Desktop App by creating binary template files to help me understand the LevelDB and IndexedDB databases. I personally find it useful to “visually” see the binary files structured in hex editors like 010 Editor and ImHex. It helps me know if I’m on the right track and it is pretty easy to later convert that to code for a tool.

Read More

CISSP - Study Plan

January 26, 2025

Time to get serious and study to pass the CISSP examination. Outlining my plan and giving myself a deadline will keep me motivated and on track. I picked up a copy of Destination CISSP 2nd Edition to serve as my study material since it had been updated for the revised exam.

Read More

Belkasoft - Windows Forensics with Belkasoft Part 2

January 25, 2025

Started on the Windows Forensics course from Belkasoft and I was happy to see that they explicitly mention that you can use other tools besides Belkasoft X. I did use Belkasoft X to work on the problems in order to get familiar and learn the software. What follows are some quick thoughts.

Read More

Belkasoft - Windows Forensics with Belkasoft

January 24, 2025

Belkasoft is offering a free course and certification on Windows Forensics using their software. More details can be found at this link - https://belkasoft.com/windows-forensics-training. It also provides 6 CPE credits. I just signed up and I’m hoping to complete the course this weekend. The content is obviously centered around using their tools and should be a nice introduction to them. I intend on using other free tools to get the same results. I’ve personally found it very educating to use multiple tools to retrieve and view artifacts from different lenses. After I complete the course, I’ll be posting about my impressions and thoughts.

Read More

ChromeCacheView / ChromeHistoryView

January 23, 2025

Continuing my work on David Cowen’s Sunday Funday challenge, I leveraged ChromeCacheView and ChromeHistoryView to look both at the Edge Browser and the ChatGPT Desktop App. I want to see if we can capture the user authentication process with timestamps and any artifacts related to uploaded files.

Read More

Diving Deep - LevelDB

January 21, 2025

While investigating the ChatGPT Desktop application in yesterday’s post, I came across an Electron App leveraging LevelDB databases. That of course led me to search for tools and research to help me parse and understand the LevelDB files.

Read More

Second Week Musings

January 19, 2025

It has been a busy week with multiple big changes on the horizon. Definitely feel like I have too many irons in the fire. Hopefully by next month, I can talk about them. Still fighting that imposter syndrome. What have I been able to accomplish this week though?

Read More

Homelab Part 2 - The Next Iteration

January 18, 2025

Parts have started to arrive for the next iteration of my next server. I’ll be keeping the same software stack as the current server and obviously repurposing the current server for other duties. In Part 3, I’ll talk about the thought process that led me to this configuration and what other options I investigated.

Read More

MSLab - Part 1

January 17, 2025

I’ve had a few free moments to test out MSLab and it seems very promising. By just downloading the scripts, two ISOs, and modifying 2 lines in a configuration script I was able to spin up a virtual network with a Server 2025 Domain Controller and two Windows 11 client machines that are already joined to the domain. When I’m done with the lab, I can just run the cleanup script and it removes all the VMs from Hyper-V. Redeploying the exact same lab again just requires running the deploy script with the appropriate configuration.

Read More

Investigating Lab Automation - MSLab

January 15, 2025

I am in the process of planning and building my next hypervisor for use in my homelab. Looking for infrastructure as code or scripting options to easily spin up test labs is proving to be an interesting journey. There are the standard options of Terraform, Ansible, Vagrant, and the various cloud vendor specific implementations.

Read More

Homelab Part 1 - The Current Setup

January 12, 2025

I’ve always run a few personal “servers” at home running simple services like Plex, file storage, etc. When I started my Master’s Degree, I wanted to setup a server to run Hyper-V so that I could keep all my coursework contained, backed up, and I could easily spin up VMs for exploration. Utilizing tailscale allowed me to access these VMs anytime, anywhere giving me the ability to easily work on assignments while on vacation or travelling.

Read More

K-12 Student Data - Why would anyone steal that?

January 9, 2025

Today, I was talking to a few people about the PowerSchool hack and the question was posed, “Why would anyone want student data?”. I was taken aback. In this post, I want to explore that question and give reasons why a threat actor would want this data with some hypothetical scenarios.

Read More

CISA IR Training - Defend Against Ransomware Attacks Cyber Range Training (IR209)

January 7, 2025

Just attended Defend Against Ransomware Attacks Cyber Range Training (IR209) offered by CISA. I talked about these in a previous post and would encourage those eligible to register. As always, the course was full of information with the added benefit of a virtual environment to play around in. I’m always amazed at how much they can pack into so little time. I only wish it was a full day course.

Read More

Expectations vs Reality - Digital Forensic Science Master's Degree

January 6, 2025

January 2022, I started my first course at Champlain College to complete my Master’s Degree in Digital Forensic Science. I’ll be making a few posts related to my experience with the coursework and my takeaways. It’s important to remember that everyone entering this program came from diverse professional and personal backgrounds. This diversity was both a strength and a challenge. On one hand, it sparked valuable discussions and brought differing viewpoints. On the other hand, students had widely varying expectations and skill levels, which led to inconsistencies in the perceived difficulty and usefulness of the courses. I mention this as my background will influence my viewpoint and my experience is and will be different from others. These posts are not meant to be a review of the program; but a recap of my experience and learning.

Read More

First Week Musings

January 5, 2025

When David Cowen posed this challenge for 2025, I knew it wouldn’t be easy. I may have underestimated how hard it would be though…

Read More

Certification and Training Plans for 2025

January 4, 2025

The main certification I want to complete for early 2025 is my CISSP after having already obtained my CSSLP certification in 2024. Hopefully, these weekly blog posts will help keep me on track and making forward progress towards that goal. I’ve already picked up my copy of Destination CISSP.

Read More

New Beginnings

November 14, 2024

This blog will document my exploration of Digital Forensics and Incident Response (DFIR) as I make the transition into this exciting field. More importantly, it will serve as a centralized place to store my notes, observations, and learnings.

Read More