ogmini - Exploration of DFIR

Having fun while learning about and pivoting into the world of DFIR.

About Blog Posts by Tags Research Talks/Presentations GitHub Search RSS

Examining Tailscale Artifacts - Part 6

June 23, 2026

This will sort of be a two for one post today as I’m still at training until the end of the week. Always fun how these sorts of things can get the mind churning and give you the motivation to start looking at stuff again. Today was mainly about Log Analytics workspaces and KQL. I had prior experience with what I would call doing “easy” queries. I’ve not had much need to play with functions like summarize, bin, or even search/find. I was very reliant on using the traditional where clause. So it was nice to be “forced” to use them.

Read More

Examining Tailscale Artifacts - Part 5

June 22, 2026

It has been awhile since I’ve posted, currently attending IRC234 put on by Cybervance for CISA. Had a little time after the first day and decided to poke around Tailscale logs on MacOS. Just a warning, this post will be very light on details.

Read More

Velociraptor - Tailscale Artifact

May 6, 2026

Submitted a Tailscale artifact to the Velociraptor Artifact Exchange that decodes and parses the configuration file, shows the logs, and grabs/uploads any partial file transfers to the machine. Tailscale has been used in the past in various attacks by threat actors such as:

Read More

Examining Tailscale Artifacts - Part 3

April 23, 2026

Real short post today. I was able to verify that the LocalUserID is the SID on the computer for the user account Tailscale is being run under. This shows up in a few spots in the server-state.conf.

Read More

Examining Tailscale Artifacts - Part 2

April 22, 2026

You can have multiple accounts associated with Tailscale and be able to switch between them. I logged in with a Google and Microsoft account. More testing is required for the other account types and options.

Read More

Examining Tailscale Artifacts

April 21, 2026

I started looking at Tailscale to see what sort of digital artifacts are left behind. It has clients for Windows/Linux/Android/iOS/macOS and I’m hoping to take a look at all of them except iOS. Tailscale is a networking tool that lets you securely connect your devices (laptop, phone, servers, cloud VMs, etc.) as if they were all on the same private network, no matter where they are. A very popular tool with Homelab people and I use it myself.

Read More

BSides South Jersey 2026

April 19, 2026

I was a speaker at BSides South Jersey 2026 and it was a great event hosted at Rowan University. I’m already looking forward to next years event. I want to thank the Founders, Organizers, Sponsors, and Volunteers for all the time they put in and being so welcoming. I apologize for not getting everyone’s names as you were all so busy and I talked to so many people. Feel free to connect with me on LinkedIn https://www.linkedin.com/in/christophereng/.

Read More

Credential Phishing

March 26, 2026

Came across this credential harvesting site located at hxxps://login[.]thehead-agency[.]com. I believe it has been taken down already. It was setup to mimic the standard Microsoft login page. Just fair warning, I am no expert at this sort of thing. Any feedback/critiques would be greatly appreciated on how you would investigate this. I also did this with very little time (~30 minutes) for setup and very spur of the moment.

Read More

2025 Zeltser Challenge Recap

February 7, 2026

Forgive the late recap! To say that the last 2 months have been busy and full of change would be an understatement. Back at the start of 2025, David Cowen put forth the Zeltser Challenge. I jumped in and this post will provide a little recap of highlights and what I got out of the challenge. Not everything went according to plan.

Read More

Examining Mobile Hotspots - Orbic Speed RC400L - Part 4

November 17, 2025

Came across an interesting SQLite database called cpe.db on the mobile hotsport as I was starting to examine all the files under the /usrdata/data/usr folder. It contained old SMS messages! In my case, these were spam SMS messages that I had ignored and never bothered to read/delete when I was still using this hotspot actively.

Read More

Examining Mobile Hotspots - Orbic Speed RC400L - Part 2

November 10, 2025

Continuing to examine the Orbic Speed RC400L for any interesting digital artifacts from last post. I’m interested in finding digital artifacts that can help place the hotspot in a place and time and also devices that connect to the hotspot. Possibly seeing if/how it logs connections to cell towers.

Read More

Examining Mobile Hotspots - Orbic Speed RC400L

November 8, 2025

I’ve been following the Rayhunter project from EFF over at https://github.com/EFForg/rayhunter. I’ve had and used an Orbic Speed RC400L as a mobile hotspot for many years. I recently replaced it with a 5G compatible hotspot for the speeeeeeeeeeeeeed. I actually hate the newer one as it boots up way slower. Either way, I have an unused Orbic Speed RC400L hotspot now that is ripe for playing around with. While researching Rayhunter, I was interested in what digital artifacts could be recovered from a stock device. The project to install Rayhunter was put on hold for this.

Read More

SANS Holiday Hack Challenge 2025 - Progress

November 7, 2025

Been enjoying the SANS Holiday Hack Challenge 2025! Got past Act 1 and I’ve finished 2/7 of Act 2. We can’t do any write ups yet so I’ll talk in general terms about my impressions so far.

Read More

BelkaGPT - Effective Artificial Intelligence in DFIR

November 4, 2025

Belkasoft recently launched some new training related to effectively using AI in DFIR. https://www.linkedin.com/posts/belkasoft_dfir-digitalforensics-ai-activity-7390772730951839744-fZum?. When I signed up the course was free for a short time. I’m intrigued to see how the course presents using AI. I continue to be very cautious about AI and its use. Both from an environmental and human impact viewpoint. After I complete the course I will be sure to post my thoughts.

Read More

Zeltser Challenge - Tenth Month Accomplishments

November 1, 2025

Looking back on October had me diving heavily into Android Forensics. I also of course gave my talk at BSides NYC 0x05. Wasn’t the best talk as I had some mic issues,talked way too fast, and missed some of my keypoints; but I learned a lot and it was an enjoyable experience. Hopefully this won’t be my last. The volunteers and organizers do an amazing job at running the event.

Read More

Homelab - Windows Answer files (unattend.xml/autounattend.xml)

October 30, 2025

Recently stumbled upon something to make my life easier as I find myself spinning up VMs on Hyper-V constantly to perform testing and validation. I prefer to have completely clean installs and tend to not reuse a VM for later testing. This can result in a sort of “blindspot” to finding artifacts on an actually “used” computer. This post isn’t about that though. When creating my VMs I have always made use of Answer files to automate the installation and configuration to reduce human error and increase repeatability. You can use https://schneegans.de/windows/unattend-generator/ to generate different Answer files.

Read More

Packaged App - Registry Hives

October 25, 2025

Over the last few months, I’ve been doing collaborative research with reece394 over on GitHub. They made a recent feature request on the Registry Hunter repo https://github.com/Velocidex/registry_hunter/issues/21#issuecomment-3427299524 which encapsulates everything we’ve both researched so far very well. Mari Degrazia also has a very good write up over at https://www.zerofox.com/blog/the-registry-hives-you-may-be-msix-ing-registry-redirection-with-ms-msix/ about the growing importance of these artifacts. Chris Ray over at Cyber Triage has also mentioned it previously at https://www.cybertriage.com/blog/ntuser-dat-forensics-analysis-2025/.

Read More

BSides NYC 0x05 - CTFd Contribution

October 21, 2025

BSides NYC 0x05 hosted a few different CTFs and CTFd put a call out for volunteers to submit a few CTF Challenges. I decided to give it a shot and submitted three forensic type challenges. It was a fun experience as I have never written a CTF challenge. The CTFd people were a great bunch to work with!

Read More

Forensic ADB Scripts - adb-pull-tar.py

October 20, 2025

Coming off yesterday’s post, I wrote up a quick Python script to generate and pull a tar file from a rooted Android phone. Nothing fancy, but it helps speed up my research/testing process. You can pass it a path on the Android phone and it will tar up the folder. Example would be passing it /data/data/dji.go.v5. You can also pass it an output path to save the tar file on to secondary storage or somewhere on internal storage. This adds a second script to my “collection” on https://github.com/ogmini/Forensic-ADB-Scripts.

Read More

Android Forensics - DJI Fly

October 19, 2025

Recently picked up a cheap DJI Neo to play around. I have to say they’re pretty cheap and easy to use. I installed the DJI Fly software on my “research” Pixel 7 because there is no way I’m installing that app on my real phone. Might as well dig into its artifacts! I imagine this has already been done and written up. I haven’t looked heavily yet for prior research. Either way, it is good practice to go artifact hunting with minimal prior information. What follows are just some quick notes as I poke around.

Read More

Forensic ADB Scripts - adb-pull-stat.py

October 13, 2025

Finally got around to finishing up a Python script that I am creatively calling “adb-pull-stat.py” that I talked about in a previous post. It is nothing fancy and was written to fill a need I had. The script has been published to a GitHub repo - https://github.com/ogmini/Forensic-ADB-Scripts. I have a sneaky feeling that I might be writing more “utility” scripts as I continue looking and Android devices and they’ll be finding their way into that repo.

Read More

Gmail App - IMAP Account Artifacts (Message Logging) - Part 2

October 12, 2025

This post will show why focused, repeatable testing is so important. Yesterday’s post hinted at some possible message logging tables in one of the sqlite databases. I had come across entries while testing for attachments that I had not seen previously. Initially, I had chalked that up to not having sent any emails to the Trash folder until I wanted to test what happened to cached attachments. Well…

Read More

Gmail App - IMAP Account Artifacts (Attachments) - Part 3

October 7, 2025

I somehow missed this in yesterday’s post and it popped into my head on my commute to work this morning. We learned that a sent email that has attachments is stored differently in the Attachment table with a reference to a “cachedFile” which is a content link. In our test example we had:

Read More

Gmail App - IMAP Account Artifacts (Attachments) - Part 2

October 6, 2025

Continuing to look at IMAP Account attachments from a previous post. Shifting gears for a moment away from looking the the lifecycle of digital photos. I wanted to verify my understanding of the folder structure for how attachments were stored. I had made a “informed” assumption that the attachment files are located at \data\com.google.android.gm\databases\{Account#}.db_att\{Attachment#}. Where the Account# and Attachment# come from the various database tables.

Read More

Android Forensics - Filesystem Timestamps ADB Script

October 3, 2025

In my last few posts, I’ve been looking at the lifecycle of digital photos taken on an Android phone - https://ogmini.github.io/tags.html#Google-Photos. When researching and doing testing, it can be very useful to script as many steps as possible so that you can recreate testing quickly and consistently in different scenarios. I need to be able to easily pull the filesystem timestamps and MD5/SHA256 hashes along with the digital phones from an Android Phone. Spent a little time today throwing together a Python script to leverage various Android Debug Bridge (adb) commands.

Read More

Lifecycle of a Digital Photo on a Android Pixel 7 - Part 2

September 30, 2025

Continuing from the previous post, I took some photos while the phone was in Airplane Mode to control when the photos were uploaded to Google Photos. I waited some time and disabled Airplane Mode and let the photos upload. I also wanted to see what happened if I just placed an image in the /storage/self/primary/DCIM/Camera location. Is there any sort of differentiation by Google Photos of images taken by the camera versus images just placed in the folder.

Read More

Lifecycle of a Digital Photo on a Android Pixel 7 - Part 1

September 27, 2025

Recent events have resulted in my interest and examination of photos taken by an Android phone. What is the lifecycle of a typical photo taken by an Android phone with the Google Photos applilcation setup to backup photos to the owner’s Google account? What timestamps can we find? What are some potential indicators of timestomping or manipulation?

Read More

Gmail App - IMAP Account Artifacts (Attachments)

September 24, 2025

Now that I have a test Pixel 7 that has been rooted, I’m starting to dig into some Android forensics. Following from a previous post, I’m still looking at how third party IMAP Accounts are handled in the default Gmail application on Android 16. The below post is very in the moment so take everything with a grain of salt. My PR to ALEAPP was merged and I intend on improving it a bit as it resulted from artifacts from a CTF. There are plently more avenues to explore and document.

Read More

Pixel 7 - Timestamps / EXT4

September 20, 2025

As I was poking around the filesystem of my Pixel 7 using adb shell, I was interested in examining the timestamps associated with the various files. In particular, I was looking at the image files taken by the built in camera and I wanted to see if I could correlate the filesystem timestamps with the EXIF timestamps. It appears that Android 16 uses some flavor of EXT4 and I set about researching EXT4 timestamps and came across this handy article - https://righteousit.com/2024/09/04/more-on-ext4-timestamps-and-timestomping/. The next question is if this translates over to Android 16.

Read More

Pixel 7 - Data Acquisition

September 11, 2025

Currently on a train heading somewhere fun and I will be disconnected from everything. It is important in this day and age to decompress and go touch grass. There will be no posts after this one until I get back.

Read More

Pixel 7 - Unlocking the Bootloader

September 9, 2025

Making progress in rooting the Pixel 7 phone that I picked up. I spent some time today just unlocking the bootloader. Pretty straightfordward process at least for a Pixel device. What follows are some of my notes on the process to unlock the bootloader.

Read More

Pixel 7 - Researching Rooting Options

September 7, 2025

A few weeks back, I picked up a used Pixel 7 to use as a testbed to learn Android forensics. The intention is to root the phone, start poking around, and see where it leads me. Larger goal is to start contributing to ALEAPP. I specifically picked the Pixel 7 as it is a popular phone with a bootloader that is easily unlocked.

Read More

Memory Forensics - Windows Notepad Part 6

September 6, 2025

Following from Part 5, I wanted to test what happens if the TabState file is too large to natively fit into the MFT Entry. I opened Windows Notepad and typed some test text and repeatedly copy/pasted it back until it was sufficiently large. Took a memory dump and proceeded to analyze it using the same steps as outlined in Part 5.

Read More

Zeltser Challenge - Eighth Month Accomplishments

September 3, 2025

August started strong and ended with chaos. Being in the ER for family is not fun; but all is well now. Minus some missed posts. We’re at the eighth month of the Zeltser Challenge from David Cowen and I’m still enjoying everything and it has really pushed me to go outside of my comfort area.

Read More

Memory Forensics - Windows Notepad Part 5

August 29, 2025

Let us recap what we’ve learned already and the process to manually recover Windows Notepad artifacts from memory. I am starting with a fresh memory dump for the scenario where we’ve opened a text file and made no changes. There are no other tabs. I had someone else create the scenario and memory dump so that I would not know anything about the text file that was opened.

Read More

Volatility 3 - Learning to Write a Plugin Part 1

August 23, 2025

In between prepping for my upcoming talk at BSides NYC, I’ve been slowly starting to learn how to write plugins for Volatility 3. I started with reading as much documentation and other writeups as possible on the process. These included:

Read More

ALEAPP Plugin - Gmail App - IMAP Accounts

August 20, 2025

I noticed during BelkaCTF 7 that ALEAPP didn’t extract all the emails as Belkasoft. This of course led me down the path of seeing how I could go about writing one and contributing it to the project. I actually wrote about this in yesterday’s post and how to recover the information manually.

Read More

Conference talk prep

August 17, 2025

Taking a break from Volatlity 3 and MemProcFS by doing some more preparation for my upcoming talk at BSides NYC. My rough draft consists of 8 slides including title, intro, and Q&A for a 25 minute talk. Should be a nice, succinct and informative talk. I need to make them look nicer and more engaging with color/pictures as they’re just currently textual talking points. I’m also incredibly nervous as this will be a day of many firsts:

Read More

Memory Forensics - Windows Notepad Part 4

August 16, 2025

I spent a little time today attempting to recreate my work in Volatlity 3 using MemProcFS. Helpful to see gaps/differences or possibly to see if I’m using a tool incorrectly. Initially, I found the absence of the settings.dat and Helium registry files in Volatility 3 to be a little odd. I figured that they would show up in the handles or filescan plugin. It is possible that filescan would find them; but I was getting an error about charmap and haven’t had the chance to troubleshoot.

Read More

Memory Forensics - Windows Notepad Part 3

August 15, 2025

Making more progress while reinforcing what I’ve learned in the past. What we saw yesterday was an MFT entry as evidenced by the “FILE0” at the start. Just to recap my goal for this research:

Read More

Memory Forensics - Windows Notepad Part 2

August 14, 2025

Yesterday I left off with the mystery of the missing TabState file and today I had a little time to dump the physical memory pages that are mapped to the notepad.exe process. To reduce the number of variables in the memory capture, I cleared out all the state and *.dat files associated with Windows Notepad and opened a test text file. The text file had the following contents:

Read More

Memory Forensics - Windows Notepad Part 1

August 13, 2025

A few months back, I had a post on using Volatility 3 to look at Windows Notepad. I had encountered issues with the symbol table and one thing that I had neglected/ignored was that the memory dump was acquired from a Hyper-V machine. I finally found some time to do some testing on a physical machine running Windows 11 23H2 and everything works as expected. I’m hoping to get a moment to test on a Windows 11 24H2 computer.

Read More

Windows Snipping Tool - Part 1

August 9, 2025

Let us get into more detail about my previous post about poking around Windows Snipping Tool. Today, I’ll be focusing on two specific values being stored in the LocalState key in the settings.dat file which is located at %localappdata%\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\Settings. The Windows Snipping tool has the option to automatically save any screenshots or recordings to a default location. This default location can be changed by the user. In the screenshot below, we can see that the screenshot location has been set to C:\Users\User\Desktop\SnipFolderTest\30 and the recording location has been set to C:\Users\User\Desktop\examine.

Read More

Application Settings Container - Subkeys!

August 8, 2025

Yesterday, as I was diving into the Photos application in Windows with my registry plugin I noticed that there were subkeys to the LocalState key. I had not expected to see subkeys as nothing in the Microsoft documentation had led me to believe this was possible. I just ASSUMED it wasn’t possible. In the screenshot below, you can see an “Exp” subkey and subkeys to that subkey.

Read More

Poking Windows Snipping Tool aka Screen Sketch

August 7, 2025

While working on the registry plugin to read the settings.dat files associated with various Windows packaged apps https://ogmini.github.io/2025/08/06/Registry-Plugin-Application-Settings-Container-(RECmd-and-Registry-Explorer).html, I did some testing against some other applications such as Snipping Tool and Photos. Much like Windows Notepad, these are default software on Windows 11. To put it bluntly, the plugin has already proved useful to me in looking for the various digital artifacts that these might leave behind.

Read More

Registry Plugin (RECmd and Registry Explorer) - Application Settings Container

August 6, 2025

I’ve been researching the settings.dat file that you will often find associated with various Windows packaged apps that might be distributed via the Windows Store or .msix files. You can see prior posts at https://ogmini.github.io/tags.html#Registryhive. Andrew Rathbun had suggested adding support to RECmd/Registry Plugins to be able to read these values. I’ve finally carved out some time to figure it out and I have a working Registry Plugin. Still need to finish handling some of the lesser used Value Types before I submit the PR.

Read More

Conference talk and other updates

July 31, 2025

My talk proposal was accepted a few days back! Excited and nervous at the same time. I’m not sure how much is appropriate to talk about yet; but I’m now focused on polishing my slides and material. I’ll definitely be practicing with some friends as an audience.

Read More

Velociraptor - Artifact Windows Notepad

July 30, 2025

Just submitted an Artifact to the Velociraptor Artifact Exchange for Windows Notepad that leverages my WindowsNotepadParser. I’m pretty sure the YAML can be significantly improved. I’m hoping for some feedback and suggestions. It works fine; but requires creating a folder on the client to save the csv files. There should be a way to save them to the temp directory. I wasn’t able to get that to work though.

Read More

BelkaCTF 7 - Volatility 3 vs MemProcFS

July 27, 2025

I encountered an interesting situation during BelkaCTF 7. This is not a writeup for one of the challenges but will give the solution as part of examining the oddity I experienced. I’m hoping that someone might be able to shed some light on the reason for the difference or if I did something incorrectly. One of the challenges required dumping a process from memory for further analysis. What is baffling is that I’m pretty sure that Belkasoft X uses Volatility 3 for processing memory images. But using Volatility 3 manually did not work for me. I ended up getting the right answer with MemProcFS.

Read More

BelkaCTF 7 - Stranger Dfings Closing Out

July 26, 2025

I think I’m done with the challenges. I have theories on how to attack some of them; but they aren’t working out. I’m currently sitting at 25 and the top individual from the USA on the scoreboard. I’m sure that will change as I sleep tonight. Looking forward to seeing the solutions and I will be posting my own writeups in the future. As always, there are multiple ways to solve a challenge.

Read More

BelkaCTF 7 - Stranger Dfings Live

July 25, 2025

Short post today as I’m in the middle of the BelkaCTF 7. Making slow progress in the challenges. I’m currently working on #7 which is listed as Hard. It definitely is… A little bit stumped on how to attack this one. Is it OSINT? Memory Analysis? API? I might have to skip this one. Looks like I’m in good company as 6 other people are at the same exact stage as me at the moment and a bunch of people have already skipped it.

Read More

BelkaCTF 6 - Bogus Bill Tasks 1-5

July 24, 2025

Did a few of the tasks from a previous BelkaCTF as a warmup for this weekend. Solutions are written using Open Source or Free tools. I like to validate the findings from tools whenever possible. I’ve always appreciated that iLEAPP provides the location of where it found artifacts so that an analyst can manually parse if needed.

Read More

BelkaCTF 7 - Stranger Dfings Prep

July 23, 2025

Running out of time to register at https://belkasoft.com/belkactf7/ for the BelkaCTF #7: Stranger Dfings on July 25th! As of writing this post, there are just under 1000 participants. I’ve prepped my workstation and I’m as ready as I’m ever going to be. On their LinkedIn page, they’ve dropped a few “warm up” tasks/hints from previous CTFs:

Read More

CFP Submission - Finalizing Submission

July 17, 2025

Deadline for submission is July 19th, 2025. Just putting some last minute polish and reading over the description and outline. Imposter syndrome is kicking into high gear. I just need to remember that I’m just talking about MY experiences and MY thoughts on the subject. I am not trying to sell anything or convince anyone of anything.

Read More

Hackers N' Hops CTF - Part 2

July 16, 2025

So, our team has already finished the 6 challenges for the Hackers N’ Hops CTF. I stole sometime during vacation to participate as we collaboratively solved a few of them on Discord. When I get back, I’ll be attempting to solve the ones I didn’t do with them.

Read More

Hackers N' Hops CTF

July 15, 2025

A few of us are participating in the Hackers N’ Hops CTF. A nice laid back CTF as they describe it. I like that there is plenty of time to participate. Ends on July 26th, so gives me time to give it a shot AFTER vacation. I might be tempted to poke at it though before I get back… One of my friends has already solved 2.

Read More

All the Things I’m Working On (a.k.a. Too Many Pokers in the Fire)

July 11, 2025

I’ve got a lot of pokers in the fire right now. Some are personal challenges, some professional, some pure curiosity — but all of them are active. At any given moment, I’m juggling half a dozen tasks that feel urgent or important, or just too interesting to let go. So I figured I’d step back for a moment and write them all out — to share what I’m working on, and maybe to get a better handle on it myself.

Read More

Registry Hive - Data Types Part 8

July 10, 2025

A good reminder that we always, always need to test/verify. Looks like my assumption from a previous post about the identifier for each CompositeValue types was wrong! They do not ascend in order.

Read More

Cleanup / Linting / Updating

July 9, 2025

Spent today cleaning up the blog and fixing some Markdown syntax via Linting. All the tags should be fixed and working now. Also worked on updating the documentation on https://github.com/ogmini/Notepad-State-Library to be inline with all the research I’ve posted on this blog. One thing that I really need to finish is the Changelog for Windows Notepad that I left off with this post.

Read More

Registry Hive - Data Types Part 6

July 6, 2025

OK, feeling more confident after today’s session. What I previously was calling a ValueLength seems to actually be the part that is telling me the data type. Below is this current work in progress. It still isn’t fully complete/right. Namely, I’m unsure how to correctly calculate the DataLength.

Read More

Registry Hive - Data Types Part 5

July 5, 2025

Unsure, if I’m making progress on the CompositeValues. I’m really stuck trying to figure out the structure. Last I left off I had the following theory:

Read More

Windows Notepad - Markdown Support Limitations

July 4, 2025

Markdown Support is pretty limited in Windows Notepad. You have a toolbar at the top that lets you choose your formatting options. Most helpfully at the bottom is a toggle between “Formatted” and “Markdown Syntax”. This lets you see and manually write the Markdown syntax.

Read More

Windows Notepad - Forced Save on Detecting Manipulation?

July 2, 2025

Came across an interesting behavior while doing some testing. Initially, I wasn’t able to replicate it. Early on in I would sometimes see the creation of a guid.bin.tmp file in the TabState folder. At the time I had brushed it off as it would “resolve” by deleting itself and nothing seemed to break. I theorized that it might be related to file locks and Windows Notepad trying to protect the integrity of the TabState files.

Read More

Zeltser Challenge - Sixth Month Accomplishments

July 1, 2025

Big milestone today, I’ve hit 6 months with no missed posts on the Zeltser Challenge. It is getting harder to find the free time to do research and write up posts as it is summer and the time for longer family vacations. July is going to be exceptionally challenging for this reason.

Read More

Thinking about that Windows Notepad

June 29, 2025

Driving, especially on long road trips, is when I do some of my best thinking. The 6 hour trip home gave me a lot of time to think about that Windows Notepad. My mind wandered and contemplated about a few topics:

Read More

RDP Timelining Tool

June 27, 2025

Came across a very succinct post about the “chain of RDP-related Event IDs” from Sujay Adkesar at https://thelocalh0st.github.io/posts/rdp/. They point out the importance of creating a narrative from logs and being able to visualize the timeline of events. I think this might be a fun standalone tool to write. I’m sure this ability probably already exists within various SIEMs and so forth.

Read More

Windows Notepad - Modifying TabState or WindowState Files

June 23, 2025

Had an issue submitted to the Notepad State Library repo asking how to reopen tabs that still exist as TabState files but are no longer present in the WindowState file. I had wondered if this was possible as there is a maximum number of supported tabs that you can have open in Windows Notepad. I have not actually tested this but it would make sense since the number of tabs is stored in the WindowState file as a LEB128.

Read More

Registry Hive - Data Types Part 4

June 22, 2025

Still stuck on the CompositeValue and this is a reminder that most of my posts are daily updates on what I’m working on. This is where I currently stand and I have a feeling the fix is easy and I’m just unsure on how to account for it within 010 Editor’s Binary Templates.

Read More

My Methodology for Reverse Engineering Binary Files

June 21, 2025

I realized today that I was pretty vague in my previous post about HOW I personally go about reverse engineering binary files such as settings.dat and the previous tab/window state files for Windows Notepad. I would love to hear from others about their methodology or any tips/tricks they have. I feel like this is somewhat of an inexact science with many different paths to get the same result. Some people may try to decompile or reverse engineer the executable that is writing to the binary file. Others may perform various tests and note what changes are seen in the binary files. What follows below is my methodology:

Read More

Registry Hive - Data Types Part 3

June 20, 2025

And we’re back online! I have a really simple program to help test and reverse engineer the settings.dat file. Helps me narrow down changes as I’m able to control the inputs by altering values and such. Quick snippet below for those interested. It isn’t anything fancy.

Read More

Registry Hive - Data Types Part 2

June 19, 2025

Currently, writing this with no power and internet. Luckily, I made progress earlier in the day with writing a testing/validation UWP application. The 36 data types lines up with what I’m seeing and testing. I’m still working on reverse engineering the Composite Value key.

Read More

Registry Hive - Data Types

June 18, 2025

While continuing to research the settings.dat file, I came across a Github repo specifically for editting settings.dat files related to UWP applications. Perusing the code revealed something interesting related the the Data Types I had spoken about yesterday. Previously, I had known of 4 from looking at Windows Notepad. The code actually outlines 36! https://github.com/ADeltaX/UWPSettingsEditor/blob/master/src/UWPSettingsEditor/Enums/DataTypeEnum.cs.

Read More

Registry Hive - Revisiting Documentation

June 17, 2025

After yesterday’s post, I went back to reread what I consider the bible on the regf file format written by Joachim Metz. You can find it at https://github.com/libyal/libregf/blob/main/documentation/Windows%20NT%20Registry%20File%20(REGF)%20format.asciidoc. I find it is very useful to go back and reread documentation AFTER getting hands-on with the subject matter. You often can connect dots that you hadn’t previously and previously innocuous data will leap out at you as being very important.

Read More

010 Editor - RegistryHive Binary Template

June 16, 2025

Spent a few minutes today making an update to the RegistryHive.bt for 010 Editor. I had previously updated it to handle the application hive types described in this post. I had noticed that when using it to examine the settings.dat files for Windows Notepad it would sometimes throw an error on one test system but not another. It was attempting to read bytes at an address that did not exist. I’m unsure why the inconsistency and I want to dig into it a little more. It is possible the Binary Template isn’t completely handling the file correctly.

Read More

Microsoft Paint - Application Hive

June 14, 2025

Microsoft has been updating Paint, Snipping Tool, and Notepad at a pretty good pace recently. Mainly pushing AI… You can read more about some recent future updates at https://blogs.windows.com/windows-insider/2025/05/22/paint-snipping-tool-and-notepad-updates-with-new-features-begin-rolling-out-to-windows-insiders/. All three of them are very similar in how they might store settings and other digital artifacts. This shouldn’t be a surprise as I believe they are all Windows App SDK or UWP based. Yesterday’s post, gave me a good reason to actually go take a quick look at Paint.

Read More

Windows Notepad - Revisiting Application Hive

June 12, 2025

Let’s keep this ball rolling! Two different things I’m still looking at in more detail to understand them as much as possible. The first was a reminder by @M4shl3 to look at the User.dat who recently left a comment on yesterday’s post. The second is more keys in the settings.dat that I had somehow missed previously or are new and a datapoint that isn’t so obvious depending on how you look at the file.

Read More

Windows Notepad - Find/Replace/Bing

June 11, 2025

As is often the case, investigating something new leads to finding more new stuff that I hadn’t noticed before. The settings.dat application hive stores a few more digital artifacts that I had not documented previously. There are four more keys and a network/browser history artifact.

Read More

Windows Notepad - Recent Files (New Option)

June 10, 2025

I need to get back to documenting the changes in Windows Notepad. I left off on version 11.2410.20.0 with my last post back on 4/27/2025. I’m going to skip ahead as Microsoft added a new “Recent Files” option. I have not yet identified which specific version introduced the change. I’ll go back to that project at some point.

Read More

SSD Forensics - Flex Capacity

June 8, 2025

I saw a recent post by Oleg Afonin about the implications of how TRIM works on various SSDs. I would suggest reading his article as it dives into some very important distinctions when potentially imaging SSDs. It reminded me of a research article I came across during my classes at Champlain.

Read More

The DFIR Report - Public CTF - Part 2

June 7, 2025

First and foremost, the June 2025 Public CTF from The DFIR Report was a very enlightening experience. It really highlighted a need to gain a deeper understanding of how to efficiently query Splunk or other SIEMs. I came into this with 0 prep and no experience beyond the theoretical and some classwork. The CTF centered around using your chosen SIEM which in my case was Splunk to investigate a cybersecurity incident. The DFIR Report classifies all their material as TLP:RED so I will only be speaking in generalities. I highly encourage anyone even remotely interested to try their Labs/CTFs. I had been on the fence about paying for their labs because it actually seemed to cheap. I was worried that it would provide no value or learning. If this CTF was any indication of the quality of their other labs. The value is immense.

Read More

The DFIR Report - Public CTF

June 6, 2025

Saw a post on LinkedIn from Kostas Tsialemis about their upcoming public CTF. I have read their site and contemplated entering one of their public CTFs in the past. Just never got the nerve to actually try it. Kostas was giving away 2 free entries and I ended up getting one. Thanks for the opportunity.

Read More

Windows Notepad Parser - Documentation Update

June 5, 2025

No major changes to Windows Notepad Parser. Yogesh Khatri helpfully pointed out that I had not actually documented the command line arguments and it appeared that the program would only work on a live machine. I thank him for opening an issue to point this out.

Read More

RDCMan - Cracking DPAPI w/mimikatz

June 4, 2025

This is nothing new and has been around for years. But it is good practice to validate and try it yourself. You can retrieve the password(s) from *.rdg files using tools such as mimikatz and its various derivatives. I specifically tested with mimikatz against a test *.rdg file. As usual, I had to disable Windows Defender. The following command will reveal all:

Read More

Remote Desktop Manager - Artifacts Part 7

June 3, 2025

The 2025 NYS Cybersecurity Conference has been great so far and there is still one more day of presentations. I’m going to digest everything a little bit before posting my thoughts and experiences. Instead, I’m going back to Remote Desktop Manager and the ability to store attachments or files to a connection. Again, maybe useful for storing a script or some other file. The Connections.db stores the information related to this artifact in the Attachment table.

Read More

2025 New York State Cybersecurity Conference

June 2, 2025

Short post, just spent a few hours driving up to Albany, NY and I just checked into my hotel. All ready to attend the 2025 New York State Cybersecurity Conference. A lot of interesting talks and presentation.

Read More

Zeltser Challenge - Fifth Month Accomplishments

June 1, 2025

Another month and I’ve been at the Zeltser Challenge for five months so far and still have not missed a post. The absence of David Cowen’s Sunday Funday challenges has made this a little more difficult. Though, it has forced me to channel my energy into other pursuits. Previously, I generally had a guaranteed topic or area to look at every week. I could choose to ignore it or attack it. So what happened in May?

Read More

Remote Desktop Manager - LOLRMM

May 31, 2025

As I continue to explore various tools such as Remote Desktop Manager. I feel it is very important to add to the existing knowledge base with open documentation and contributing to open source projects.

Read More

SANS - Ransomware Summit 2025

May 30, 2025

Had the pleasure of listening to some great talks at the online SANS - Ransomware Summit 2025. I particularly enjoyed the Hands-On Workshop put on by Mari DeGrazia titled “Forensic AI, Your Way: A Local LLM Installation”. The workshop we participated in is part of the SANS FOR563 course as a lab and you can find more information at https://for563.com/. My main takeaway is that a local LLM can be powerful when used appropriately.

Read More

RDCMan - Verifying DPAPI Activity

May 27, 2025

Followup to a previous post about logging DPAPI activity and verifying that RDCMan does leverage DPAPI/CryptProtectData to protect passwords. I’m happy to report that everything checks out and behaves as expected!

Read More

Random Thoughts - System Naming

May 26, 2025

Had a lot of time to think during the Memorial Weekend holiday. My mind wandered to the naming scheme I have for system at home/work. It has changed over time from just leaving it at the default to funny names to role based names. How do you name your systems? Are your servers named after their roles? Are your computers named after their serial numbers? Are they completely randomized?

Read More

Remote Desktop Manager - Artifacts Part 6

May 25, 2025

Another quick post as its Memorial Day weekend! I took a few minutes today to continue looking at what the master key actually encrypts. Yesterday we looked specifically at the tables related to Connections. Today, I’m looking at the tables related to documentation which I documented in Part 4.

Read More

Remote Desktop Manager - Artifacts Part 4

May 23, 2025

Quick post today as it is the start of the Memorial Day weekend! Remote Desktop Manager has the ability to add documentation to a connection. Useful for keeping notes, processes, and documentation in a place specifically related to that system. It is similar to a OneNote Notebook. The Connections.db stores the information related to this artifact in the following tables:

Read More

Remote Desktop Manager - Working on SQLECmd Map

May 22, 2025

In the middle of finishing up a SQLMap for SQLECmd. Handy tool that can pull out targetted information from mapped SQLite databases and export them to CSV/JSON for ingestion by other tools such as Timeline Explorer. Pretty straightforward process and if you can write a SQL query, you can make a SQLMap for SQLECmd.

Read More

Remote Desktop Manager - Artifacts Part 3

May 21, 2025

Busy day at work today. Didn’t have much bandwidth to poke around Remote Desktop Manager. I’ve always found it useful to utilize Database Diagrams to both understand and explain a database’s data structure. For SQLite databases, I use a tool called Dbeaver to easily auto-generate the Database Diagram for me and give me a good base to start better documentation. Oddly, I still prefer using SQLite Browser to examine the data. I’ve attached the generated image below.

Read More

Remote Desktop Manager - Artifacts Part 2

May 20, 2025

I submitted a Kape Target for Remote Desktop Manager. I fully expect that I’ll be making changes to the Target even if it is to just update the documentation. Since yesterday’s post, I’ve found a few things that I missed/glossed over initially.

Read More

Remote Desktop Manager - Artifacts

May 19, 2025

Remote Desktop Manager from Devolutions is an alternative to RDCMan that offers more features and centralized capabilities. You can read more about the them on their website - https://devolutions.net/remote-desktop-manager/. Today, I’ll be looking at version 2025.1.38.0 of the “Free edition” on Windows 11 24H2 to see what digital artifacts it leaves behind. For now, I’ll be using the default installation using the installer and not the standalone version.

Read More

DPAPI - Audit DPAPI Activity

May 18, 2025

Came across a post on LinkedIn recently about enable “Audit DPAPI Activity” in order to see event logs related to DPAPI calls. The post is coming from the standpoint of detecting anomalous actions in a SIEM or other tool.

Read More

Saturday CISSP Prep

May 17, 2025

Spent some of the day prepping for my CISSP exam. Still chipping away at the practice exam questions. I have to buckle down and just rip out the rest of the questions and schedule the exam. I know the material; just need the confidence.

Read More

ChatGPT Desktop - Kape Target

May 16, 2025

Just submitted a Target to KapeFiles for ChatGPT Desktop. I realized one didn’t exist and I had done research into its artifacts for one of David Cowen’s Sunday Funday challenges. It will grab:

Read More

Volatility3 - Windows 11 24H2 Memory Dump issues?

May 13, 2025

Had a little bit of time today to start an attempt at using Volatility to look at Windows Notepad. Sadly, I immediately encountered some issues and went into troubleshooting mode. I used both FTK Imager and DumpIt to obtain memory dumps from my test Windows 11 24H2 26100.3775 install just to make sure it wasn’t an issue with the tool I was using. I also downloaded an older Windows 11 sample memory dump from https://www.osforensics.com/tools/volatility-workbench.html. This loaded up fine in Volatility3 and I was able to examine it as expected. The windows.info plugin provided the information below:

Read More

Reading up on Volatility

May 11, 2025

Following up on yesterday’s post, I’ve started refreshing my knowledge and looking for useful articles on Volatility. I came across a Volatility 3 Cheatsheet from Ashley Pearson. I like the command comparisons between Volatility 2 and 3. There is of course Andrea Fortuna’s multiple articles on Volatility - https://andreafortuna.org/. I made extensive use of these during my coursework. If anyone has any other useful references, please share!

Read More

Volatility - Plugin?

May 10, 2025

I’ve been wanting to dabble more with Volatility beyond the standard CTF or assignments that I had in my courses. I recently came across a post talking about using Volatility to recover text from Notepad (The old version) for a CTF Challenge. I think it would be a fun exercise to write a Volatility plugin to specifically scan and parse out the Unsaved Buffer Chunks from active Windows Notepad sessions.

Read More

Researching RDCMan - Part 3

May 9, 2025

Was poking around the Recent Virtual Group settings and it looks like I discovered a bug in the latest version (v3.1) of RDCMan. I’ve already reported it so hopefully it will get fixed. Would be a useful forensic artifact to have! It does work as expected on an older version of RDCMan that I still have (v2.93). So the below testing has been done on that version.

Read More

Researching RDCMan - Part 2

May 7, 2025

Andrew Rathbun pointed out an interesting anomaly that I didn’t pick up on related to the versioning. Sysinternals announced on their blog on 5/5/2025 that RDCMan v3.0 was released. The version listed on the documentation which was updated on 5/5/2025 was v3.1. Maybe just a quick stealth patch. Checking the executable shows the version as 3.1.0.0 and it reports as v3.1 from the About.

Read More

Researching RDCMan

May 6, 2025

Going back many years, I’ve used RDCMan or Remote Desktop Connection Manager extensively as a Systems Administrator. The price was right ($free) and it had all the features I needed to easily be able to remote into multiple servers. It is now a part of Sysinternals and up to version 3.1 as of this post. This looks like an interesting application to research from a forensic investigation standpoint. What artifacts does it leave behind and what can be gleaned from its configuration files.

Read More

Microsoft Edge - AutoFill Database

May 5, 2025

I follow Phill Moore’s great This Week in 4n6 weekly roundup as it is an awesome way to learn and keep up to date with various cybersecurity topics. I highly encourage you to follow his weekly roundups. His work is greatly appreciated. Maybe we should bring back webrings?

Read More

Revisiting ShimCache/AmCache

May 4, 2025

I came across a great writeup from Chris Ray over at Cyber Triage on ShimCache and AmCache. I made a post back on 4/20 about wanting to revisit various Windows Artifacts including ShimCache and AmCache. I really like Chris’s writeup because it is clear, organized, and easy to read. I would highly suggest reading it even just as a refresher.

Read More

Zeltser Challenge - Fourth Month Accomplishments

May 2, 2025

The fourth month of the Zeltser Challenge has been rather successful now that I’m looking back on my posts. I buckled down and finished reading all the material for the CISSP examination. I’m currently doing practice exams. I also participated and won three of David Cowen’s Sunday Funday Challenges:

Read More

CISSP Practice Questions

May 1, 2025

Not a very interesting post today. Spent the evening doing some practice questions in the CISSP book. I always find the scenario questions with names and fake companies funny. I do like them though, as they are a good way realistic question/way for people to think about situations and how to handle them.

Read More

Thoughts from a Developer on the Truth in Data Podcast

April 29, 2025

I’ve been listening/watching Hexordia’s Truth in Data Podcast on Youtube and the latest episode really resonated with my personal reasons for exploring DFIR. Jessica Hyde, Kim Bradley, and Debbie Garner interviewed Alexis Brignoni about open source code and how it relates to forensics. I’m going to pick out a few tidbits that jumped out at me. I do highly encourage everyone to give it a listen/watch. It is also on various podcast platforms in addition to Youtube.

Read More

macOS Forensics Books/Resources

April 28, 2025

With the impending delivery of my new Macbook Air, I’m compiling and reading resources on macOS forensics. I’d love it if anyone had any other suggestions for resources!

Read More

MacOS / CISSP Practice Tests

April 26, 2025

Got my “Official Practice Tests” book from ISC2 this week and spent some time doing some questions today. I did not realize that it actually has 100 questions on the 8 domains AND four practice tests. I’m hoping to get through all the questions by mid-May with a goal of trying to schedule an exam for April. I recall that test times/dates fill up pretty quick around me when I scheduled my CSSLP exam.

Read More

Windows Notepad - Version Changes (11.2408.12.0)

April 24, 2025

Continuing to document the version changes to Windows Notepad state files and today we’re comparing version 11.2407.9.0 to 11.2408.12.0. This could be useful if you somehow come across an older version of Windows Notepad on a system that is being investigated. For more details refer to https://github.com/ogmini/Notepad-State-Library. Unfortunately, I have been unable to track down the installer for 11.2404.10.0 and I don’t seem to have a VM Snapshot with that version. If anyone happens to have that version, please reach out!

Read More

Windows Notepad - Version Changes (11.2407.9.0)

April 23, 2025

During my initial research into Windows Notepad, I had noticed changes to the format of the state files and what was being stored or not stored in them. The initial version that I had torn apart was 11.2402.22.0. This post is the first part in going back to the previous versions and documenting changes. This could be useful if you somehow come across an older version of Windows Notepad on a system that is being investigated. For more details refer to https://github.com/ogmini/Notepad-State-Library. I will be documenting the changes from 11.2402.22.0 to 11.2407.9.0. Unfortunately, I have been unable to track down the installer for 11.2404.10.0 and I don’t seem to have a VM Snapshot with that version. If anyone happens to have that version, please reach out!

Read More

Revisiting Prefetch

April 21, 2025

My 4/20 post has set me on a path to revisit Windows Artifacts. I’m going to start with revisiting Prefetch by looking at existing research to gain a base of understanding.

Read More

CISSP - Practice Tests

April 19, 2025

Short post for today as I’m enjoying the weather! I finished going over the all the material for the 8 domains on the CISSP exam. I’m currently doing practice questions and just ordered the official practice exams from ISC2. Once that book arrives, I plan on ripping through those and scheduling the exam.

Read More

Exploring KQL

April 12, 2025

Started looking into Kusto Query Language (KQL) in part due to a previous post/challenge on Cloud Log Delays. I would consider myself proficient with writing SQL queries and it has been a very useful skillset in my current career. The ability to quickly query large structured databases to report on or search for information has been a boon. Being able to whip up a query to answer a question about students—like “Which students are enrolled in all the courses required for their major but have not yet completed any elective courses, and what is their expected graduation date based on their current course load?”—never fails to elicit stares of awe.

Read More

David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Part 2

April 10, 2025

Getting some work done on this challenge; but I am not very confident that I’ll find much before the deadline. As a quick note for anyone else trying to run Docker or really anything that results in nested virtualization. You need to set ExposeVirtualizationExtensions to true for Hyper-V https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization.

Read More

The Day Job - Security/DR Planning

April 9, 2025

For every organization with important assets, there should be security/DR plans in place that are maintained, updated, and tested. As part of my recent role change to Interim CIO, I’m reviewing all of our security/DR plans with my team. Without going into much detail, all of our plans and information are documented but are a bit disjointed and in need of a polishing to make them easier to follow. It is handy that I’ve been studying for my CISSP certification as this exercise overlaps completely with the material. Knowledge in practice as they say. We are a small team in the grand scheme and I have to wear multiple hats including that of the CIO and CISO.

Read More

CISSP - Domain 8

April 7, 2025

OK, Domain 8 really is the CSSLP with a heavy emphasis on integrating security into the development process.

Read More

CISSP - Domain 7

April 6, 2025

Domain 7 feels a bit like a rehash of my coursework. It focuses on managing incident reponses, preparation, disaster recovery, and business continuity. Pretty straightforward.

Read More

CISSP - Domain 6

April 5, 2025

Continuing our roll on CISSP study with Domain 6 today. Would you believe that there is more overlap with the CSSLP again? This domain seems to really focus on how do you assess your security program and report on it.

Read More

CISSP - Domain 5

April 4, 2025

I’m starting to sense a lot of overlap with the CSSLP material. Which makes sense though there is a slightly different viewpoint.

Read More

CISSP - Domain 4

April 3, 2025

OSI, OSI, OSI! Domain 4 is at its heart about the OSI Model, its ramifications, implementations, and security implications. It hurts me that we still need to discuss technologies such as WEP. I’ve always been skeptical about the usage of Honeypots/Honeynets for normal businesses.

Read More

CISSP - Domain 3

April 1, 2025

Domain 3 for the CISSP is a huge chunk of information and easily the longest chapter in my study book. Again, a mixture of subjects that I’m comfortable with and some that trend to the less comfortable.

Read More

Zeltser Challenge - Third Month Accomplishments

March 31, 2025

The third month of the Zeltser Challenge has been tough as I’m fully getting into my role as CIO, restructuring the department, and getting acquainted with everything involved in this new role. This new role is very taxing mentally as I’m trying to juggle so many different projects, problems, and goals. Despite all this, I’ve still somehow managed kept to my daily post cadence.

Read More

CISSP - Stalled

March 30, 2025

I stalled out HARD in studying for my CISSP and my timeline fell apart. I had planned on being done with all 8 domains by this weekend and that is definitely not the case. I left off having finished Domains 1 and 2.

Read More

Reverse Engineering Rewrite API

March 29, 2025

Last week I started poking around the network traffic generated by Windows Notepad when it makes calls to Rewrite. I made a post about what I found using Wireshark and mitmproxy. Part of the purpose of this blog is to push my knowledge by forcing me to actually DO and not just read and learn theory. That last post on mitmproxy and Wireshark was a perfect example of the DO. I had known that it was possible to setup a proxy to intecept and decrypt traffic. I even knew the general steps and tools required to analyze that traffic. What I never had was the need to put this knowledge to practice. I can now say that I’ve done it.

Read More

SSH Artifacts in Windows 11 - Part 3

March 28, 2025

Continuing from yesterday’s post, we are looking at how to tell if someone is connected via SSH. I did not have time to look at SSH Tunnels. Please refer back to the main post for full details as this post will only talk about the tests and results.

Read More

SSH Artifacts in Windows 11 - Part 1

March 26, 2025

Continuing from yesterday’s post, we are testing for SSH artifacts when connecting to a Debian OpenSSH Server and a Windows 11 OpenSSH Server. Please refer back to the main post for full details as this post will only talk about the tests and results.

Read More

GaslitPad - DNS Communication

March 24, 2025

After releasing the first iteration of GaslitPad, I’ve been thinking about how to add some C2 or data transfer capability. The ideal case would be for the malware to send back information about opened files and more importantly, the unsaved buffer chunks as they are typed by the individual. You could essentially have a live window into the user’s notepad session and see what they are typing as they type it. Always funny to me that MS essentially has a keylogger built into Windows Notepad.

Read More

Beyond Sunday Funday - SSH Artifacts in Windows 11

March 22, 2025

Another successful entry/win to one of David Cowen’s Sunday Funday Challenges involving SSH in Linux https://www.hecfblog.com/2025/03/daily-blog-785-solution-saturday-32225.html. This of course begs the question, what artifacts are left by SSH on Windows 11 or other Windows flavors! Windows uses OpenSSH for the client and server implementations https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh-overview and this should make some of this research pretty straightforward when looking for artifacts specific to OpenSSH. Just as a quick example, the known_hosts file acts the same and is in essentially the same location as on Linux.

Read More

The Intersection of DFIR and IT Troubleshooting

March 20, 2025

In the world of Digital Forensics and Incident Response (DFIR), the line between traditional IT troubleshooting skills and forensic investigation isn’t as wide as it might seem. Both disciplines require a strong foundation in understanding system behavior, analyzing logs, and identifying the actions of users. A skilled IT professional is adept at navigating logs and system reports to identify irregularities, similar to a DFIR investigator who examines system artifacts, event logs, and network traffic to reconstruct incidents. The key similarity is the ability to trace actions across systems, understand what was done, and pinpoint where things went wrong. Whether it is identifying a user’s misstep during a hardware/software failure or determining the sequence of events leading to a security breach, both skill sets are rooted in keen investigative abilities and a methodical approach to troubleshooting.

Read More

Windows Notepad - Rewrite / AI Part 5

March 19, 2025

Continuing from Part 4 on researching Windows Notepad - Rewrite. Taking a little detour and looking at the Correlation Vector. I don’t think this will be useful for anything; but I’ll doument what I’m seeing. Maybe someone will recognize this or knows more than me and can reach out with more details!

Read More

Windows Notepad - Rewrite / AI Part 4

March 18, 2025

Progress has been made since Part 3 in relation to the network traffic and API calls. As we discovered earlier, Windows Notepad makes API calls to apsaiservices.microsoft.com using TLSv1.3. I’ve now successfully decrypted the calls and I’m making progress in understanding the traffic.

Read More

Magnet Virtual Summit 2025 CTF - AAR "Hidden Spirits"

March 15, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups page.

Read More

Magnet Virtual Summit 2025 CTF - AAR "100X Scale"

March 13, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups page.

Read More

Magnet Virtual Summit 2025 CTF - AAR "Capital Offense"

March 12, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups page.

Read More

Magnet Virtual Summit 2025 CTF - AAR "Dressing, with a dash, of 17 spices"

March 11, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups page.

Read More

Magnet Virtual Summit 2025 CTF - AAR "Pigs in a Blanket"

March 10, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups page.

Read More

Windows Notepad - Rewrite / AI

March 8, 2025

Microsoft had previously added Rewrite to Windows Notepad on their dev release channels. It is now live to the public as of Windows Notepad Version 11.2412.16.0 and requires a subscription to Microsoft 365. I’ve already partially updated some of my documentation to note the new Application Hive entries related to Rewrite.

Read More

picoCTF

March 7, 2025

Found out about picoCTF a few days ago and decided to give it try with a few friends as a team. I would rank all of us as newcomers to CTFs. This competition is mainly meant for High Schoolers but is open to anyone to at least experience it. It runs from 3/7/2025 to 3/17/2025 so gives us a lot of time to take on the challenges in between our normal work. This is the first time I’ve formed a team to compete in one of these. We’re mainly just bouncing ideas off each other and sharing hints while indepedently tackling flags.

Read More

Magnet Virtual Summit 2025 CTF - AAR "ICONic green bubbles"

March 1, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups page.

Read More

Magnet Virtual Summit 2025 CTF - AAR "Dead Portrait Society"

February 26, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge. You can find all my writeups page.

Read More

Magnet Virtual Summit 2025 CTF - AAR "A Shadow of the Real Thing"

February 24, 2025

Continuing with my writeups on my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge.

Read More

Magnet Virtual Summit 2025 CTF - AAR "The SPIRITs are among us"

February 23, 2025

I’m going to flip the script for the typical writeups you see for CTFs and talk specifically about my “fails” or the ones I just couldn’t figure out in the timeframe alloted. I want to talk about how I went about trying to solve the challenge and where I went wrong. This should help me in the future by highlighting weaknesses and areas for improvement. Each post will focus on just one “fail” challenge.

Read More

Investigating Visual Studio Code - Part 3

February 22, 2025

Continuing from Part 2, the existence of the History folder threw me for a bit of a loop as I use other tools such as Git or TFS to handle versioning and history. There is a setting under Workbench related to Local History that is enabled by default. You can see the options in the screenshot below.

Read More

KAPE Target - Windows Notepad WOOPS

February 21, 2025

Looks like Andrew Rathburn had already created a Target for Windows Notepad! I somehow didn’t notice it because I only checked the Apps folder and not the Windows folder. I’ve updated it to pull the Window State *.bin files and the settings.dat Application Registry file. I also added a link to my documentation on the file format and behavior.

Read More

KAPE Target - Windows Notepad

February 20, 2025

Finally got a few minutes to start working on writing the KAPE Target for Windows Notepad. It will grab the Tab State, Window State, and settings.dat files that I’ve talked about in my research. Pretty straightforward process and I just want to do a little more testing and make sure I have everything right before I submit a Pull Request.

Read More

Release - Windows Notepad Parser v1.0.2

February 19, 2025

Releasing Version 1.0.2 of Windows Notepad Parser https://github.com/ogmini/Notepad-State-Library/releases/tag/v1.0.2. This new version includes a .NET 8.0 dependent version and a standalone version that doesn’t need .NET 8.0 installed on the system. There is also a minimal branch that doesn’t include the ability to generate a GIF from the changes. The noticeable change is some formatting of the CSV files to reorder and remove unnecessary columns.

Read More

Investigating Visual Studio Code

February 15, 2025

I’ve begun to look at Visual Studio Code in my quest to document useful digital artifacts in various text editors. In a similar fashion to Windows Notepad and Notepad++, Visual Studio Code will keep unsaved content between sessions. After documenting what I can find I will use that knowledge to see how one might attack Visual Studio Code. Another project is slowly building in my head to write a unified application to attack text editors and their data.

Read More

Windows Notepad vs Notepad++ - Artifact Comparison

February 14, 2025

It is always interesting to look at two different approaches to the same problem. Both Windows Notepad and Notepad++ are at their core text editors that support tabs and have the ability to keep unsaved changes between sessions. How they approach these features differ and we’ll be talking about how these manifest themselves in the digital artifacts.

Read More

Playing with Cursor AI - Notepad++ Digital Artifacts

February 10, 2025

David Cowen recently introduced me to Cursor which is an AI Code Editor and he has a few posts on his blog about using it that you can find page. I wanted to play around with this and my recent work on researching Notepad++ gave me a good excuse as it provided a target that wasn’t too complex.

Read More

Notepad++ - Documenting Digital Artifacts Part 2

February 9, 2025

I think I’m done researching what digital artifacts can be retrieved from Notepad++. I’ve been able to confirm/validate the findings from Forensafe and I will be providing more detailed information about them below. As I stated in Part 1, there is no real complication to the digital artifacts and everything is human readable with any text editor. In a future post, I will be pointing out how Windows Notepad and Notepad++ achieve similar functionality while storing the information differently.

Read More

Notepad++ - Documenting Digital Artifacts

February 8, 2025

Stemming from my research into Windows Notepad, I think it would be fun to take a look at Notepad++ and maybe other text editors like Visual Studio Code to see what kind of digital artifacts we can uncover. Personally, I use Notepad++ and I’m sure it is a very popular text editor for many other people. I’m sure others have already looked and I’ve found information from Forensafe mainly showing how their tool can recover information. They didn’t go into many details on the page and I think it would be worthwhile to document that more fully in the open for all to see. It is also possible that changes have been made to Notepad++ since the article.

Read More

Starting Belkasoft CTFs

February 5, 2025

After completing the Windows Forensics with Belkasoft certification, I learned that Belkasoft has a bunch of different CTF challenges that are still available to practice and hone my skills. I also want to use this as an opportunity to improve my report writing and presentation skills. It is one thing to find evidence and another to present it to a non-technical audience. The plan is to start on the first one and just make my way through the list. You can find their CTFs at https://belkasoft.com/ctf.

Read More

CISSP - Domain 1 and 2

February 3, 2025

I’ve started studying for the CISSP exam and what follows are a recap and notes on Domains 1 and 2. So far, I’m finding the material pretty straightforward and things that I’m already doing in my professional life. As everyone says, you need to think like a management for this certification and I already do.

Read More

Zeltser Challenge - First Month Accomplishments

February 2, 2025

The first month of the Zeltser Challenge issued by David Cowen has been very educational and challenging! I have not missed a day though I totally threw my posting topic “plan” out the window and it has ended up being far more organic and closer to a diary of what I’m working on. So far, I know of the following fellow participants:

Read More

POC Malware - Part 3

February 1, 2025

Yesterday I posted about the plan to release GaslitPad next week and some of the future capabilities I wanted to implement. I ended up adding the “inverted” attack which I’m now calling the “Sleep Attack”. So that will be available in the first release. Just a reminder, this POC Malware makes no attempts at obfuscation or hiding its actions.

Read More

Diving Deep - LevelDB Part 5

January 30, 2025

LevelDB utilizes CRC32 for data integrity checks; but it doesn’t use the normal CRC32 algorithm. Reading the code comments it utilizes a masked representation of CRC32 because it is problematic to compute the CRC of a string that contains embedded CRCs. The code accomplishes this by rotating right by 15 bits and adding a constant of 0xa282ead8ul.

Read More

Diving Deep - LevelDB Part 4

January 29, 2025

Continuing work on the binary template file for the LevelDB .ldb files. Learning a lot and pushing my knowledge boundaries. I am definitely recreating prior research; but I find this is the best way to learn and also validate previous findings. It is also possible things have changed.

Read More

Diving Deep - LevelDB Part 3

January 27, 2025

Continuing my analysis of the ChatGPT Desktop App by creating binary template files to help me understand the LevelDB and IndexedDB databases. I personally find it useful to “visually” see the binary files structured in hex editors like 010 Editor and ImHex. It helps me know if I’m on the right track and it is pretty easy to later convert that to code for a tool.

Read More

CISSP - Study Plan

January 26, 2025

Time to get serious and study to pass the CISSP examination. Outlining my plan and giving myself a deadline will keep me motivated and on track. I picked up a copy of Destination CISSP 2nd Edition to serve as my study material since it had been updated for the revised exam.

Read More

Belkasoft - Windows Forensics with Belkasoft Part 2

January 25, 2025

Started on the Windows Forensics course from Belkasoft and I was happy to see that they explicitly mention that you can use other tools besides Belkasoft X. I did use Belkasoft X to work on the problems in order to get familiar and learn the software. What follows are some quick thoughts.

Read More

Belkasoft - Windows Forensics with Belkasoft

January 24, 2025

Belkasoft is offering a free course and certification on Windows Forensics using their software. More details can be found at this link - https://belkasoft.com/windows-forensics-training. It also provides 6 CPE credits. I just signed up and I’m hoping to complete the course this weekend. The content is obviously centered around using their tools and should be a nice introduction to them. I intend on using other free tools to get the same results. I’ve personally found it very educating to use multiple tools to retrieve and view artifacts from different lenses. After I complete the course, I’ll be posting about my impressions and thoughts.

Read More

ChromeCacheView / ChromeHistoryView

January 23, 2025

Continuing my work on David Cowen’s Sunday Funday challenge, I leveraged ChromeCacheView and ChromeHistoryView to look both at the Edge Browser and the ChatGPT Desktop App. I want to see if we can capture the user authentication process with timestamps and any artifacts related to uploaded files.

Read More

Diving Deep - LevelDB

January 21, 2025

While investigating the ChatGPT Desktop application in yesterday’s post, I came across an Electron App leveraging LevelDB databases. That of course led me to search for tools and research to help me parse and understand the LevelDB files.

Read More

Second Week Musings

January 19, 2025

It has been a busy week with multiple big changes on the horizon. Definitely feel like I have too many irons in the fire. Hopefully by next month, I can talk about them. Still fighting that imposter syndrome. What have I been able to accomplish this week though?

Read More

Homelab Part 2 - The Next Iteration

January 18, 2025

Parts have started to arrive for the next iteration of my next server. I’ll be keeping the same software stack as the current server and obviously repurposing the current server for other duties. In Part 3, I’ll talk about the thought process that led me to this configuration and what other options I investigated.

Read More

MSLab - Part 1

January 17, 2025

I’ve had a few free moments to test out MSLab and it seems very promising. By just downloading the scripts, two ISOs, and modifying 2 lines in a configuration script I was able to spin up a virtual network with a Server 2025 Domain Controller and two Windows 11 client machines that are already joined to the domain. When I’m done with the lab, I can just run the cleanup script and it removes all the VMs from Hyper-V. Redeploying the exact same lab again just requires running the deploy script with the appropriate configuration.

Read More

Investigating Lab Automation - MSLab

January 15, 2025

I am in the process of planning and building my next hypervisor for use in my homelab. Looking for infrastructure as code or scripting options to easily spin up test labs is proving to be an interesting journey. There are the standard options of Terraform, Ansible, Vagrant, and the various cloud vendor specific implementations.

Read More

Homelab Part 1 - The Current Setup

January 12, 2025

I’ve always run a few personal “servers” at home running simple services like Plex, file storage, etc. When I started my Master’s Degree, I wanted to setup a server to run Hyper-V so that I could keep all my coursework contained, backed up, and I could easily spin up VMs for exploration. Utilizing tailscale allowed me to access these VMs anytime, anywhere giving me the ability to easily work on assignments while on vacation or travelling.

Read More

K-12 Student Data - Why would anyone steal that?

January 9, 2025

Today, I was talking to a few people about the PowerSchool hack and the question was posed, “Why would anyone want student data?”. I was taken aback. In this post, I want to explore that question and give reasons why a threat actor would want this data with some hypothetical scenarios.

Read More

CISA IR Training - Defend Against Ransomware Attacks Cyber Range Training (IR209)

January 7, 2025

Just attended Defend Against Ransomware Attacks Cyber Range Training (IR209) offered by CISA. I talked about these in a previous post and would encourage those eligible to register. As always, the course was full of information with the added benefit of a virtual environment to play around in. I’m always amazed at how much they can pack into so little time. I only wish it was a full day course.

Read More

Expectations vs Reality - Digital Forensic Science Master's Degree

January 6, 2025

January 2022, I started my first course at Champlain College to complete my Master’s Degree in Digital Forensic Science. I’ll be making a few posts related to my experience with the coursework and my takeaways. It’s important to remember that everyone entering this program came from diverse professional and personal backgrounds. This diversity was both a strength and a challenge. On one hand, it sparked valuable discussions and brought differing viewpoints. On the other hand, students had widely varying expectations and skill levels, which led to inconsistencies in the perceived difficulty and usefulness of the courses. I mention this as my background will influence my viewpoint and my experience is and will be different from others. These posts are not meant to be a review of the program; but a recap of my experience and learning.

Read More

First Week Musings

January 5, 2025

When David Cowen posed this challenge for 2025, I knew it wouldn’t be easy. I may have underestimated how hard it would be though…

Read More

Certification and Training Plans for 2025

January 4, 2025

The main certification I want to complete for early 2025 is my CISSP after having already obtained my CSSLP certification in 2024. Hopefully, these weekly blog posts will help keep me on track and making forward progress towards that goal. I’ve already picked up my copy of Destination CISSP.

Read More

New Beginnings

November 14, 2024

This blog will document my exploration of Digital Forensics and Incident Response (DFIR) as I make the transition into this exciting field. More importantly, it will serve as a centralized place to store my notes, observations, and learnings.

Read More