Having fun while learning about and pivoting into the world of DFIR.
by ogmini
That was a very quick turnaround from my previous post and opening an issue on the Velociraptor repository. There is now an official artifact from this commit by Mike Cohen.
I still want to get better acquainted with Go and will be dissecting how they added varint support to the binary parser.
He did find my half finished test cases which initially caused some confusion as they appear to be messed up or at least out of date. This did give me the push to revisit my testing data and testing process. I never finished it. I’ve generated new testing data based on the current version of Windows Notepad (11.2504.62.0) and added it to the repository.
My new testing plan for when a new version is released:
This should hopefully let me detect any changes to the files that break the parser. I continue to be particularly interested in the Configuration Block, mainly the More Options. If I see that value go above 3, it will be an exciting time. Now, it is just a matter of DOING IT.
tags: #DFIR #Windows-Notepad #Velociraptor