ogmini - Exploration of DFIR

Having fun while learning about and pivoting into the world of DFIR.

About Blog Posts by Tags Research CTF/Challenge GitHub RSS

Posts organized by Tags

#010-Editor:

010 Editor - RegistryHive Binary Template - Jun 16, 2025

#AI:

SANS - Ransomware Summit 2025 - May 30, 2025
Playing with Cursor AI - Notepad++ Digital Artifacts - Feb 10, 2025

#ALEAPP:

ALEAPP Plugin - Gmail App - IMAP Accounts - Aug 20, 2025

#AmCache:

Revisiting ShimCache/AmCache - May 4, 2025

#Android:

Pixel 7 - Data Acquisition - Sep 11, 2025
Pixel 7 - Patching init_boot - Sep 10, 2025
Pixel 7 - Unlocking the Bootloader - Sep 9, 2025
Pixel 7 - Researching Rooting Options - Sep 7, 2025
ALEAPP Plugin - Gmail App - IMAP Accounts - Aug 20, 2025

#Apple:

Choices - MacBook Air or Google Pixel - Apr 17, 2025

#AutoFill:

Microsoft Edge - AutoFill Database - May 5, 2025

#Belkasoft:

BelkaCTF 7 - AAR New Name - Sep 8, 2025
BelkaCTF 7 - AAR Party Van - Sep 5, 2025
BelkaCTF 7 - AAR Junk Messaging - Aug 22, 2025
BelkaCTF 7 - AAR Banking - Aug 21, 2025
BelkaCTF 7 - AAR Workspace - Aug 19, 2025
BelkaCTF 7 - AAR Android - Aug 18, 2025
BelkaCTF 7 - AAR Puppetmaster - Aug 12, 2025
BelkaCTF 7 - AAR API Key - Aug 11, 2025
BelkaCTF 7 - AAR Command and Control - Aug 5, 2025
BelkaCTF 7 - AAR Infection - Aug 2, 2025
BelkaCTF 7 - AAR Sample - Aug 1, 2025
BelkaCTF 7 - AAR Locker - Jul 29, 2025
BelkaCTF 7 - Whoami - Jul 28, 2025
BelkaCTF 7 - Volatility 3 vs MemProcFS - Jul 27, 2025
BelkaCTF 7 - Stranger Dfings Closing Out - Jul 26, 2025
BelkaCTF 7 - Stranger Dfings Live - Jul 25, 2025
BelkaCTF 6 - Bogus Bill Tasks 1-5 - Jul 24, 2025
BelkaCTF 7 - Stranger Dfings Prep - Jul 23, 2025
BelkaCTF 7 - Stranger Dfings - Jun 25, 2025
Starting Belkasoft CTFs - Feb 5, 2025

#CTF:

BelkaCTF 7 - AAR New Name - Sep 8, 2025
BelkaCTF 7 - AAR Party Van - Sep 5, 2025
BelkaCTF 7 - AAR Junk Messaging - Aug 22, 2025
BelkaCTF 7 - AAR Banking - Aug 21, 2025
BelkaCTF 7 - AAR Workspace - Aug 19, 2025
BelkaCTF 7 - AAR Android - Aug 18, 2025
BelkaCTF 7 - AAR Puppetmaster - Aug 12, 2025
BelkaCTF 7 - AAR API Key - Aug 11, 2025
BelkaCTF 7 - AAR Command and Control - Aug 5, 2025
BelkaCTF 7 - AAR Infection - Aug 2, 2025
BelkaCTF 7 - AAR Sample - Aug 1, 2025
BelkaCTF 7 - AAR Locker - Jul 29, 2025
BelkaCTF 7 - Whoami - Jul 28, 2025
BelkaCTF 7 - Volatility 3 vs MemProcFS - Jul 27, 2025
BelkaCTF 7 - Stranger Dfings Closing Out - Jul 26, 2025
BelkaCTF 7 - Stranger Dfings Live - Jul 25, 2025
BelkaCTF 6 - Bogus Bill Tasks 1-5 - Jul 24, 2025
BelkaCTF 7 - Stranger Dfings Prep - Jul 23, 2025
Hackers N' Hops CTF - Part 2 - Jul 16, 2025
Hackers N' Hops CTF - Jul 15, 2025
BelkaCTF 7 - Stranger Dfings - Jun 25, 2025
The DFIR Report - Public CTF - Part 2 - Jun 7, 2025
The DFIR Report - Public CTF - Jun 6, 2025
Magnet Virtual Summit 2025 CTF - AAR "Hidden Spirits" - Mar 15, 2025
Magnet Virtual Summit 2025 CTF - AAR "100X Scale" - Mar 13, 2025
Magnet Virtual Summit 2025 CTF - AAR "Capital Offense" - Mar 12, 2025
Magnet Virtual Summit 2025 CTF - AAR "Dressing, with a dash, of 17 spices" - Mar 11, 2025
Magnet Virtual Summit 2025 CTF - AAR "Pigs in a Blanket" - Mar 10, 2025
picoCTF - Mar 7, 2025
Magnet Virtual Summit 2025 CTF - AAR "All of my work is gone!" - Mar 4, 2025
Magnet Virtual Summit 2025 CTF - AAR "The masked singer" - Mar 2, 2025
Magnet Virtual Summit 2025 CTF - AAR "ICONic green bubbles" - Mar 1, 2025
Magnet Virtual Summit 2025 CTF - AAR "YOU Watch a Lot of space Videos" - Feb 28, 2025
Magnet Virtual Summit 2025 CTF - AAR "DAdataTA" - Feb 27, 2025
Magnet Virtual Summit 2025 CTF - AAR "Dead Portrait Society" - Feb 26, 2025
Magnet Virtual Summit 2025 CTF - AAR "Out of the Ordinary" - Feb 25, 2025
Magnet Virtual Summit 2025 CTF - AAR "A Shadow of the Real Thing" - Feb 24, 2025
Magnet Virtual Summit 2025 CTF - AAR "The SPIRITs are among us" - Feb 23, 2025
Magnet Virtual Summit 2025 CTF - Post-Analysis - Feb 13, 2025
Magnet Virtual Summit 2025 CTF - Pre-Analysis - Feb 12, 2025
Magnet Virtual Summit 2025 CTF / Belkasoft CTF 01 - Feb 11, 2025
Starting Belkasoft CTFs - Feb 5, 2025
Hurdles to competing in CTFs - Jan 2, 2025

#Certification:

Saturday CISSP Prep - May 17, 2025
CISSP Practice Questions - May 1, 2025
MacOS / CISSP Practice Tests - Apr 26, 2025
CISSP - Practice Tests - Apr 19, 2025
CISSP - Domain 8 - Apr 7, 2025
CISSP - Domain 7 - Apr 6, 2025
CISSP - Domain 6 - Apr 5, 2025
CISSP - Domain 5 - Apr 4, 2025
CISSP - Domain 4 - Apr 3, 2025
CISSP - Domain 3 - Apr 1, 2025
CISSP - Stalled - Mar 30, 2025
Belkasoft - Windows Forensics with Belkasoft - Feb 4, 2025
CISSP - Domain 1 and 2 - Feb 3, 2025
CISSP - Study Plan - Jan 26, 2025
Belkasoft - Windows Forensics with Belkasoft Part 2 - Jan 25, 2025
Belkasoft - Windows Forensics with Belkasoft - Jan 24, 2025
Certification and Training Plans for 2025 - Jan 4, 2025

#Challenge:

David Cowen Sunday Funday Challenge - FAT32 Access Date?! - Apr 22, 2025
David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (HackBrowserData) - Apr 18, 2025
David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (WebBrowserPassView) - Apr 16, 2025
David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (LaZagne) - Apr 15, 2025
David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence - Apr 14, 2025
David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Part 3 - Apr 11, 2025
David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Part 2 - Apr 10, 2025
David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Apr 8, 2025
David Cowen Sunday Funday Challenge - Cloud Log Availability Delays - Apr 2, 2025
SSH Artifacts in Windows 11 - Part 3 - Mar 28, 2025
SSH Artifacts in Windows 11 - Part 2 - Mar 27, 2025
SSH Artifacts in Windows 11 - Part 1 - Mar 26, 2025
David Cowen Sunday Funday Challenge - SSH Artifacts in Windows 11 - Mar 25, 2025
David Cowen Sunday Funday Challenge - SSH Artifacts - Mar 21, 2025
David Cowen Sunday Funday Challenge - ChatGPT Desktop Artifacts - Jan 20, 2025
David Cowen Sunday Funday Challenge - SRUM Validation - Jan 13, 2025

#Challenges:

The DFIR Report - Public CTF - Part 2 - Jun 7, 2025
The DFIR Report - Public CTF - Jun 6, 2025
Magnet Virtual Summit 2025 CTF - AAR "Hidden Spirits" - Mar 15, 2025
Magnet Virtual Summit 2025 CTF - AAR "100X Scale" - Mar 13, 2025
Magnet Virtual Summit 2025 CTF - AAR "Capital Offense" - Mar 12, 2025
Magnet Virtual Summit 2025 CTF - AAR "Dressing, with a dash, of 17 spices" - Mar 11, 2025
Magnet Virtual Summit 2025 CTF - AAR "Pigs in a Blanket" - Mar 10, 2025
picoCTF - Mar 7, 2025
Magnet Virtual Summit 2025 CTF - AAR "All of my work is gone!" - Mar 4, 2025
Magnet Virtual Summit 2025 CTF - AAR "The masked singer" - Mar 2, 2025
Magnet Virtual Summit 2025 CTF - AAR "ICONic green bubbles" - Mar 1, 2025
Magnet Virtual Summit 2025 CTF - AAR "YOU Watch a Lot of space Videos" - Feb 28, 2025
Magnet Virtual Summit 2025 CTF - AAR "DAdataTA" - Feb 27, 2025
Magnet Virtual Summit 2025 CTF - AAR "Dead Portrait Society" - Feb 26, 2025
Magnet Virtual Summit 2025 CTF - AAR "Out of the Ordinary" - Feb 25, 2025
Magnet Virtual Summit 2025 CTF - AAR "A Shadow of the Real Thing" - Feb 24, 2025
Magnet Virtual Summit 2025 CTF - AAR "The SPIRITs are among us" - Feb 23, 2025
Magnet Virtual Summit 2025 CTF - Post-Analysis - Feb 13, 2025
Magnet Virtual Summit 2025 CTF - Pre-Analysis - Feb 12, 2025
Magnet Virtual Summit 2025 CTF / Belkasoft CTF 01 - Feb 11, 2025
Starting Belkasoft CTFs - Feb 5, 2025

#ChatGPT:

ChatGPT Desktop - Kape Target - May 16, 2025

#Chrome:

ChromeCacheView / ChromeHistoryView - Jan 23, 2025

#Coursework:

Expectations vs Reality - Digital Forensic Science Master's Degree Part 9 - Jul 14, 2025
Expectations vs Reality - Digital Forensic Science Master's Degree Part 9 - Jun 26, 2025
Expectations vs Reality - Digital Forensic Science Master's Degree Part 8 - Jun 9, 2025
Expectations vs Reality - Digital Forensic Science Master's Degree Part 7 - Apr 13, 2025
Expectations vs Reality - Digital Forensic Science Master's Degree Part 6 - Mar 23, 2025
Expectations vs Reality - Digital Forensic Science Master's Degree Part 5 - Mar 17, 2025
Expectations vs Reality - Digital Forensic Science Master's Degree Part 4 - Mar 5, 2025
Expectations vs Reality - Digital Forensic Science Master's Degree Part 3 - Feb 17, 2025
Expectations vs Reality - Digital Forensic Science Master's Degree Part 2 - Jan 14, 2025
Expectations vs Reality - Digital Forensic Science Master's Degree - Jan 6, 2025

#Cursor-AI:

Playing with Cursor AI - Notepad++ Digital Artifacts - Feb 10, 2025

#DFIR:

Velociraptor - Artifact Windows Notepad - Part 2 - Aug 3, 2025
Velociraptor - Artifact Windows Notepad - Jul 30, 2025
Windows Notepad Parser - Documentation Update - Jun 5, 2025
RDCMan - Cracking DPAPI w/mimikatz - Jun 4, 2025
Remote Desktop Manager - Artifacts Part 7 - Jun 3, 2025
Remote Desktop Manager - LOLRMM - May 31, 2025
SANS - Ransomware Summit 2025 - May 30, 2025
RDCMan - Importance of DPAPI Activity - May 29, 2025
RDCMan - Verifying DPAPI Activity - May 27, 2025
Remote Desktop Manager - Artifacts Part 6 - May 25, 2025
Remote Desktop Manager - Artifacts Part 5 - May 24, 2025
Remote Desktop Manager - Artifacts Part 4 - May 23, 2025
Remote Desktop Manager - Working on SQLECmd Map - May 22, 2025
Remote Desktop Manager - Artifacts Part 3 - May 21, 2025
Remote Desktop Manager - Artifacts Part 2 - May 20, 2025
Remote Desktop Manager - Artifacts - May 19, 2025
DPAPI - Audit DPAPI Activity - May 18, 2025
ChatGPT Desktop - Kape Target - May 16, 2025
Volatility3 - Windows 11 24H2 Memory Dump issues? - May 13, 2025
Reading up on Volatility - May 11, 2025
Volatility - Plugin? - May 10, 2025
Researching RDCMan - Part 3 - May 9, 2025
RDCMan - Kape Target - May 8, 2025
Researching RDCMan - Part 2 - May 7, 2025
Researching RDCMan - May 6, 2025
Microsoft Edge - AutoFill Database - May 5, 2025
Revisiting ShimCache/AmCache - May 4, 2025
KAPE Module - Windows Notepad Parser - May 3, 2025
Release - Windows Notepad Parser v1.0.4 - Apr 30, 2025
Revisiting Prefetch - Apr 21, 2025
Beyond Sunday Funday - Revisiting Shimcache, Amcache, MUICache, and Prefetch - Apr 20, 2025
Choices - MacBook Air or Google Pixel - Apr 17, 2025
Beyond Sunday Funday - SSH Artifacts in Windows 11 - Mar 22, 2025
Windows Notepad - Rewrite / AI Part 5 - Mar 19, 2025
Windows Notepad - Rewrite / AI Part 4 - Mar 18, 2025
Windows Notepad - Rewrite / AI Part 3 - Mar 16, 2025
Windows Notepad - Rewrite / AI Part 2 - Mar 14, 2025
Windows Notepad - Rewrite / AI - Mar 8, 2025
Release - Windows Notepad Parser v1.0.3 - Mar 6, 2025
Investigating Visual Studio Code - Part 3 - Feb 22, 2025
KAPE Target - Windows Notepad WOOPS - Feb 21, 2025
KAPE Target - Windows Notepad - Feb 20, 2025
Release - Windows Notepad Parser v1.0.2 - Feb 19, 2025
Investigating Visual Studio Code - Part 2 - Feb 16, 2025
Investigating Visual Studio Code - Feb 15, 2025
Windows Notepad vs Notepad++ - Artifact Comparison - Feb 14, 2025
Playing with Cursor AI - Notepad++ Digital Artifacts - Feb 10, 2025
Notepad++ - Documenting Digital Artifacts Part 2 - Feb 9, 2025
Notepad++ - Documenting Digital Artifacts - Feb 8, 2025
Is that Windows Notepad window really empty? - Dec 1, 2024
Microsoft Store Apps - Challenge in validating previous versions - Nov 27, 2024

#DFIR-Review:

DFIR Review - Acceptance on Windows Notepad Research - Jul 8, 2025

#DPAPI:

RDCMan - Cracking DPAPI w/mimikatz - Jun 4, 2025
RDCMan - Importance of DPAPI Activity - May 29, 2025
RDCMan - Verifying DPAPI Activity - May 27, 2025
DPAPI - Audit DPAPI Activity - May 18, 2025

#Exploration:

Diving Deep - LevelDB Part 5 - Jan 30, 2025
Diving Deep - LevelDB Part 4 - Jan 29, 2025
Diving Deep - LevelDB Part 3 - Jan 27, 2025
ChromeCacheView / ChromeHistoryView - Jan 23, 2025
Diving Deep - LevelDB Part 2 - Jan 22, 2025
Diving Deep - LevelDB - Jan 21, 2025

#GaslitPad:

GaslitPad - DNS Communication - Mar 24, 2025
GaslitPad - Release - Feb 7, 2025
POC Malware - Part 3 - Feb 1, 2025
POC Malware - Part 2 - Jan 31, 2025

#Graphene:

Choices - MacBook Air or Google Pixel - Apr 17, 2025

#HackBrowserData:

David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (HackBrowserData) - Apr 18, 2025

#Hex-Editors:

Hex Editors for Digital Forensics and Reverse Engineering - Jan 11, 2025

#Homelab:

Homelab Part 3 - Thought Process - Feb 18, 2025
Homelab Part 2 - The Next Iteration - Jan 18, 2025
MSLab - Part 1 - Jan 17, 2025
Investigating Lab Automation - MSLab - Jan 15, 2025
Homelab Part 1 - The Current Setup - Jan 12, 2025

#KAPE:

ChatGPT Desktop - Kape Target - May 16, 2025
KAPE Module - Windows Notepad Parser - May 3, 2025
KAPE Target - Windows Notepad WOOPS - Feb 21, 2025
KAPE Target - Windows Notepad - Feb 20, 2025

#KQL:

Exploring KQL - Apr 12, 2025

#LOLRMM:

Remote Desktop Manager - LOLRMM - May 31, 2025

#LaZagne:

David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (LaZagne) - Apr 15, 2025

#LevelDB:

Diving Deep - LevelDB Part 5 - Jan 30, 2025
Diving Deep - LevelDB Part 4 - Jan 29, 2025
Diving Deep - LevelDB Part 3 - Jan 27, 2025
Diving Deep - LevelDB Part 2 - Jan 22, 2025
Diving Deep - LevelDB - Jan 21, 2025

#Life-Plan:

New Beginnings - Nov 14, 2024

#MacOS:

Choices - MacBook Air or Google Pixel - Apr 17, 2025

#Malware:

GaslitPad - DNS Communication - Mar 24, 2025
GaslitPad - Release - Feb 7, 2025
POC Malware - Part 3 - Feb 1, 2025
POC Malware - Part 2 - Jan 31, 2025
POC Malware - Part 1 - Jan 3, 2025

#MemProcFS:

Memory Forensics - Windows Notepad Part 6 - Sep 6, 2025
Memory Forensics - Windows Notepad Part 5 - Aug 29, 2025
Memory Forensics - Windows Notepad Part 4 - Aug 16, 2025
Memory Forensics - Windows Notepad Part 3 - Aug 15, 2025
Memory Forensics - Windows Notepad Part 2 - Aug 14, 2025
Memory Forensics - Windows Notepad Part 1 - Aug 13, 2025

#Memory-Forensics:

Memory Forensics - Windows Notepad Part 6 - Sep 6, 2025
Memory Forensics - Windows Notepad Part 5 - Aug 29, 2025
Memory Forensics - Windows Notepad Part 4 - Aug 16, 2025
Memory Forensics - Windows Notepad Part 3 - Aug 15, 2025
Memory Forensics - Windows Notepad Part 2 - Aug 14, 2025
Memory Forensics - Windows Notepad Part 1 - Aug 13, 2025
Volatility3 - Windows 11 24H2 Memory Dump issues? - May 13, 2025
Reading up on Volatility - May 11, 2025
Volatility - Plugin? - May 10, 2025

#Microsoft-Edge:

Microsoft Edge - AutoFill Database - May 5, 2025

#Microsoft-Paint:

Microsoft Paint - Application Hive - Jun 14, 2025

#Musings:

Zeltser Challenge - Eighth Month Accomplishments - Sep 3, 2025
Zeltser Challenge - Seventh Month Accomplishments - Aug 4, 2025
MB x MS - Jul 18, 2025
CFP Submission - Finalizing Submission - Jul 17, 2025
Fun CVE on Trains - Foamers Beware - Jul 13, 2025
All the Things I’m Working On (a.k.a. Too Many Pokers in the Fire) - Jul 11, 2025
Cleanup / Linting / Updating - Jul 9, 2025
Zeltser Challenge - Sixth Month Accomplishments - Jul 1, 2025
Random Thoughts - Implications of MSIX App Containerization - Jun 15, 2025
SSD Forensics - Flex Capacity - Jun 8, 2025
2025 New York State Cybersecurity Conference - Jun 2, 2025
Zeltser Challenge - Fifth Month Accomplishments - Jun 1, 2025
Random Thoughts - System Naming - May 26, 2025
Saturday CISSP Prep - May 17, 2025
Zeltser Challenge - Fourth Month Accomplishments - May 2, 2025
CISSP Practice Questions - May 1, 2025
Thoughts from a Developer on the Truth in Data Podcast - Apr 29, 2025
macOS Forensics Books/Resources - Apr 28, 2025
MacOS / CISSP Practice Tests - Apr 26, 2025
The Day Job - Security/DR Planning - Apr 9, 2025
Zeltser Challenge - Third Month Accomplishments - Mar 31, 2025
The Intersection of DFIR and IT Troubleshooting - Mar 20, 2025
Wide World of DFIR - Mar 9, 2025
Zeltser Challenge - Second Month Accomplishments - Mar 3, 2025
Zeltser Challenge - First Month Accomplishments - Feb 2, 2025
Second Week Musings - Jan 19, 2025
First Week Musings - Jan 5, 2025
2025 Zeltser Challenge - Jan 1, 2025

#News:

Pearson - Cyberattack - May 12, 2025
K-12 Student Data - Why would anyone steal that? - Jan 9, 2025
Powerschool Hack - Jan 8, 2025

#Notepad++:

Windows Notepad vs Notepad++ - Artifact Comparison - Feb 14, 2025
Notepad++ - Documenting Digital Artifacts Part 2 - Feb 9, 2025
Notepad++ - Documenting Digital Artifacts - Feb 8, 2025

#Prefetch:

Revisiting Prefetch - Apr 21, 2025

#RDCMan:

RDCMan - Cracking DPAPI w/mimikatz - Jun 4, 2025
RDCMan - Importance of DPAPI Activity - May 29, 2025
RDCMan - Verifying DPAPI Activity - May 27, 2025
DPAPI - Audit DPAPI Activity - May 18, 2025
Researching RDCMan - Part 3 - May 9, 2025
RDCMan - Kape Target - May 8, 2025
Researching RDCMan - Part 2 - May 7, 2025
Researching RDCMan - May 6, 2025

#RDP:

RDP Timelining Tool - Jun 27, 2025

#RECmd:

Registry Plugin (RECmd and Registry Explorer) - Application Settings Container - Aug 6, 2025

#Registry-Explorer:

Registry Plugin (RECmd and Registry Explorer) - Application Settings Container - Aug 6, 2025

#RegistryPlugins:

Application Settings Container - RegUwpDateTimeOffset Weirdness? - Aug 10, 2025
Windows Snipping Tool - Part 1 - Aug 9, 2025
Application Settings Container - Subkeys! - Aug 8, 2025
Poking Windows Snipping Tool aka Screen Sketch - Aug 7, 2025
Registry Plugin (RECmd and Registry Explorer) - Application Settings Container - Aug 6, 2025

#Registryhive:

Application Settings Container - RegUwpDateTimeOffset Weirdness? - Aug 10, 2025
Windows Snipping Tool - Part 1 - Aug 9, 2025
Application Settings Container - Subkeys! - Aug 8, 2025
Poking Windows Snipping Tool aka Screen Sketch - Aug 7, 2025
Registry Plugin (RECmd and Registry Explorer) - Application Settings Container - Aug 6, 2025
Registry Hive - Data Types Part 8 - Jul 10, 2025
Registry Hive - Data Types Part 7 - Jul 7, 2025
Registry Hive - Data Types Part 6 - Jul 6, 2025
Registry Hive - Data Types Part 5 - Jul 5, 2025
Registry Hive - Data Types Part 4 - Jun 22, 2025
My Methodology for Reverse Engineering Binary Files - Jun 21, 2025
Registry Hive - Data Types Part 3 - Jun 20, 2025
Registry Hive - Data Types Part 2 - Jun 19, 2025
Registry Hive - Data Types - Jun 18, 2025
Registry Hive - Revisiting Documentation - Jun 17, 2025
010 Editor - RegistryHive Binary Template - Jun 16, 2025

#Remote-Desktop-Manager:

Remote Desktop Manager - Artifacts Part 7 - Jun 3, 2025
Remote Desktop Manager - LOLRMM - May 31, 2025
Remote Desktop Manager - Artifacts Part 6 - May 25, 2025
Remote Desktop Manager - Artifacts Part 5 - May 24, 2025
Remote Desktop Manager - Artifacts Part 4 - May 23, 2025
Remote Desktop Manager - Working on SQLECmd Map - May 22, 2025
Remote Desktop Manager - Artifacts Part 3 - May 21, 2025
Remote Desktop Manager - Artifacts Part 2 - May 20, 2025
Remote Desktop Manager - Artifacts - May 19, 2025

#Research:

Windows Notepad - Version Changes (11.2410.21.0) - Jul 22, 2025
Windows Notepad - Markdown Support Limitations - Jul 4, 2025
Windows Notepad - Forced Save Regression Testing - Jul 3, 2025
Windows Notepad - Forced Save on Detecting Manipulation? - Jul 2, 2025
Windows Notepad - Application Hive Markdown Setting - Jun 30, 2025
Thinking about that Windows Notepad - Jun 29, 2025
Windows Notepad - Markdown Support - Jun 28, 2025
Windows Notepad - Revisiting Application Hive Part 2 - Jun 13, 2025
Windows Notepad - Revisiting Application Hive - Jun 12, 2025
Windows Notepad - Find/Replace/Bing - Jun 11, 2025
Windows Notepad - Recent Files (New Option) - Jun 10, 2025
Windows Notepad - Version Changes (11.2410.20.0) - Apr 27, 2025
Windows Notepad - Version Changes (11.2409.9.0) - Apr 25, 2025
Windows Notepad - Version Changes (11.2408.12.0) - Apr 24, 2025
Windows Notepad - Version Changes (11.2407.9.0) - Apr 23, 2025
Revisiting Prefetch - Apr 21, 2025
Beyond Sunday Funday - Revisiting Shimcache, Amcache, MUICache, and Prefetch - Apr 20, 2025
Beyond Sunday Funday - SSH Artifacts in Windows 11 - Mar 22, 2025
Forensics Software - Automated Regression/Version Testing Part 1 - Jan 10, 2025

#Reverse-Engineering:

Reverse Engineering Rewrite API - Mar 29, 2025

#Rewrite-AI:

Windows Notepad - Rewrite / AI Part 5 - Mar 19, 2025
Windows Notepad - Rewrite / AI Part 4 - Mar 18, 2025
Windows Notepad - Rewrite / AI Part 3 - Mar 16, 2025
Windows Notepad - Rewrite / AI Part 2 - Mar 14, 2025
Windows Notepad - Rewrite / AI - Mar 8, 2025

#Rewrite-API:

Reverse Engineering Rewrite API - Mar 29, 2025

#Root:

Pixel 7 - Data Acquisition - Sep 11, 2025
Pixel 7 - Patching init_boot - Sep 10, 2025
Pixel 7 - Unlocking the Bootloader - Sep 9, 2025
Pixel 7 - Researching Rooting Options - Sep 7, 2025

#ShimCache:

Revisiting ShimCache/AmCache - May 4, 2025

#Snipping-Tool:

Windows Snipping Tool - Part 1 - Aug 9, 2025
Poking Windows Snipping Tool aka Screen Sketch - Aug 7, 2025

#Sunday-Funday:

David Cowen Sunday Funday Challenge - FAT32 Access Date?! - Apr 22, 2025
David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (HackBrowserData) - Apr 18, 2025
David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (WebBrowserPassView) - Apr 16, 2025
David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (LaZagne) - Apr 15, 2025
David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence - Apr 14, 2025
David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Part 3 - Apr 11, 2025
David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Part 2 - Apr 10, 2025
David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Apr 8, 2025
David Cowen Sunday Funday Challenge - Cloud Log Availability Delays - Apr 2, 2025
SSH Artifacts in Windows 11 - Part 3 - Mar 28, 2025
SSH Artifacts in Windows 11 - Part 2 - Mar 27, 2025
SSH Artifacts in Windows 11 - Part 1 - Mar 26, 2025
David Cowen Sunday Funday Challenge - SSH Artifacts in Windows 11 - Mar 25, 2025
David Cowen Sunday Funday Challenge - SSH Artifacts - Mar 21, 2025
David Cowen Sunday Funday Challenge - ChatGPT Desktop Artifacts - Jan 20, 2025
David Cowen Sunday Funday Challenge - SRUM Validation - Jan 13, 2025

#Talk:

Conference talk prep - Aug 17, 2025
Conference talk and other updates - Jul 31, 2025

#Training:

WinFE Training - Completed - May 28, 2025
CISA IR Training - Incident Response Triage - Mitigation (IR218) - May 15, 2025
WinFE Training - Brett Shavers - May 14, 2025
CISA IR Training - Preventing Web and Email Server Attacks (IR205) - Feb 6, 2025
Belkasoft - Windows Forensics with Belkasoft - Feb 4, 2025
CISA IR Training - Introduction to Log Management (IR210) - Jan 28, 2025
Belkasoft - Windows Forensics with Belkasoft Part 2 - Jan 25, 2025
Belkasoft - Windows Forensics with Belkasoft - Jan 24, 2025
CISA IR Training - Preventing DNS Infrastructure Tampering (IR206) - Jan 16, 2025
CISA IR Training - Defend Against Ransomware Attacks Cyber Range Training (IR209) - Jan 7, 2025
Certification and Training Plans for 2025 - Jan 4, 2025

#UWP:

Windows Store/UWP Application Data - Versioning - Jul 12, 2025

#Velociraptor:

Velociraptor - Artifact Windows Notepad - Part 2 - Aug 3, 2025
Velociraptor - Artifact Windows Notepad - Jul 30, 2025

#Visual-Studio-Code:

Investigating Visual Studio Code - Part 3 - Feb 22, 2025
Investigating Visual Studio Code - Part 2 - Feb 16, 2025
Investigating Visual Studio Code - Feb 15, 2025

#Volatility:

Memory Forensics - Windows Notepad Part 6 - Sep 6, 2025
Memory Forensics - Windows Notepad Part 5 - Aug 29, 2025
Volatility 3 - Learning to Write a Plugin Part 1 - Aug 23, 2025
Memory Forensics - Windows Notepad Part 4 - Aug 16, 2025
Memory Forensics - Windows Notepad Part 3 - Aug 15, 2025
Memory Forensics - Windows Notepad Part 2 - Aug 14, 2025
Memory Forensics - Windows Notepad Part 1 - Aug 13, 2025
Volatility3 - Windows 11 24H2 Memory Dump issues? - May 13, 2025
Reading up on Volatility - May 11, 2025
Volatility - Plugin? - May 10, 2025

#WebBrowserPassView:

David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (WebBrowserPassView) - Apr 16, 2025

#WinFE:

WinFE Training - Completed - May 28, 2025
WinFE Training - Brett Shavers - May 14, 2025

#Windows-Events:

RDP Timelining Tool - Jun 27, 2025

#Windows-Notepad:

Memory Forensics - Windows Notepad Part 6 - Sep 6, 2025
Memory Forensics - Windows Notepad Part 5 - Aug 29, 2025
Memory Forensics - Windows Notepad Part 4 - Aug 16, 2025
Memory Forensics - Windows Notepad Part 3 - Aug 15, 2025
Memory Forensics - Windows Notepad Part 2 - Aug 14, 2025
Memory Forensics - Windows Notepad Part 1 - Aug 13, 2025
Velociraptor - Artifact Windows Notepad - Part 2 - Aug 3, 2025
Velociraptor - Artifact Windows Notepad - Jul 30, 2025
Windows Notepad - Version Changes (11.2410.21.0) - Jul 22, 2025
Windows Notepad - Markdown Support Limitations - Jul 4, 2025
Windows Notepad - Forced Save Regression Testing - Jul 3, 2025
Windows Notepad - Forced Save on Detecting Manipulation? - Jul 2, 2025
Windows Notepad - Application Hive Markdown Setting - Jun 30, 2025
Thinking about that Windows Notepad - Jun 29, 2025
Windows Notepad - Markdown Support - Jun 28, 2025
Windows Notepad - Windows State Editor Pre-Release - Jun 24, 2025
Windows Notepad - Modifying TabState or WindowState Files - Jun 23, 2025
Windows Notepad - Revisiting Application Hive Part 2 - Jun 13, 2025
Windows Notepad - Revisiting Application Hive - Jun 12, 2025
Windows Notepad - Find/Replace/Bing - Jun 11, 2025
Windows Notepad - Recent Files (New Option) - Jun 10, 2025
Windows Notepad Parser - Documentation Update - Jun 5, 2025
KAPE Module - Windows Notepad Parser - May 3, 2025
Release - Windows Notepad Parser v1.0.4 - Apr 30, 2025
Windows Notepad - Version Changes (11.2410.20.0) - Apr 27, 2025
Windows Notepad - Version Changes (11.2409.9.0) - Apr 25, 2025
Windows Notepad - Version Changes (11.2408.12.0) - Apr 24, 2025
Windows Notepad - Version Changes (11.2407.9.0) - Apr 23, 2025
Windows Notepad - Rewrite / AI Part 5 - Mar 19, 2025
Windows Notepad - Rewrite / AI Part 4 - Mar 18, 2025
Windows Notepad - Rewrite / AI Part 3 - Mar 16, 2025
Windows Notepad - Rewrite / AI Part 2 - Mar 14, 2025
Windows Notepad - Rewrite / AI - Mar 8, 2025
Release - Windows Notepad Parser v1.0.3 - Mar 6, 2025
KAPE Target - Windows Notepad WOOPS - Feb 21, 2025
KAPE Target - Windows Notepad - Feb 20, 2025
Release - Windows Notepad Parser v1.0.2 - Feb 19, 2025
Windows Notepad vs Notepad++ - Artifact Comparison - Feb 14, 2025
Forensics Software - Automated Regression/Version Testing Part 1 - Jan 10, 2025

#Workshop:

SANS - Ransomware Summit 2025 - May 30, 2025

#Writeups:

BelkaCTF 7 - AAR New Name - Sep 8, 2025
BelkaCTF 7 - AAR Party Van - Sep 5, 2025
BelkaCTF 7 - AAR Junk Messaging - Aug 22, 2025
BelkaCTF 7 - AAR Banking - Aug 21, 2025
BelkaCTF 7 - AAR Workspace - Aug 19, 2025
BelkaCTF 7 - AAR Android - Aug 18, 2025
BelkaCTF 7 - AAR Puppetmaster - Aug 12, 2025
BelkaCTF 7 - AAR API Key - Aug 11, 2025
BelkaCTF 7 - AAR Command and Control - Aug 5, 2025
BelkaCTF 7 - AAR Infection - Aug 2, 2025
BelkaCTF 7 - AAR Sample - Aug 1, 2025
BelkaCTF 7 - AAR Locker - Jul 29, 2025
BelkaCTF 7 - Whoami - Jul 28, 2025
Magnet Virtual Summit 2025 CTF - AAR "Hidden Spirits" - Mar 15, 2025
Magnet Virtual Summit 2025 CTF - AAR "100X Scale" - Mar 13, 2025
Magnet Virtual Summit 2025 CTF - AAR "Capital Offense" - Mar 12, 2025
Magnet Virtual Summit 2025 CTF - AAR "Dressing, with a dash, of 17 spices" - Mar 11, 2025
Magnet Virtual Summit 2025 CTF - AAR "Pigs in a Blanket" - Mar 10, 2025
Magnet Virtual Summit 2025 CTF - AAR "All of my work is gone!" - Mar 4, 2025
Magnet Virtual Summit 2025 CTF - AAR "The masked singer" - Mar 2, 2025
Magnet Virtual Summit 2025 CTF - AAR "ICONic green bubbles" - Mar 1, 2025
Magnet Virtual Summit 2025 CTF - AAR "YOU Watch a Lot of space Videos" - Feb 28, 2025
Magnet Virtual Summit 2025 CTF - AAR "DAdataTA" - Feb 27, 2025
Magnet Virtual Summit 2025 CTF - AAR "Dead Portrait Society" - Feb 26, 2025
Magnet Virtual Summit 2025 CTF - AAR "Out of the Ordinary" - Feb 25, 2025
Magnet Virtual Summit 2025 CTF - AAR "A Shadow of the Real Thing" - Feb 24, 2025
Magnet Virtual Summit 2025 CTF - AAR "The SPIRITs are among us" - Feb 23, 2025