ogmini - Exploration of DFIR

Having fun while learning about and pivoting into the world of DFIR.

---

About Blog Posts by Tags Research CTF/Challenge GitHub RSS

Posts organized by Tags

#010-Editor #AI #AmCache #Apple #AutoFill #Belkasoft #CTF #Certification #Challenge #Challenges #ChatGPT #Chrome #Coursework #Cursor-AI #DFIR #DFIR-Review #DPAPI #Exploration #GaslitPad #Graphene #HackBrowserData #Hex-Editors #Homelab #KAPE #KQL #LOLRMM #LaZagne #LevelDB #Life-Plan #MacOS #Malware #Memory-Forensics #Microsoft-Edge #Microsoft-Paint #Musings #News #Notepad++ #Prefetch #RDCMan #RDP #Registryhive #Remote-Desktop-Manager #Research #Reverse-Engineering #Rewrite-AI #Rewrite-API #ShimCache #Sunday-Funday #Talk #Training #UWP #Velociraptor #Visual-Studio-Code #Volatility #WebBrowserPassView #WinFE #Windows-Events #Windows-Notepad #Workshop #Writeups

---

#010-Editor:

• 010 Editor - RegistryHive Binary Template - Jun 16, 2025

#AI:

• SANS - Ransomware Summit 2025 - May 30, 2025
• Playing with Cursor AI - Notepad++ Digital Artifacts - Feb 10, 2025

#AmCache:

• Revisiting ShimCache/AmCache - May 4, 2025

#Apple:

• Choices - MacBook Air or Google Pixel - Apr 17, 2025

#AutoFill:

• Microsoft Edge - AutoFill Database - May 5, 2025

#Belkasoft:

• BelkaCTF 7 - AAR Sample - Aug 1, 2025
• BelkaCTF 7 - AAR Locker - Jul 29, 2025
• BelkaCTF 7 - Whoami - Jul 28, 2025
• BelkaCTF 7 - Volatility 3 vs MemProcFS - Jul 27, 2025
• BelkaCTF 7 - Stranger Dfings Closing Out - Jul 26, 2025
• BelkaCTF 7 - Stranger Dfings Live - Jul 25, 2025
• BelkaCTF 6 - Bogus Bill Tasks 1-5 - Jul 24, 2025
• BelkaCTF 7 - Stranger Dfings Prep - Jul 23, 2025
• BelkaCTF 7 - Stranger Dfings - Jun 25, 2025
• Starting Belkasoft CTFs - Feb 5, 2025

#CTF:

• BelkaCTF 7 - AAR Sample - Aug 1, 2025
• BelkaCTF 7 - AAR Locker - Jul 29, 2025
• BelkaCTF 7 - Whoami - Jul 28, 2025
• BelkaCTF 7 - Volatility 3 vs MemProcFS - Jul 27, 2025
• BelkaCTF 7 - Stranger Dfings Closing Out - Jul 26, 2025
• BelkaCTF 7 - Stranger Dfings Live - Jul 25, 2025
• BelkaCTF 6 - Bogus Bill Tasks 1-5 - Jul 24, 2025
• BelkaCTF 7 - Stranger Dfings Prep - Jul 23, 2025
• Hackers N' Hops CTF - Part 2 - Jul 16, 2025
• Hackers N' Hops CTF - Jul 15, 2025
• BelkaCTF 7 - Stranger Dfings - Jun 25, 2025
• The DFIR Report - Public CTF - Part 2 - Jun 7, 2025
• The DFIR Report - Public CTF - Jun 6, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Hidden Spirits" - Mar 15, 2025
• Magnet Virtual Summit 2025 CTF - AAR "100X Scale" - Mar 13, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Capital Offense" - Mar 12, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Dressing, with a dash, of 17 spices" - Mar 11, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Pigs in a Blanket" - Mar 10, 2025
• picoCTF - Mar 7, 2025
• Magnet Virtual Summit 2025 CTF - AAR "All of my work is gone!" - Mar 4, 2025
• Magnet Virtual Summit 2025 CTF - AAR "The masked singer" - Mar 2, 2025
• Magnet Virtual Summit 2025 CTF - AAR "ICONic green bubbles" - Mar 1, 2025
• Magnet Virtual Summit 2025 CTF - AAR "YOU Watch a Lot of space Videos" - Feb 28, 2025
• Magnet Virtual Summit 2025 CTF - AAR "DAdataTA" - Feb 27, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Dead Portrait Society" - Feb 26, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Out of the Ordinary" - Feb 25, 2025
• Magnet Virtual Summit 2025 CTF - AAR "A Shadow of the Real Thing" - Feb 24, 2025
• Magnet Virtual Summit 2025 CTF - AAR "The SPIRITs are among us" - Feb 23, 2025
• Magnet Virtual Summit 2025 CTF - Post-Analysis - Feb 13, 2025
• Magnet Virtual Summit 2025 CTF - Pre-Analysis - Feb 12, 2025
• Magnet Virtual Summit 2025 CTF / Belkasoft CTF 01 - Feb 11, 2025
• Starting Belkasoft CTFs - Feb 5, 2025
• Hurdles to competing in CTFs - Jan 2, 2025

#Certification:

• Saturday CISSP Prep - May 17, 2025
• CISSP Practice Questions - May 1, 2025
• MacOS / CISSP Practice Tests - Apr 26, 2025
• CISSP - Practice Tests - Apr 19, 2025
• CISSP - Domain 8 - Apr 7, 2025
• CISSP - Domain 7 - Apr 6, 2025
• CISSP - Domain 6 - Apr 5, 2025
• CISSP - Domain 5 - Apr 4, 2025
• CISSP - Domain 4 - Apr 3, 2025
• CISSP - Domain 3 - Apr 1, 2025
• CISSP - Stalled - Mar 30, 2025
• Belkasoft - Windows Forensics with Belkasoft - Feb 4, 2025
• CISSP - Domain 1 and 2 - Feb 3, 2025
• CISSP - Study Plan - Jan 26, 2025
• Belkasoft - Windows Forensics with Belkasoft Part 2 - Jan 25, 2025
• Belkasoft - Windows Forensics with Belkasoft - Jan 24, 2025
• Certification and Training Plans for 2025 - Jan 4, 2025

#Challenge:

• David Cowen Sunday Funday Challenge - FAT32 Access Date?! - Apr 22, 2025
• David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (HackBrowserData) - Apr 18, 2025
• David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (WebBrowserPassView) - Apr 16, 2025
• David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (LaZagne) - Apr 15, 2025
• David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence - Apr 14, 2025
• David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Part 3 - Apr 11, 2025
• David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Part 2 - Apr 10, 2025
• David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Apr 8, 2025
• David Cowen Sunday Funday Challenge - Cloud Log Availability Delays - Apr 2, 2025
• SSH Artifacts in Windows 11 - Part 3 - Mar 28, 2025
• SSH Artifacts in Windows 11 - Part 2 - Mar 27, 2025
• SSH Artifacts in Windows 11 - Part 1 - Mar 26, 2025
• David Cowen Sunday Funday Challenge - SSH Artifacts in Windows 11 - Mar 25, 2025
• David Cowen Sunday Funday Challenge - SSH Artifacts - Mar 21, 2025
• David Cowen Sunday Funday Challenge - ChatGPT Desktop Artifacts - Jan 20, 2025
• David Cowen Sunday Funday Challenge - SRUM Validation - Jan 13, 2025

#Challenges:

• The DFIR Report - Public CTF - Part 2 - Jun 7, 2025
• The DFIR Report - Public CTF - Jun 6, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Hidden Spirits" - Mar 15, 2025
• Magnet Virtual Summit 2025 CTF - AAR "100X Scale" - Mar 13, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Capital Offense" - Mar 12, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Dressing, with a dash, of 17 spices" - Mar 11, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Pigs in a Blanket" - Mar 10, 2025
• picoCTF - Mar 7, 2025
• Magnet Virtual Summit 2025 CTF - AAR "All of my work is gone!" - Mar 4, 2025
• Magnet Virtual Summit 2025 CTF - AAR "The masked singer" - Mar 2, 2025
• Magnet Virtual Summit 2025 CTF - AAR "ICONic green bubbles" - Mar 1, 2025
• Magnet Virtual Summit 2025 CTF - AAR "YOU Watch a Lot of space Videos" - Feb 28, 2025
• Magnet Virtual Summit 2025 CTF - AAR "DAdataTA" - Feb 27, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Dead Portrait Society" - Feb 26, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Out of the Ordinary" - Feb 25, 2025
• Magnet Virtual Summit 2025 CTF - AAR "A Shadow of the Real Thing" - Feb 24, 2025
• Magnet Virtual Summit 2025 CTF - AAR "The SPIRITs are among us" - Feb 23, 2025
• Magnet Virtual Summit 2025 CTF - Post-Analysis - Feb 13, 2025
• Magnet Virtual Summit 2025 CTF - Pre-Analysis - Feb 12, 2025
• Magnet Virtual Summit 2025 CTF / Belkasoft CTF 01 - Feb 11, 2025
• Starting Belkasoft CTFs - Feb 5, 2025

#ChatGPT:

• ChatGPT Desktop - Kape Target - May 16, 2025

#Chrome:

• ChromeCacheView / ChromeHistoryView - Jan 23, 2025

#Coursework:

• Expectations vs Reality - Digital Forensic Science Master's Degree Part 9 - Jul 14, 2025
• Expectations vs Reality - Digital Forensic Science Master's Degree Part 9 - Jun 26, 2025
• Expectations vs Reality - Digital Forensic Science Master's Degree Part 8 - Jun 9, 2025
• Expectations vs Reality - Digital Forensic Science Master's Degree Part 7 - Apr 13, 2025
• Expectations vs Reality - Digital Forensic Science Master's Degree Part 6 - Mar 23, 2025
• Expectations vs Reality - Digital Forensic Science Master's Degree Part 5 - Mar 17, 2025
• Expectations vs Reality - Digital Forensic Science Master's Degree Part 4 - Mar 5, 2025
• Expectations vs Reality - Digital Forensic Science Master's Degree Part 3 - Feb 17, 2025
• Expectations vs Reality - Digital Forensic Science Master's Degree Part 2 - Jan 14, 2025
• Expectations vs Reality - Digital Forensic Science Master's Degree - Jan 6, 2025

#Cursor-AI:

• Playing with Cursor AI - Notepad++ Digital Artifacts - Feb 10, 2025

#DFIR:

• Velociraptor - Artifact Windows Notepad - Jul 30, 2025
• Windows Notepad Parser - Documentation Update - Jun 5, 2025
• RDCMan - Cracking DPAPI w/mimikatz - Jun 4, 2025
• Remote Desktop Manager - Artifacts Part 7 - Jun 3, 2025
• Remote Desktop Manager - LOLRMM - May 31, 2025
• SANS - Ransomware Summit 2025 - May 30, 2025
• RDCMan - Importance of DPAPI Activity - May 29, 2025
• RDCMan - Verifying DPAPI Activity - May 27, 2025
• Remote Desktop Manager - Artifacts Part 6 - May 25, 2025
• Remote Desktop Manager - Artifacts Part 5 - May 24, 2025
• Remote Desktop Manager - Artifacts Part 4 - May 23, 2025
• Remote Desktop Manager - Working on SQLECmd Map - May 22, 2025
• Remote Desktop Manager - Artifacts Part 3 - May 21, 2025
• Remote Desktop Manager - Artifacts Part 2 - May 20, 2025
• Remote Desktop Manager - Artifacts - May 19, 2025
• DPAPI - Audit DPAPI Activity - May 18, 2025
• ChatGPT Desktop - Kape Target - May 16, 2025
• Volatility3 - Windows 11 24H2 Memory Dump issues? - May 13, 2025
• Reading up on Volatility - May 11, 2025
• Volatility - Plugin? - May 10, 2025
• Researching RDCMan - Part 3 - May 9, 2025
• RDCMan - Kape Target - May 8, 2025
• Researching RDCMan - Part 2 - May 7, 2025
• Researching RDCMan - May 6, 2025
• Microsoft Edge - AutoFill Database - May 5, 2025
• Revisiting ShimCache/AmCache - May 4, 2025
• KAPE Module - Windows Notepad Parser - May 3, 2025
• Release - Windows Notepad Parser v1.0.4 - Apr 30, 2025
• Revisiting Prefetch - Apr 21, 2025
• Beyond Sunday Funday - Revisiting Shimcache, Amcache, MUICache, and Prefetch - Apr 20, 2025
• Choices - MacBook Air or Google Pixel - Apr 17, 2025
• Beyond Sunday Funday - SSH Artifacts in Windows 11 - Mar 22, 2025
• Windows Notepad - Rewrite / AI Part 5 - Mar 19, 2025
• Windows Notepad - Rewrite / AI Part 4 - Mar 18, 2025
• Windows Notepad - Rewrite / AI Part 3 - Mar 16, 2025
• Windows Notepad - Rewrite / AI Part 2 - Mar 14, 2025
• Windows Notepad - Rewrite / AI - Mar 8, 2025
• Release - Windows Notepad Parser v1.0.3 - Mar 6, 2025
• Investigating Visual Studio Code - Part 3 - Feb 22, 2025
• KAPE Target - Windows Notepad WOOPS - Feb 21, 2025
• KAPE Target - Windows Notepad - Feb 20, 2025
• Release - Windows Notepad Parser v1.0.2 - Feb 19, 2025
• Investigating Visual Studio Code - Part 2 - Feb 16, 2025
• Investigating Visual Studio Code - Feb 15, 2025
• Windows Notepad vs Notepad++ - Artifact Comparison - Feb 14, 2025
• Playing with Cursor AI - Notepad++ Digital Artifacts - Feb 10, 2025
• Notepad++ - Documenting Digital Artifacts Part 2 - Feb 9, 2025
• Notepad++ - Documenting Digital Artifacts - Feb 8, 2025
• Is that Windows Notepad window really empty? - Dec 1, 2024
• Microsoft Store Apps - Challenge in validating previous versions - Nov 27, 2024

#DFIR-Review:

• DFIR Review - Acceptance on Windows Notepad Research - Jul 8, 2025

#DPAPI:

• RDCMan - Cracking DPAPI w/mimikatz - Jun 4, 2025
• RDCMan - Importance of DPAPI Activity - May 29, 2025
• RDCMan - Verifying DPAPI Activity - May 27, 2025
• DPAPI - Audit DPAPI Activity - May 18, 2025

#Exploration:

• Diving Deep - LevelDB Part 5 - Jan 30, 2025
• Diving Deep - LevelDB Part 4 - Jan 29, 2025
• Diving Deep - LevelDB Part 3 - Jan 27, 2025
• ChromeCacheView / ChromeHistoryView - Jan 23, 2025
• Diving Deep - LevelDB Part 2 - Jan 22, 2025
• Diving Deep - LevelDB - Jan 21, 2025

#GaslitPad:

• GaslitPad - DNS Communication - Mar 24, 2025
• GaslitPad - Release - Feb 7, 2025
• POC Malware - Part 3 - Feb 1, 2025
• POC Malware - Part 2 - Jan 31, 2025

#Graphene:

• Choices - MacBook Air or Google Pixel - Apr 17, 2025

#HackBrowserData:

• David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (HackBrowserData) - Apr 18, 2025

#Hex-Editors:

• Hex Editors for Digital Forensics and Reverse Engineering - Jan 11, 2025

#Homelab:

• Homelab Part 3 - Thought Process - Feb 18, 2025
• Homelab Part 2 - The Next Iteration - Jan 18, 2025
• MSLab - Part 1 - Jan 17, 2025
• Investigating Lab Automation - MSLab - Jan 15, 2025
• Homelab Part 1 - The Current Setup - Jan 12, 2025

#KAPE:

• ChatGPT Desktop - Kape Target - May 16, 2025
• KAPE Module - Windows Notepad Parser - May 3, 2025
• KAPE Target - Windows Notepad WOOPS - Feb 21, 2025
• KAPE Target - Windows Notepad - Feb 20, 2025

#KQL:

• Exploring KQL - Apr 12, 2025

#LOLRMM:

• Remote Desktop Manager - LOLRMM - May 31, 2025

#LaZagne:

• David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (LaZagne) - Apr 15, 2025

#LevelDB:

• Diving Deep - LevelDB Part 5 - Jan 30, 2025
• Diving Deep - LevelDB Part 4 - Jan 29, 2025
• Diving Deep - LevelDB Part 3 - Jan 27, 2025
• Diving Deep - LevelDB Part 2 - Jan 22, 2025
• Diving Deep - LevelDB - Jan 21, 2025

#Life-Plan:

• New Beginnings - Nov 14, 2024

#MacOS:

• Choices - MacBook Air or Google Pixel - Apr 17, 2025

#Malware:

• GaslitPad - DNS Communication - Mar 24, 2025
• GaslitPad - Release - Feb 7, 2025
• POC Malware - Part 3 - Feb 1, 2025
• POC Malware - Part 2 - Jan 31, 2025
• POC Malware - Part 1 - Jan 3, 2025

#Memory-Forensics:

• Volatility3 - Windows 11 24H2 Memory Dump issues? - May 13, 2025
• Reading up on Volatility - May 11, 2025
• Volatility - Plugin? - May 10, 2025

#Microsoft-Edge:

• Microsoft Edge - AutoFill Database - May 5, 2025

#Microsoft-Paint:

• Microsoft Paint - Application Hive - Jun 14, 2025

#Musings:

• MB x MS - Jul 18, 2025
• CFP Submission - Finalizing Submission - Jul 17, 2025
• Fun CVE on Trains - Foamers Beware - Jul 13, 2025
• All the Things I’m Working On (a.k.a. Too Many Pokers in the Fire) - Jul 11, 2025
• Cleanup / Linting / Updating - Jul 9, 2025
• Zeltser Challenge - Sixth Month Accomplishments - Jul 1, 2025
• Random Thoughts - Implications of MSIX App Containerization - Jun 15, 2025
• SSD Forensics - Flex Capacity - Jun 8, 2025
• 2025 New York State Cybersecurity Conference - Jun 2, 2025
• Zeltser Challenge - Fifth Month Accomplishments - Jun 1, 2025
• Random Thoughts - System Naming - May 26, 2025
• Saturday CISSP Prep - May 17, 2025
• Zeltser Challenge - Fourth Month Accomplishments - May 2, 2025
• CISSP Practice Questions - May 1, 2025
• Thoughts from a Developer on the Truth in Data Podcast - Apr 29, 2025
• macOS Forensics Books/Resources - Apr 28, 2025
• MacOS / CISSP Practice Tests - Apr 26, 2025
• The Day Job - Security/DR Planning - Apr 9, 2025
• Zeltser Challenge - Third Month Accomplishments - Mar 31, 2025
• The Intersection of DFIR and IT Troubleshooting - Mar 20, 2025
• Wide World of DFIR - Mar 9, 2025
• Zeltser Challenge - Second Month Accomplishments - Mar 3, 2025
• Zeltser Challenge - First Month Accomplishments - Feb 2, 2025
• Second Week Musings - Jan 19, 2025
• First Week Musings - Jan 5, 2025
• 2025 Zeltser Challenge - Jan 1, 2025

#News:

• Pearson - Cyberattack - May 12, 2025
• K-12 Student Data - Why would anyone steal that? - Jan 9, 2025
• Powerschool Hack - Jan 8, 2025

#Notepad++:

• Windows Notepad vs Notepad++ - Artifact Comparison - Feb 14, 2025
• Notepad++ - Documenting Digital Artifacts Part 2 - Feb 9, 2025
• Notepad++ - Documenting Digital Artifacts - Feb 8, 2025

#Prefetch:

• Revisiting Prefetch - Apr 21, 2025

#RDCMan:

• RDCMan - Cracking DPAPI w/mimikatz - Jun 4, 2025
• RDCMan - Importance of DPAPI Activity - May 29, 2025
• RDCMan - Verifying DPAPI Activity - May 27, 2025
• DPAPI - Audit DPAPI Activity - May 18, 2025
• Researching RDCMan - Part 3 - May 9, 2025
• RDCMan - Kape Target - May 8, 2025
• Researching RDCMan - Part 2 - May 7, 2025
• Researching RDCMan - May 6, 2025

#RDP:

• RDP Timelining Tool - Jun 27, 2025

#Registryhive:

• Registry Hive - Data Types Part 8 - Jul 10, 2025
• Registry Hive - Data Types Part 7 - Jul 7, 2025
• Registry Hive - Data Types Part 6 - Jul 6, 2025
• Registry Hive - Data Types Part 5 - Jul 5, 2025
• Registry Hive - Data Types Part 4 - Jun 22, 2025
• My Methodology for Reverse Engineering Binary Files - Jun 21, 2025
• Registry Hive - Data Types Part 3 - Jun 20, 2025
• Registry Hive - Data Types Part 2 - Jun 19, 2025
• Registry Hive - Data Types - Jun 18, 2025
• Registry Hive - Revisiting Documentation - Jun 17, 2025
• 010 Editor - RegistryHive Binary Template - Jun 16, 2025

#Remote-Desktop-Manager:

• Remote Desktop Manager - Artifacts Part 7 - Jun 3, 2025
• Remote Desktop Manager - LOLRMM - May 31, 2025
• Remote Desktop Manager - Artifacts Part 6 - May 25, 2025
• Remote Desktop Manager - Artifacts Part 5 - May 24, 2025
• Remote Desktop Manager - Artifacts Part 4 - May 23, 2025
• Remote Desktop Manager - Working on SQLECmd Map - May 22, 2025
• Remote Desktop Manager - Artifacts Part 3 - May 21, 2025
• Remote Desktop Manager - Artifacts Part 2 - May 20, 2025
• Remote Desktop Manager - Artifacts - May 19, 2025

#Research:

• Windows Notepad - Version Changes (11.2410.21.0) - Jul 22, 2025
• Windows Notepad - Markdown Support Limitations - Jul 4, 2025
• Windows Notepad - Forced Save Regression Testing - Jul 3, 2025
• Windows Notepad - Forced Save on Detecting Manipulation? - Jul 2, 2025
• Windows Notepad - Application Hive Markdown Setting - Jun 30, 2025
• Thinking about that Windows Notepad - Jun 29, 2025
• Windows Notepad - Markdown Support - Jun 28, 2025
• Windows Notepad - Revisiting Application Hive Part 2 - Jun 13, 2025
• Windows Notepad - Revisiting Application Hive - Jun 12, 2025
• Windows Notepad - Find/Replace/Bing - Jun 11, 2025
• Windows Notepad - Recent Files (New Option) - Jun 10, 2025
• Windows Notepad - Version Changes (11.2410.20.0) - Apr 27, 2025
• Windows Notepad - Version Changes (11.2409.9.0) - Apr 25, 2025
• Windows Notepad - Version Changes (11.2408.12.0) - Apr 24, 2025
• Windows Notepad - Version Changes (11.2407.9.0) - Apr 23, 2025
• Revisiting Prefetch - Apr 21, 2025
• Beyond Sunday Funday - Revisiting Shimcache, Amcache, MUICache, and Prefetch - Apr 20, 2025
• Beyond Sunday Funday - SSH Artifacts in Windows 11 - Mar 22, 2025
• Forensics Software - Automated Regression/Version Testing Part 1 - Jan 10, 2025

#Reverse-Engineering:

• Reverse Engineering Rewrite API - Mar 29, 2025

#Rewrite-AI:

• Windows Notepad - Rewrite / AI Part 5 - Mar 19, 2025
• Windows Notepad - Rewrite / AI Part 4 - Mar 18, 2025
• Windows Notepad - Rewrite / AI Part 3 - Mar 16, 2025
• Windows Notepad - Rewrite / AI Part 2 - Mar 14, 2025
• Windows Notepad - Rewrite / AI - Mar 8, 2025

#Rewrite-API:

• Reverse Engineering Rewrite API - Mar 29, 2025

#ShimCache:

• Revisiting ShimCache/AmCache - May 4, 2025

#Sunday-Funday:

• David Cowen Sunday Funday Challenge - FAT32 Access Date?! - Apr 22, 2025
• David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (HackBrowserData) - Apr 18, 2025
• David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (WebBrowserPassView) - Apr 16, 2025
• David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (LaZagne) - Apr 15, 2025
• David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence - Apr 14, 2025
• David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Part 3 - Apr 11, 2025
• David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Part 2 - Apr 10, 2025
• David Cowen Sunday Funday Challenge - Docker Containers on WSL Artifacts - Apr 8, 2025
• David Cowen Sunday Funday Challenge - Cloud Log Availability Delays - Apr 2, 2025
• SSH Artifacts in Windows 11 - Part 3 - Mar 28, 2025
• SSH Artifacts in Windows 11 - Part 2 - Mar 27, 2025
• SSH Artifacts in Windows 11 - Part 1 - Mar 26, 2025
• David Cowen Sunday Funday Challenge - SSH Artifacts in Windows 11 - Mar 25, 2025
• David Cowen Sunday Funday Challenge - SSH Artifacts - Mar 21, 2025
• David Cowen Sunday Funday Challenge - ChatGPT Desktop Artifacts - Jan 20, 2025
• David Cowen Sunday Funday Challenge - SRUM Validation - Jan 13, 2025

#Talk:

• Conference talk and other updates - Jul 31, 2025

#Training:

• WinFE Training - Completed - May 28, 2025
• CISA IR Training - Incident Response Triage - Mitigation (IR218) - May 15, 2025
• WinFE Training - Brett Shavers - May 14, 2025
• CISA IR Training - Preventing Web and Email Server Attacks (IR205) - Feb 6, 2025
• Belkasoft - Windows Forensics with Belkasoft - Feb 4, 2025
• CISA IR Training - Introduction to Log Management (IR210) - Jan 28, 2025
• Belkasoft - Windows Forensics with Belkasoft Part 2 - Jan 25, 2025
• Belkasoft - Windows Forensics with Belkasoft - Jan 24, 2025
• CISA IR Training - Preventing DNS Infrastructure Tampering (IR206) - Jan 16, 2025
• CISA IR Training - Defend Against Ransomware Attacks Cyber Range Training (IR209) - Jan 7, 2025
• Certification and Training Plans for 2025 - Jan 4, 2025

#UWP:

• Windows Store/UWP Application Data - Versioning - Jul 12, 2025

#Velociraptor:

• Velociraptor - Artifact Windows Notepad - Jul 30, 2025

#Visual-Studio-Code:

• Investigating Visual Studio Code - Part 3 - Feb 22, 2025
• Investigating Visual Studio Code - Part 2 - Feb 16, 2025
• Investigating Visual Studio Code - Feb 15, 2025

#Volatility:

• Volatility3 - Windows 11 24H2 Memory Dump issues? - May 13, 2025
• Reading up on Volatility - May 11, 2025
• Volatility - Plugin? - May 10, 2025

#WebBrowserPassView:

• David Cowen Sunday Funday Challenge - Browser Password Extraction Evidence (WebBrowserPassView) - Apr 16, 2025

#WinFE:

• WinFE Training - Completed - May 28, 2025
• WinFE Training - Brett Shavers - May 14, 2025

#Windows-Events:

• RDP Timelining Tool - Jun 27, 2025

#Windows-Notepad:

• Velociraptor - Artifact Windows Notepad - Jul 30, 2025
• Windows Notepad - Version Changes (11.2410.21.0) - Jul 22, 2025
• Windows Notepad - Markdown Support Limitations - Jul 4, 2025
• Windows Notepad - Forced Save Regression Testing - Jul 3, 2025
• Windows Notepad - Forced Save on Detecting Manipulation? - Jul 2, 2025
• Windows Notepad - Application Hive Markdown Setting - Jun 30, 2025
• Thinking about that Windows Notepad - Jun 29, 2025
• Windows Notepad - Markdown Support - Jun 28, 2025
• Windows Notepad - Windows State Editor Pre-Release - Jun 24, 2025
• Windows Notepad - Modifying TabState or WindowState Files - Jun 23, 2025
• Windows Notepad - Revisiting Application Hive Part 2 - Jun 13, 2025
• Windows Notepad - Revisiting Application Hive - Jun 12, 2025
• Windows Notepad - Find/Replace/Bing - Jun 11, 2025
• Windows Notepad - Recent Files (New Option) - Jun 10, 2025
• Windows Notepad Parser - Documentation Update - Jun 5, 2025
• KAPE Module - Windows Notepad Parser - May 3, 2025
• Release - Windows Notepad Parser v1.0.4 - Apr 30, 2025
• Windows Notepad - Version Changes (11.2410.20.0) - Apr 27, 2025
• Windows Notepad - Version Changes (11.2409.9.0) - Apr 25, 2025
• Windows Notepad - Version Changes (11.2408.12.0) - Apr 24, 2025
• Windows Notepad - Version Changes (11.2407.9.0) - Apr 23, 2025
• Windows Notepad - Rewrite / AI Part 5 - Mar 19, 2025
• Windows Notepad - Rewrite / AI Part 4 - Mar 18, 2025
• Windows Notepad - Rewrite / AI Part 3 - Mar 16, 2025
• Windows Notepad - Rewrite / AI Part 2 - Mar 14, 2025
• Windows Notepad - Rewrite / AI - Mar 8, 2025
• Release - Windows Notepad Parser v1.0.3 - Mar 6, 2025
• KAPE Target - Windows Notepad WOOPS - Feb 21, 2025
• KAPE Target - Windows Notepad - Feb 20, 2025
• Release - Windows Notepad Parser v1.0.2 - Feb 19, 2025
• Windows Notepad vs Notepad++ - Artifact Comparison - Feb 14, 2025
• Forensics Software - Automated Regression/Version Testing Part 1 - Jan 10, 2025

#Workshop:

• SANS - Ransomware Summit 2025 - May 30, 2025

#Writeups:

• BelkaCTF 7 - AAR Sample - Aug 1, 2025
• BelkaCTF 7 - AAR Locker - Jul 29, 2025
• BelkaCTF 7 - Whoami - Jul 28, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Hidden Spirits" - Mar 15, 2025
• Magnet Virtual Summit 2025 CTF - AAR "100X Scale" - Mar 13, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Capital Offense" - Mar 12, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Dressing, with a dash, of 17 spices" - Mar 11, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Pigs in a Blanket" - Mar 10, 2025
• Magnet Virtual Summit 2025 CTF - AAR "All of my work is gone!" - Mar 4, 2025
• Magnet Virtual Summit 2025 CTF - AAR "The masked singer" - Mar 2, 2025
• Magnet Virtual Summit 2025 CTF - AAR "ICONic green bubbles" - Mar 1, 2025
• Magnet Virtual Summit 2025 CTF - AAR "YOU Watch a Lot of space Videos" - Feb 28, 2025
• Magnet Virtual Summit 2025 CTF - AAR "DAdataTA" - Feb 27, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Dead Portrait Society" - Feb 26, 2025
• Magnet Virtual Summit 2025 CTF - AAR "Out of the Ordinary" - Feb 25, 2025
• Magnet Virtual Summit 2025 CTF - AAR "A Shadow of the Real Thing" - Feb 24, 2025
• Magnet Virtual Summit 2025 CTF - AAR "The SPIRITs are among us" - Feb 23, 2025