- Python analysis: how to deal with compiled scripts. (by Krzysztof Gajewski)
  Over the last few months, I have had a few occasions to tackle suspicious Python scripts, and that helped me realize that I really suck at Python scripting and that I am not really sure how to analyze compiled Python code. Spending some time on that topic and digging deeper and deeper, I have learnt a few things …
- The $MFT flag that you have never considered before – OneDrive not synchronized files. (by Krzysztof Gajewski)
  This article shows how you can use $MFT flags to find “not synchronized” OneDrive files – files which do not actually exist on the system. Now you may ask yourself: “So in $MFT there are entries for files that do not actually exist on the disk?” Well… yes, and it’s not something …
- C:\ProgramData\Microsoft\Event Viewer\ExternalLogs – artifacts showing what Windows Event Logs were opened on the suspected device. (by Krzysztof Gajewski)
  Today I am writing about my recent finding, which I can bet the majority of us were not aware of before – if I am wrong (let me know in the comments), believe me, I am more than happy! I found out that on Windows systems there are files which tell what Windows Event …
- Easy way to prove that a file was downloaded by a web browser, having only $UsnJrnl logs. (by Krzysztof Gajewski)
  In this article, I show you how you can determine whether a file was downloaded by a web browser (like Chrome, Opera, Firefox, etc.) without having the browser history or any other browser or network logs. It may be especially handy when you are investigating a case in which your suspect was using the …
- Stripped off ADS (Zone.Identifier) for files downloaded in the incognito/private mode. (by Krzysztof Gajewski)
  Recently, people in our industry (DFIR) got excited because web browsers started to record the URLs used to download files in the ADS, along with ZoneID=3 (MOTW). The Zone.Identifier feature was first introduced in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 (source: https://www.digital-detective.net/forensic-analysis-of-zone-identifier-stream/). And indeed, it’s a very nice new (actually it …
- How long was the malicious PowerShell script active on the compromised machine? (by Krzysztof Gajewski)
  After a long break I am here again, and this time I will show you very handy PowerShell logs that will help you understand how long a malicious PowerShell script was active on the infected device. The logs I am talking about can be found in the log file named Windows PowerShell.evtx. You have probably seen …
- Artifacts that you have never analyzed before… namely ETL files. (by Krzysztof Gajewski)
  This article is, for me, like the cherry on top. I spent a lot of time checking how power history and power supply details can be used by a DFIR analyst, and finally I found another source of useful information. Multiple times (during investigations I was conducting), I encountered (either in $MFT or in $UsnJrnl) …
- Let me show you how to bite AutoIt scripts! (by Krzysztof Gajewski)
  At the beginning of this week, someone reached out to me asking if I could help him analyze a sample. I found out that the sample he asked me to review was created using AutoIt, so I thought this was a great moment to write an article explaining what AutoIt is and how you …
- The way to run the RunOnce key without any logons/reboots. (by Krzysztof Gajewski)
  Today I will share something that I discovered some time ago. It is not something that will revolutionize your investigations, but it can sometimes help you understand what happened on the system you are investigating. What is more, it may be treated as a curiosity (personally, I really like such things). So what am …
- Why do the battery use and the battery level matter during the investigation? (by Krzysztof Gajewski)
  My post today is a continuation of my recent article, which you can find here. In the previous article, I shared a .NET tool that parses a SRUM database and extracts the battery information (battery level and timestamps). The output is saved to a CSV file – a timeline in TLN format. …