
Daily Blog #804: Introducing Puck!


 

Hello Reader,

I'm excited to share some news today—Evan Anderson, who you might recognize from our Vibe Coding livestreams, has just launched a new product: Puck!

Puck (available at puck.tools) is the result of Evan’s 20 years in cybersecurity, including extensive experience in offensive operations and advanced red team deployments. At its core, Puck simulates a threat actor within your network with one simple mission: to get back home.

But let’s be clear—Puck isn’t an automated pentesting framework, a vulnerability scanner, or an attack surface mapping tool. It does just one thing, and it does it exceptionally well: it tests your network's egress controls. Using a wide array of protocols, techniques, and methods—much like a sophisticated command-and-control (C2) tool or real-world threat actor—Puck tries to reach out. If it succeeds, it reports back with the exact methods that worked, alerting you to any changes that may have weakened your defenses.

Puck is especially valuable in environments that require strict segmentation, such as PCI-regulated networks and other high-security zones where internet access is supposed to be tightly controlled. It can be deployed either as a virtual machine or a physical device, running continuously to ensure you're immediately aware of any egress violations caused by network changes.

Check it out at puck.tools—I genuinely think it’s a fantastic tool!


Daily Blog #803: Getting ChatGPT-4o to make fancy PowerPoints

 

Hello Reader,

Yesterday, when I shared my presentation, I mentioned that while I conducted all the research myself, I used ChatGPT-4o to create all of the slides.

Why? Because I have absolutely no artistic skills—but I did have all the technical knowledge I wanted to communicate. If you’re like me and want your presentations to look like you hired a professional designer, here’s how I made it happen.


Step 1: Tell It What You Want

I started by describing the scope of the presentation:

Create a slideshow presentation about Windows Hello forensics complete with graphics 
and text.

It should cover how to perform forensics on the Windows 11 Hello security feature.
Include slides on:

- History of Hello  
- The historical forensic challenge of identifying who is at the keyboard  
- A list of Windows Hello authentication methods  
- Where in the registry to find which authentication methods are enabled  
- What the event logs show for:
    - PIN login  
    - Fingerprint login  
    - Facial scan login  
- Where Windows Hello data is stored  
- How the stored data is protected  
- How the data can be accessed  

Also, include any other slides you think would be interesting.



It responded with a detailed outline of the slide contents—a sort of text storyboard. 


Step 2: Ask for the Presentation

So I followed up with: 

Turn this into a PowerPoint presentation with graphics you create for each slide.

 

This generated text-only slides. So I clarified further:

Yes, I would like all of the above as you find them most useful.
Generate all relevant graphics and insert them into the slides. 
Also give it a cyberpunk theme.

 

Step 3: Let It Build

It generated the first image, and I simply told it:

Finish all the slides and provide me the updated PPT with the graphics added in.

 

I had to say “continue” a couple of times to get it to finish the entire deck—but that was it! Afterward, I went in and added relevant technical facts, and the presentation was complete.


Looking back, I probably could have done it all in one prompt if I had been more specific. Still, I’m incredibly happy with the results—and I didn’t need any design skills to get there.


Daily Blog #802: Windows Hello Forensics presentation

 


Hello Reader,

Today I gave a presentation on Windows Hello Forensics to the HTCIA Northeast chapter. I wanted to share the presentation here for the attendees and for anyone else interested in seeing the data from all the prior blog posts in one place.

If you like the slides, I made them using ChatGPT-4o, and I'll go through the prompts I used in tomorrow's blog!

You can download them here: 

https://docs.google.com/presentation/d/1hDpBJgh6V21diSxY8Lei8gfgshwYnYpW/edit?usp=sharing&ouid=104808728995007755708&rtpof=true&sd=true

Daily Blog #801: New capabilities of Chat GPT 4o Image Creation

Hello Reader,

As you may have noticed, I've been really enjoying all the newest and strangest things you can do with the AI models as they've come out. While everyone has been focusing on how you can 'ghibli', 'barbie' or 'lego' a photo, I realized you can do something even better!

You see, in the recent past ChatGPT-4o refused to create images based on real people, even your own face. With the new model that restriction is a thing of the past, so you can now ask it to do all sorts of amazing creations!

I present to you: myself in a Lord of the Rings movie poster (as close as their policies would let me).

 


For some reason it didn't have a problem with Grimace as Chuck Norris:


All of this to say, AI keeps evolving and trusting images will keep getting harder.

Daily Blog #800: Sunday Funday 4/6/25

Hello Reader, 

This week I wanted to turn your attention to WSL, the Windows Subsystem for Linux. With WSL becoming more common on Windows systems for things like Docker, it's been a while since I've seen much research around what's left behind from its usage. Let's see what you can do!

The Prize:

$100 Amazon Giftcard


 
The Rules:

  1. You must post your answer before Friday 4/11/25 7PM CST (GMT -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post
  8. AI assistance is welcomed, but if a post is deemed to be entirely AI written it will not qualify for a prize.


The Challenge:

What artifacts are left behind when running a Docker container using Ubuntu WSL (which I believe is the default standard)? Bonus points for artifacts that reflect interactions between the container and the host.


Daily Blog #799: Solution Saturday 4/5/25


Hello Reader, 

This week no one managed to submit a full answer, as I did ask for all three major clouds. The closest was Chris Eng, who did a full review of Azure and found times that were much faster than the last time I checked! It does look like I need to go back, do my own tests, and write them up here.


The Challenge:

For the main cloud providers (AWS, Azure, Google Cloud), determine how long it takes from you performing the action to the log being available for the following actions:

1. Logging in successfully
2. Failing to log in
3. Changing a user's permissions
4. Deleting a user
5. Creating a user

The Winning Answer:

Chris Eng / OG Mini Blog

https://ogmini.github.io/2025/04/02/David-Cowen-Sunday-Funday-Cloud-Log-Delays.html




Daily Blog #798: Forensic Lunch Test Kitchen 4/4/25 - Using Replit!

Hello Reader,

Today Evan and I used Replit to create a digital forensic artifact website. While the website itself needs a lot of content to be useful, the fact that it created, tested, and deployed it within an hour is really impressive, considering neither of us had used Replit before.

Here is the website it made:

https://autodavecowen.replit.app/

Here is the video:

 

Daily Blog #797: Azure Snapshot Downloads

Hello Reader,

One of my favorite features in Azure is how easy it is to work with virtual disk snapshots. When you create a snapshot of a virtual disk (VHD), Azure lets you generate a direct download link for the raw disk—no extra steps needed.

Compare that to other cloud platforms:

  • In AWS, I have to use tools like coldsnap
  • In Google Cloud, I need to convert the snapshot into an image first

But with Azure, it just works.

Want to try it yourself? Here’s how:


Steps to Export a Snapshot in Azure

  1. Create a Snapshot
     Choose the storage or OS disk you want to analyze.

  2. Select "Full Snapshot"; otherwise you'll only get the recent changes, and your forensic tools can't parse that.

  3. Click "Export Snapshot"

  4. Click "Generate URL"
     Azure will create a temporary, signed URL for direct download that lives for one hour. Want it to last longer? Just add zeros to the expiry time.

Use your favorite download tool to grab the file. I usually go with azcopy for speed and reliability.
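As an added example (not the author's code), the same export done from a shell with the Azure CLI and azcopy, followed by a check that what came down is a complete fixed VHD rather than a truncated or incremental download. The resource group, disk and snapshot names are assumed placeholders; it needs a logged-in `az` and `azcopy`.

```shell
#!/usr/bin/env bash
# Added example: full Azure disk snapshot -> SAS URL -> azcopy -> sanity check.
# RG, DISK and SNAP are assumed placeholder names, override via environment.
set -eu

RG="${RG:-forensics-rg}"            # assumed resource group
DISK="${DISK:-suspect-osdisk}"      # assumed managed disk to image
SNAP="${SNAP:-${DISK}-full-snap}"   # snapshot this script creates
EXPIRY_HOURS="${EXPIRY_HOURS:-24}"  # SAS lifetime; the portal default is 1 hour

# Steps 1 and 2: a FULL (non-incremental) snapshot. An incremental snapshot
# only holds changed blocks, which forensic tools cannot parse as a disk image.
create_full_snapshot() {
  disk_id=$(az disk show -g "$RG" -n "$DISK" --query id -o tsv)
  az snapshot create -g "$RG" -n "$SNAP" --source "$disk_id" \
    --incremental false -o none
}

# Steps 3 and 4: a time-limited, read-only SAS URL. The duration is given in
# seconds, which is why "adding zeros" in the portal extends the link's life.
grant_download_url() {
  az snapshot grant-access -g "$RG" -n "$SNAP" --access-level Read \
    --duration-in-seconds "$(( EXPIRY_HOURS * 3600 ))" \
    --query accessSas -o tsv
}

# Download, revoke the SAS as soon as it is no longer needed, and record a
# hash alongside the image for chain of custody.
download_and_hash() {
  azcopy copy "$1" "$2"
  az snapshot revoke-access -g "$RG" -n "$SNAP" -o none
  sha256sum "$2" | tee "$2.sha256"
}

# A full export is a fixed-size VHD: its last 512 bytes are a footer whose
# first 8 bytes are the cookie "conectix". Returns non-zero for a truncated
# file or anything that is not a VHD, before hours are spent parsing it.
vhd_footer_ok() {
  cookie=$(tail -c 512 "$1" | head -c 8 | tr -d '\0')
  [ "$cookie" = "conectix" ]
}

if [ "${1:-}" = "--run" ]; then
  create_full_snapshot
  url=$(grant_download_url)
  download_and_hash "$url" "$SNAP.vhd"
  vhd_footer_ok "$SNAP.vhd" && echo "VHD footer present: image looks complete"
fi
```

Run it with `--run`; without that flag it only defines the functions, so the footer check can be reused on any VHD you already have on disk.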

