Daily Blog #754: Pagefile carving with Page Brute

Hello Reader,

I'm often surprised by how many effective open source DFIR tools are overlooked. One of my favorites is page_brute. It tackles a tricky problem: carving logical data chunks out of the page file without accidentally merging memory segments that belonged to different programs.

page_brute accomplishes this by carving the page file into chunks the size of a single memory page. It then applies YARA rules to categorize each chunk, so a rule can only match within one page and never across two unrelated ones. I mainly use it to recover AJAX fragments and other temporary web objects that never make it to disk. Since the content I'm after is usually small enough to fit within one memory page, this approach works exceptionally well for webmail investigations.

If you're looking for a reliable method to recover and categorize page file contents, I highly recommend giving page_brute a try: GitHub - matonis/page_brute.
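
To make the page-sized carving concrete, here is an added example (not page_brute's own code) that carves a constructed in-memory pagefile into 4 KiB pages and classifies each page with stand-in "rules". page_brute uses YARA for this step; the example substitutes compiled regexes so it runs with the standard library alone. The pagefile contents, the rule set and the 4096-byte page size (the normal x86/x64 Windows page) are all assumptions of the example.

```python
"""Page-aligned carving of a pagefile, in the spirit of page_brute.

Added example, not page_brute's own code. page_brute classifies each
carved page with YARA; this stand-in uses compiled regexes as its
"rules" so it runs on the standard library alone. The pagefile below is
constructed in memory; on a real case you would read pagefile.sys.
"""
import re
from collections import defaultdict

PAGE_SIZE = 4096  # one x86/x64 Windows memory page, the unit the carver works in

# Stand-ins for YARA rules. A page is tagged with a rule only when the
# pattern lies entirely inside that page; nothing is ever matched across
# a page boundary, which is what keeps unrelated allocations apart.
RULES = {
    "http_response": re.compile(rb"HTTP/1\.[01] \d{3} "),
    "html_fragment": re.compile(rb"<(?:html|body|div|script)[\s>]", re.IGNORECASE),
    "json_fragment": re.compile(rb'\{\s*"[A-Za-z_][A-Za-z0-9_]*"\s*:'),
    "email_address": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def iter_pages(data, page_size=PAGE_SIZE):
    """Yield (page_number, page_bytes); a trailing partial page is kept."""
    for offset in range(0, len(data), page_size):
        yield offset // page_size, data[offset:offset + page_size]


def classify_page(page):
    """Names of the rules that fire on this single page."""
    return sorted(name for name, rule in RULES.items() if rule.search(page))


def carve(data, page_size=PAGE_SIZE):
    """Map rule name -> list of page numbers that matched it."""
    hits = defaultdict(list)
    for number, page in iter_pages(data, page_size):
        for name in classify_page(page):
            hits[name].append(number)
    return dict(hits)


def whole_file_search(data, rule_name):
    """Naive contrast: offsets where the rule matches anywhere in the buffer,
    page boundaries ignored. A hit that straddles two pages is exactly the
    false join that page-sized carving avoids."""
    return [m.start() for m in RULES[rule_name].finditer(data)]


def build_sample_pagefile():
    """Constructed five-page pagefile:
    page 0   an HTTP response carrying a JSON webmail fragment
    page 1   zero-filled
    page 2   an HTML fragment
    page 3/4 an HTTP status line split across the boundary, i.e. two
             unrelated pages that only look contiguous on disk
    """
    pages = [bytearray(PAGE_SIZE) for _ in range(5)]
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
                b'{"from": "alice@example.com", "subject": "re: invoice"}')
    pages[0][:len(response)] = response
    html = b'<div class="msg">Hello</div>'
    pages[2][100:100 + len(html)] = html
    head, tail = b"HTTP/1.1 2", b"00 OK\r\n"
    pages[3][PAGE_SIZE - len(head):] = head
    pages[4][:len(tail)] = tail
    return bytes(b"".join(pages))


if __name__ == "__main__":
    sample = build_sample_pagefile()
    for rule, matched in sorted(carve(sample).items()):
        print(f"{rule:15s} pages {matched}")
    print("whole-file http_response offsets:", whole_file_search(sample, "http_response"))
```

The contrast is the point: a whole-file search reports two HTTP responses, one of them assembled from the tail of page 3 and the head of page 4, which were never part of the same allocation. The page-aligned carve reports only the genuine one on page 0, at the cost of missing any object larger than a page, which is why this works best for small web fragments.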

Daily Blog #753: Windows hello challenge part 4

Hello, Reader,

The bonus question in this challenge asked where Windows stores the biometric data used for facial recognition or fingerprint authentication. It turns out that this information is kept in a database located at:

\Windows\System32\WinBioDatabase

Inside this folder, you’ll find files named with GUIDs and a .DAT extension, for example:

DC576DA6-D676-4A15-906D-C0CEAF949543.DAT

These files contain an encrypted and hashed representation of the user's identity that Windows uses for authentication. They are managed by the Windows Biometric Framework; for more details, check out the Biometric Framework Overview on Microsoft Learn.

The encryption key in use remains unclear, and it is possible that these keys are held in the TPM. I'll take a closer look at this file in my next post to see if the Data Protection API is also being used.

Stay tuned!

Daily Blog #752: Windows hello challenge part 3 fingerprints

Hello Readers,

Believe it or not, I recently purchased a Windows Hello-compatible fingerprint reader purely to test its capabilities and examine the logs it generates. I’m pleased to report that the investment paid off—there’s now an event log entry in Microsoft-Windows-Biometrics that confirms a successful fingerprint-based authentication.

Here's the log entry, event ID 1004:

The Windows Biometric Service successfully identified <hostname>\<username> (S-1-5-21-3400467401-1001) using sensor: VeriMark DT Fingerprint Key (USB\VID_047D&PID_00F2&MI_01\7&163AA6B8&0&0001).

Much like facial recognition, this distinct log entry clearly indicates that a person (or someone who managed to spoof the sensor) was physically present at the keyboard.
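
When these entries are pulled from an exported log in bulk, the useful fields (host, account, SID, sensor name and the device instance path with its USB VID/PID) are buried in free text. The following added example, not code from this post, parses event ID 1004 messages into those fields using the layout of the single entry quoted above. The second sample message, with its host, SID and reader, is constructed to show a different sensor; the third is a constructed non-matching line.

```python
"""Parse Microsoft-Windows-Biometrics event ID 1004 message text.

Added example, not code from the original post. The field layout is taken
from the one event quoted above. The second sample message is constructed
(fictional host, SID and reader) to show the parser on a different sensor;
the third shows that a non-matching message is rejected rather than
mis-parsed.
"""
import re

EVENT_1004 = re.compile(
    r"successfully identified "
    r"(?P<host>[^\\\s]+)\\(?P<user>\S+) "
    r"\((?P<sid>S-1-5-[\d-]+)\) using sensor: "
    r"(?P<sensor>.+?) \((?P<device>[^)]+)\)\.?$"
)
USB_IDS = re.compile(r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")

SAMPLE_MESSAGES = [
    # The entry quoted in the post, placeholders left as printed there.
    r"The Windows Biometric Service successfully identified <hostname>\<username> "
    r"(S-1-5-21-3400467401-1001) using sensor: VeriMark DT Fingerprint Key "
    r"(USB\VID_047D&PID_00F2&MI_01\7&163AA6B8&0&0001).",
    # Constructed: same layout, made-up host, SID and reader.
    r"The Windows Biometric Service successfully identified LAB-PC\analyst "
    r"(S-1-5-21-1111111111-2222222222-3333333333-1001) using sensor: "
    r"Example Fingerprint Reader (USB\VID_1234&PID_ABCD&MI_00\6&ABCDEF01&0&0000).",
    # Constructed: not a successful identification; the parser must return None.
    "The Windows Biometric Service could not identify a user.",
]


def parse_1004(message):
    """Return the fields of a 1004 success message as a dict, or None."""
    match = EVENT_1004.search(message.strip())
    if not match:
        return None
    rec = match.groupdict()
    # Device instance path: bus\hardware-id\instance-id, e.g. USB\VID_...\7&...
    parts = rec["device"].split("\\")
    rec["bus"] = parts[0]
    rec["instance_id"] = parts[-1] if len(parts) > 2 else None
    ids = USB_IDS.search(rec["device"])
    rec["vid"] = ids["vid"].upper() if ids else None
    rec["pid"] = ids["pid"].upper() if ids else None
    return rec


def parse_all(messages):
    """Parsed records for every message that is a 1004 success."""
    return [rec for rec in map(parse_1004, messages) if rec is not None]


def readers_by_user(records):
    """user -> set of (VID, PID) readers that identified that user.
    A reader turning up under accounts that should never share a device
    is the kind of oddity worth a second look."""
    out = {}
    for rec in records:
        out.setdefault(rec["user"], set()).add((rec["vid"], rec["pid"]))
    return out


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_MESSAGES):
        print(f'{rec["host"]}\\{rec["user"]} {rec["sid"]} via {rec["sensor"]} '
              f'({rec["bus"]} VID {rec["vid"]} PID {rec["pid"]})')
```

The device instance path is worth keeping alongside the SID: it ties the authentication to a specific physical reader, so the same VID/PID and instance ID appearing in SetupAPI or USB device history gives a second artifact for the presence of that hardware.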

Daily Blog #751: Sunday Funday 2/16/25

Hello Reader,

It's Sunday! This week's challenge is all about what's left behind when someone is able to get a temporary access key from an IAM role in AWS. Let's see who can build the best detection set!


The Prize:

$100 Amazon Giftcard


The Rules:

  1. You must post your answer before Friday 2/21/25 7PM CST (GMT -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed; please email them to dlcowen@gmail.com. Please state in your email whether you would like to be anonymous if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post
  8. AI assistance is welcomed, but if a post is deemed to be entirely AI written it will not qualify for a prize.


The Challenge:

AWS IAM roles are often targeted by threat actors once they gain access to a running virtual machine. While IMDSv2 may prevent some attacks, the functionality is still there and is being actively exploited to obtain credentials and act as the instance's role. In this challenge I want you to try the following and document what logs are left behind that could be used to detect or determine that these actions occurred.

1. Retrieve a temporary AWS access key credential from IMDSv1

2. Retrieve a temporary AWS access key credential from IMDSv2

3. Use the temporary access key within an AWS VM

4. Use the temporary access key from outside of AWS

For all four scenarios, determine what logs are created.

Bonus: try to document other scenarios of theft and use, and additional sources of evidence.
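
As a starting point for the detection side of all four scenarios, here is an added example (mine, not a solution from this post) that triages CloudTrail records for instance-role credentials. It relies on two documented properties of CloudTrail's userIdentity element: credentials handed out by the metadata service appear as type AssumedRole with the instance ID as the role session name, and sessionContext.ec2RoleDelivery records "1.0" for IMDSv1 or "2.0" for IMDSv2, which separates scenarios 1 and 2. Scenarios 3 and 4 are separated by comparing sourceIPAddress with an inventory of instance addresses. The account, role, instance IDs, IP addresses, events and the inventory itself are all constructed.

```python
"""Triage CloudTrail for EC2 instance-role credentials used off the box.

Added example; it is not a solution from the challenge post. Field
semantics follow AWS's documented CloudTrail userIdentity element:
credentials issued through the instance metadata service show up as
type "AssumedRole" with the instance ID as the role session name, and
sessionContext.ec2RoleDelivery is "1.0" for IMDSv1 or "2.0" for IMDSv2.
Everything else here is constructed: the account, role, instance IDs,
IP addresses and events, and the instance inventory stands in for
whatever asset data the reader actually has.
"""
import ipaddress
import re

INSTANCE_ID = re.compile(r"^i-[0-9a-f]{8,17}$")

# Constructed inventory: instance -> public IP CloudTrail shows when that
# instance itself calls an AWS API. Behind a NAT gateway several instances
# share one address, so a match means "on the fleet", not "on the box".
INSTANCE_PUBLIC_IPS = {
    "i-0abc123def456789a": "203.0.113.10",
    "i-0fedcba9876543210": "203.0.113.55",
}


def make_event(time, source, name, src_ip, session, delivery=None, kind="AssumedRole"):
    """Build a trimmed CloudTrail record (constructed test data)."""
    ident = {"type": kind}
    if kind == "AssumedRole":
        ident["arn"] = f"arn:aws:sts::123456789012:assumed-role/WebRole/{session}"
        ident["sessionContext"] = {"sessionIssuer": {"userName": "WebRole"}}
        if delivery:
            ident["sessionContext"]["ec2RoleDelivery"] = delivery
    else:
        ident["arn"] = f"arn:aws:iam::123456789012:user/{session}"
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": src_ip, "userIdentity": ident}


SAMPLE_EVENTS = [
    make_event("2025-02-16T14:02:11Z", "s3.amazonaws.com", "ListBuckets",
               "203.0.113.10", "i-0abc123def456789a", "1.0"),      # box uses its IMDSv1 cred
    make_event("2025-02-16T14:03:40Z", "sts.amazonaws.com", "GetCallerIdentity",
               "203.0.113.10", "i-0abc123def456789a", "2.0"),      # box uses its IMDSv2 cred
    make_event("2025-02-16T14:09:02Z", "s3.amazonaws.com", "ListBuckets",
               "198.51.100.77", "i-0abc123def456789a", "2.0"),     # same cred, outside AWS
    make_event("2025-02-16T14:11:15Z", "iam.amazonaws.com", "ListUsers",
               "203.0.113.55", "i-0abc123def456789a", "1.0"),      # same cred, another instance
    make_event("2025-02-16T14:12:00Z", "ec2.amazonaws.com", "DescribeInstances",
               "ec2.amazonaws.com", "i-0abc123def456789a", "2.0"), # call made by an AWS service
    make_event("2025-02-16T14:15:30Z", "s3.amazonaws.com", "GetObject",
               "192.0.2.8", "alice", kind="IAMUser"),              # unrelated IAM user
]


def instance_session(event):
    """Instance ID when the caller is an EC2 instance-role session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    return session_name if INSTANCE_ID.match(session_name) else None


def imds_version(event):
    """'1.0' (IMDSv1), '2.0' (IMDSv2) or None if CloudTrail did not record it."""
    return event["userIdentity"].get("sessionContext", {}).get("ec2RoleDelivery")


def as_ip(value):
    """sourceIPAddress is a service DNS name for calls AWS makes on your behalf."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def triage(events, inventory=INSTANCE_PUBLIC_IPS):
    """One finding per instance-role event, with a verdict on where it came from."""
    findings = []
    for ev in events:
        inst = instance_session(ev)
        if inst is None:
            continue
        src = as_ip(ev.get("sourceIPAddress", ""))
        if src is None:
            verdict = "service-originated"
        elif src == inventory.get(inst):
            verdict = "on-instance"
        elif src in inventory.values():
            verdict = "off-instance (another known instance)"
        else:
            verdict = "off-instance (outside known fleet)"
        findings.append({"time": ev["eventTime"], "instance": inst,
                         "imds": imds_version(ev), "source_ip": ev["sourceIPAddress"],
                         "call": f'{ev["eventSource"]}:{ev["eventName"]}',
                         "verdict": verdict})
    return findings


def suspicious(findings):
    """Findings where the instance's credential was used from somewhere else."""
    return [f for f in findings if f["verdict"].startswith("off-instance")]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'{f["time"]} {f["instance"]} IMDSv{f["imds"]} {f["source_ip"]:>18} '
              f'{f["call"]:35} {f["verdict"]}')
```

Two caveats a real deployment has to carry. The retrieval itself (scenarios 1 and 2) leaves nothing in CloudTrail, because the IMDS call never reaches a public API; the first trace is the first API call made with the stolen key, and ec2RoleDelivery on that call tells you which IMDS version handed it out. The source-IP comparison is also only as good as the inventory: instances behind a shared NAT gateway all present the same address, so a stolen credential replayed from a neighbouring box in the same VPC looks "on-instance" here. GuardDuty's InstanceCredentialExfiltration findings (OutsideAWS and InsideAWS), where enabled, apply the same idea with AWS's own knowledge of the instance networking.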

Daily Blog #750: Solution Saturday 2/15/25

Hello Reader,

It's always a surprise to me what gets lots of entries and what gets just a few dedicated researchers. This week we have another winning answer from Ilya Kobzar. Ilya took the time to research Windows 11 shell bags, and we can test this in an upcoming test kitchen!

The Challenge:

Test what causes a shell bag to be created or updated based on the following actions:

1. A directory created in the command line

2. A file being copy and pasted

3. A folder being copy and pasted

4. A file being cut and pasted

5. A folder being cut and pasted

6. A directory being opened from file explorer

7. A directory being opened from the desktop

8. A directory being clicked on from file explorer

9. A directory being clicked on from the desktop

 The Winning Answer:

Ilya's Answer

Daily Blog #749: Happy Valentines Day

Hello Reader,

It's Valentine's Day! Make sure to take a moment to let the ones you love know you care. Here is a little card from ChatGPT-4o and me.

Daily Blog #748: National CCDC 2025

Hello Reader,

For over 15 years, I've had the honor of serving as the red team captain for the National Collegiate Cyber Defense Competition (NCCDC). Since its inception in the early 2000s, NCCDC has evolved from a handful of schools into a premier, nationwide event that now attracts teams from over 180 institutions across the country. This competition is more than just a contest; it's a rigorous, real-world simulation where our nation's next generation of cyber defenders learn to tackle emerging threats (us) head-on.

At NCCDC, we simulate live attack scenarios, leveraging the very tools and techniques that threat actors use in the field. Every year, I bring together the most effective strategies and custom tooling I've encountered in my real-world work, challenging collegiate teams to defend against sophisticated, dynamic cyber engagements. The environment is intense, and every engagement is a testament to the creativity and resilience of our future security professionals. Don't feel bad for these college students; they train all year long for a chance to lock us out.

What truly sets NCCDC apart is its lasting impact on participants. Many past competitors have gone on to become leaders in the cybersecurity world, working with top-tier companies, federal agencies, and innovative startups. Our alumni network is a vibrant community of experts who continue to shape our nation's cybersecurity landscape, using the skills honed in these competitions to safeguard our digital future.

Now, as we gear up for another exhilarating season, I'm reaching out to all skilled individuals ready to step into one of the best cyber simulations on the planet. Every year I put out a call for the limited number of volunteer spots on our red team, for those with a knack for thinking like an adversary. If you have a proven track record, demonstrated by a robust GitHub portfolio, innovative custom tooling, and a passion for making our digital world more secure, we want to hear from you.

This is your chance to:

  • Challenge Yourself: Engage in realistic simulations that push your skills to the limit.
  • Inspire Future Defenders: Share your expertise with tomorrow's cybersecurity leaders.
  • Be Part of a Legacy: Join a community whose alumni have gone on to make significant impacts in cybersecurity nationwide.
  • Be Destructive: We are one of the few competitions that allow the red team to take down blue team infrastructure and force them to rebuild and defend.

If you believe you have what it takes to survive one of the best cyber simulation engagements, please email your resume and GitHub portfolio to dlcowen@gmail.com.

Daily Blog #747: What I look for when reviewing external ips

Hello Reader,

One question I often receive from clients and new associates is: what do you look for when reviewing external IP addresses in logs, especially VPN or SaaS logs?

In the past, analysts would typically begin by searching for suspicious connections originating from foreign countries. That approach is less effective today. Many companies operate globally, and even those that don't see constant noise from automated scanners and brute-force attempts from abroad. Searching by country sometimes yields results, but the IP addresses of most threat actors we track no longer resolve to their home countries.

What we've observed instead is that many threat actors, from organized crime groups to nation-state actors, have shifted their operations to US-hosted virtual private servers (VPS). My current approach is to collect all unique IPs within a given time frame and enrich them with additional data, such as the datasets available from ipinfo.io. Their API can identify whether an IP is linked to hosting services, proxies, Tor nodes, anonymous IPs, or VPNs.

Documentation: IP Privacy Detection Database - IPinfo.io

I've found it is very rare for a legitimate employee to connect from a VPS. Narrowing the list down to this subset therefore gives a small set of IPs that is a reliable indicator of compromise.
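
The workflow above, as an added example rather than the post's own tooling: dedupe the external source IPs in a login log, enrich each one, keep only those with a hosting, VPN, proxy, Tor or relay flag, and report which accounts authenticated from them and whether any of those logins succeeded. The log lines are constructed, and the enrichment table is a constructed stand-in that copies the shape of ipinfo.io's privacy-detection flags so the script runs offline; swap lookup() for a real client to use it on a case.

```python
"""Reduce a VPN/SaaS login log to the external IPs on hosting, VPN, proxy,
Tor or relay infrastructure, then show who logged in from them.

Added example, not the post's own tooling. The log lines are constructed,
and PRIVACY_TABLE is a constructed stand-in for an ipinfo.io privacy
lookup (it copies the shape of that API's hosting/vpn/proxy/tor/relay
flags) so the script runs offline. Replace lookup() with a real client.
"""
import ipaddress
import re

INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LOGIN = re.compile(r"^(?P<ts>\S+) (?P<app>\S+) login user=(?P<user>\S+) "
                   r"src=(?P<ip>\S+) result=(?P<result>\S+)$")
FLAGS = ("hosting", "vpn", "proxy", "tor", "relay")

# Constructed log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2025-02-10T08:01:12Z vpn-gw login user=jdoe src=203.0.113.45 result=success
2025-02-10T08:04:55Z vpn-gw login user=asmith src=198.51.100.23 result=success
2025-02-10T13:22:03Z saas-sso login user=jdoe src=203.0.113.45 result=success
2025-02-11T02:17:40Z vpn-gw login user=jdoe src=192.0.2.200 result=success
2025-02-11T02:19:09Z vpn-gw login user=root src=192.0.2.250 result=failure
2025-02-11T02:19:10Z vpn-gw login user=admin src=192.0.2.250 result=failure
2025-02-11T09:40:31Z saas-sso login user=bchan src=10.0.5.7 result=success
"""

# Constructed enrichment results keyed by IP. Unknown IPs get no flags.
PRIVACY_TABLE = {
    "203.0.113.45":  dict.fromkeys(FLAGS, False),                          # residential ISP
    "198.51.100.23": dict.fromkeys(FLAGS, False),                          # residential ISP
    "192.0.2.200":   {**dict.fromkeys(FLAGS, False), "hosting": True},     # a VPS
    "192.0.2.250":   {**dict.fromkeys(FLAGS, False), "hosting": True, "tor": True},
}


def lookup(ip):
    """Stand-in for an ipinfo privacy-detection call."""
    return PRIVACY_TABLE.get(ip, {})


def parse_log(text):
    """Structured login events from the raw log text."""
    events = []
    for line in text.splitlines():
        m = LOGIN.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def external_ips(events):
    """Unique external source IPs in the window, sorted for stable output."""
    return sorted({e["ip"] for e in events if not is_internal(e["ip"])})


def flagged(ips, lookup=lookup):
    """ip -> list of privacy flags that are set, for IPs with at least one."""
    out = {}
    for ip in ips:
        info = lookup(ip)
        names = [f for f in FLAGS if info.get(f)]
        if names:
            out[ip] = names
    return out


def review(text, lookup=lookup):
    """Per flagged IP: flags, accounts seen, and successful logins.
    Successful logins from hosting/VPN space are the signal the post
    describes; failures from Tor are usually just scanner noise."""
    events = parse_log(text)
    report = []
    for ip, names in flagged(external_ips(events), lookup).items():
        mine = [e for e in events if e["ip"] == ip]
        report.append({
            "ip": ip, "flags": names,
            "users": sorted({e["user"] for e in mine}),
            "successful_logins": sum(e["result"] == "success" for e in mine),
            "failed_logins": sum(e["result"] == "failure" for e in mine),
        })
    return report


if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(row)
```

On the constructed data the two residential addresses drop out entirely, the Tor exit shows only failed root/admin attempts (brute-force noise), and the VPS is the one line that matters: a successful VPN login by an ordinary user account from hosting space at two in the morning. Enrich with the unique IP list rather than every log line, since the lookups are the expensive part and the same address repeats thousands of times in a busy VPN log.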

What techniques do you use? Let me know in the comments!