This Week's/Trending Posts

Hand-Picked/Curated Posts

Most Popular/Amcache

Hand-Picked/Weekly News

The Most/Recent Articles

usnjrnl

Daily Blog #739: USN Versions (2, 3 and 4)

 


 

Hello Reader,

Since I first looked at the USN Journal many years ago and Matthew and I released ANJP to parse it along with other data I've known there where multiple USN versions. I thought this post would be a good place to document what the differences are and when to expect to see them. 

 

USN Journal v2 – The Vista Era

  • Introduced:
    With the arrival of Windows Vista, the USN Journal came into existence.
  • What It Contains:
    At its core, v2 records fundamental details for every change on an NTFS volume: the unique file reference number, parent file reference, a monotonically increasing USN, timestamp, and a set of reason flags indicating why the change occurred.
  • Default Status:
    On any NTFS volume running Windows Vista or later, v2 is created not at format but after a certain number of changes occur if windows search indexing is turned on. .
  • Documentation: https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v2

USN Journal v3 – Refinements in Windows 8

  • Introduced:
    Windows 8 ushered in USN Journal v3.
  • What’s New:
    Building on v2’s foundation, v3 expanded the record structure to capture additional metadata. While the basic fields remain, v3 started to include more nuanced details about certain operations—particularly those around renames and changes to alternate data streams. The idea was simple: as our file operations got more sophisticated, our change records needed to do the same.
  • Default Status:
    For systems running Windows 8 and later, v3 became the default journal version on NTFS volumes. Again the journal is a subsystem that was meant to assist with drive indexing, backup programs and other utilities that needed to know when things changed and why. If you just format a disk the USN journal will not appear until you have created data that requires tracking. 
  • Documentation: https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v3

USN Journal v4 – The Windows 10 Evolution

  • Introduced:
    With Windows 10 (in a series of updates that refined NTFS’s internal structures), Microsoft rolled out USN Journal v4.
  • What’s New:
    v4 is less about a radical overhaul and more about fine-tuning. It includes extra fields to provide even more granular information about changes—covering aspects such as improved record consistency, additional flags for security-related modifications, and adjustments for better alignment with newer NTFS features. In short, v4 offers a more complete picture of file system activity while ensuring that the data is as robust and future-proof as possible.
  • Default Status:
    According to the MSDN documentation V4 records are only read if you Range Tracking is turned on within tghe journal.  .Otherwise my Windows 10 and 11 systems return V3 records. 
  • Documentation : https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v4

 

Read More
leveldb

Daily Blog #738: Arsenal Recon LevelDB Recon

 


 

Hello Reader,

Now that last week's Sunday Funday is over I can talk about a new (to me) tool from Arsenal Recon that Mark Spencer made me aware of, LevelDB Recon. Mark and his team of experts have created a tool to parse LevelDB files and extract all of the data it can find. So if you were looking for a simpler solution that what last weeks contestants went through it's included with a Arsenal Recon subscription!

 

 "LevelDB Recon parses LevelDB files (ldb, log, and sst extensions) more comprehensively and reliably than other tools we have evaluated. In other words, LevelDB Recon has been designed for maximum exploitation of LevelDB files - ultimately revealing records missed by other methods. LevelDB Recon includes logic to help make sense of the chaos often found within LevelDB data - for example, logic that attempts to locate and decode (in a human-friendly manner) many different types of timestamps."

 You can find out more here:

Arsenal Recon

 

Read More
windows hello

Daily Blog #737: Sunday Funday 2/2/25


 

 

Hello Reader,

It's Sunday! This week's challenge is all about Windows Hello! There is always a discussion of who was actually in front of the computer and with Windows Hello there is a chance you can say it was actually a certain person if they were using one of the biometric features. Let's see what you can determine from the logs left behind.


The Prize:

$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 2/7/25 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post
  8. AI assistance is welcomed but if a post is deemed to be entirely AI written it will not qualify for a prize. 


The Challenge:

 Test and document what logs are left behind when using Windows Hello to login into a Windows 10/11 system. This should include:

1. PIN Login

2. Fingerprint login (optional)

3. Facial Recognition login (preferred but optional)

bonus points for determining where the data for the authentication is stored.

Read More
sunday funday

Daily Blog #736: Solution Saturday 2/1/25

 


 

Hello Reader,

Another week, another new winner! Ilya Kobzar isn't new to me as we used to work together at KPMG, but he is new to the Sunday Funday winners list! Ilya isn't blogging daily but he has been blogging more recently with multiple entries for Sunday Funday's and his own research. I've always enjoyed working and learning from Ilya and I'm glad you all get a chance to as well!

The Challenge:


Test, document or if you are up for it develop/extend a solution for LevelDB databases that can:
1. Parse it's contents and display them
2. Allow you to query it
3. Optionally identify or recover deleted messages


The winning answer:

 Ilya Kobzar

https://www.ilyakobzar.com/p/leveldb-wal-log-extracting-chatgpt

Read More
zeltser challenge

Daily Blog #735: Zeltser Challenge Spotlight on Argelius Labs

 



 

Hello Reader,

Back in December when I posted the Zeltser challenge invitation, Matt Edmondson jumped right in. I made a note of his name in my secret tracking spreadsheet and assumed he’d follow through, even though he never mentioned where he’d be posting his contributions.

Today, I finally discovered the hidden treasure: 31 posts from Matt waiting to be explored! Whether you're into OSINT, AI, or NFL football, there's plenty to dive into.

Check out the Argelius Lab's blog to start exploring!

https://www.argeliuslabs.com/blog/

Read More
Interviewing

Daily Blog #734: My favorite interview question

 


 

Hello Reader,

I’ve read countless articles and attended many trainings about interview questions: what to ask, what not to ask, how to be clever, how to avoid bias, and how to make sure you’re assessing candidates thoroughly. But what I rarely see discussed is this: how do you truly get to know a candidate when you don’t even know who they are?

I’ve been interviewing and hiring people for over 25 years, and one thing I’ve learned is that the most important aspect of a candidate is what makes them special. This might be their hobbies, accomplishments, recoveries from setbacks, volunteer work, side projects, or unrelated jobs. The challenge, of course, is that you don’t know these things beforehand—so you don’t know which questions will bring them to light.

That’s where my favorite interview question comes in. If you’ve ever interviewed with me in the last seven years, you’ve likely heard me ask:

“What is the thing you are most proud of that I would never know to ask you about?”

That’s it. It seems simple, but it’s incredibly powerful. As soon as I ask it, I see a different person emerge—eyes light up, smiles appear, and the energy in the room shifts. The candidate is suddenly sharing something they’re deeply passionate about, and I get to learn something unexpected that I never would have guessed.

Because of this single question, I’ve learned about candidates who:

  • Started charities or volunteer organizations
  • Recovered from life-altering injuries with sheer determination
  • Launched businesses or open-source projects
  • Organized DJ events or found creative ways to bring people together
  • Crypto currency entrepreneurs 
  • Provided extensive care for parents or siblings
  • …and so much more

These stories give me a glimpse into who they really are, beyond the resume bullet points, GPAs, and certifications. I see the personal drive that shapes them—an indicator of whether they’ll be hungry for success and eager to learn everything we have to teach.

So, do yourself a favor. The next time you sit down to interview someone, step away from the standard list of questions and ask this one. You’ll open a window into who they are, and gain insights you’d never uncover otherwise. You’ll see the person behind the application—and that is the "one simple trick".

Read More
test kitchen

Daily Blog #733: Test Kitchen building cloud tools with cursor

 


 

Hello Reader,

 Today I did another non scheduled test kitchen where I walked through building a simple cloud tool to find logs in AWS. Then we attempted to expand to Azure, Google Cloud and other types of logs but did a bit too much at once before testing. I hope you find this informative!

 

 

 

Read More
krebs

Daily Blog #732: Multiple Identity Provider Disorder

 


 

Hello Reader,

This summer, we encountered a fascinating incident that highlights a surprising gap in how some third-party services handle authentication. Brian Krebs later covered the underlying issue in his post “Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services,” but our investigation was already finished by then. Let’s dive in.

The Scenario

Imagine your company has a third-party service provider where employees can create their own accounts. This service also supports authentication through multiple identity providers—like Google, Apple, or Facebook—to make logging in easier.

However, there’s a catch: in some cases, the third-party service will treat an identity-provider-based login as if it were the same account an employee created manually—even if they never actually linked their account to that identity provider.

How this Exploit Worked

  1. Manual Account Creation
    A user signs up for a third-party website using their company email address and even enables multi-factor authentication (MFA).

  2. Multiple Identity Providers
    The third-party site allows users to log in via providers like Google. Ideally, this is meant for convenience instead of creating an account manually.

  3. Domain Hijack
    A threat actor finds a loophole that lets them register the same email address on Google Workspace—even though the domain actually belongs to someone else. (See Krebs’s article for how they bypass Google’s verification.)

  4. Unintended Access
    Once the attacker has set up that Google Workspace email, they sign in to the third-party service using Google. Because the service trusts Google’s authentication, it grants the attacker access to the real user’s account—MFA included.

Why This Shouldn’t Work

  • Identity Provider Verification
    Google (or any identity provider) should confirm domain ownership before allowing someone to create email accounts for that domain. Attackers found a way around this requirement.

  • Third-Party Account Linking
    The third-party service should recognize that the user’s existing account isn’t linked to Google. However, many services fail to confirm whether an account was created manually vs. through an identity provider, resulting in the user’s legitimate account being “taken over.”

Our Investigation

In the logs, we noticed a user’s account authenticating via Google—odd, since that user’s company uses Microsoft 365. After reaching out to Google, we learned that the domain had recently been set up on Google Workspace, which led to a small set of logs confirming a brand-new account. Initially, we thought the third-party website might have suffered a larger breach. Then Brian Krebs’s coverage explained exactly how attackers managed to bypass Google’s email verification, confirming our findings.

Things to look for

  • If you’re investigating an incident and see a user “miraculously” authenticating—especially if it’s not a straightforward case of stolen tokens—check the identity providers the third-party service supports.

This case was a stark reminder that even well-known platforms can be manipulated if there’s a loophole in domain or email verification procedures.


Read More
Subscribe to: Posts ( Atom )