
Daily Blog #799: Solution Saturday 4/5/25

 


Hello Reader, 

This week no one managed to submit a full answer, since I asked for all three major clouds. The closest was Chris Eng, who did a full review of Azure and found delivery times that were much faster than the last time I checked! It looks like I need to go back, do my own tests, and write them up here.


The Challenge:

For the main cloud providers (AWS, Azure, Google Cloud), determine how long it takes from the moment you perform the action until the log becomes available, for the following actions:

1. Logging in successfully

2. Failing to log in

3. Changing a user's permissions

4. Deleting a user

5. Creating a user

The Winning Answer:

Chris Eng / OG Mini Blog

https://ogmini.github.io/2025/04/02/David-Cowen-Sunday-Funday-Cloud-Log-Delays.html


Daily Blog #798: Forensic Lunch Test Kitchen 4/4/25 - Using Replit!

 


Hello Reader,

Today Evan and I used Replit to create a digital forensic artifact website. While the website itself needs a lot more content to be useful, the fact that Replit created, tested, and deployed it within an hour is really impressive, considering neither of us had used it before.

Here is the website it made:

https://autodavecowen.replit.app/

Here is the video:

 

Daily Blog #797: Azure Snapshot Downloads

Hello Reader,

One of my favorite features in Azure is how easy it is to work with virtual disk snapshots. When you create a snapshot of a virtual disk (VHD), Azure lets you generate a direct download link for the raw disk—no extra steps needed.

Compare that to other cloud platforms:

  • In AWS, I have to use tools like coldsnap

  • In Google Cloud, I need to convert the snapshot into an image first

But with Azure, it just works.

Want to try it yourself? Here’s how:


Steps to Export a Snapshot in Azure

  1. Create a Snapshot
    Choose the storage or OS disk you want to analyze.

  2. Select "Full Snapshot"; otherwise you'll only get the recent changes, and your forensic tools can't parse an incremental snapshot.

  3. Click "Export Snapshot"

  4. Click "Generate URL"
    Azure will create a temporary, signed URL for direct download that lives for one hour. Want it to last longer? Just add zeros to the expiry time.

Use your favorite download tool to grab the file. I usually go with azcopy for speed and reliability.
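The same export driven from Python instead of the portal, as an added example that is not the post's code: it assumes azure-identity, azure-mgmt-compute and azcopy are available and that the identity is allowed to manage snapshots in the resource group; the subscription, resource group, disk and output path names are placeholders. It goes slightly beyond the steps above by checking the SAS expiry before downloading and revoking the link once the copy finishes.

```python
import subprocess
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

DEFAULT_SAS_SECONDS = 3600  # the portal's one-hour default; scale up for a longer-lived link


def sas_expiry(sas_url):
    """Return the signed expiry ('se=') of a SAS URL as an aware UTC datetime."""
    se = parse_qs(urlsplit(sas_url).query).get("se")
    if not se:
        raise ValueError("URL has no 'se' (signed expiry) parameter")
    return datetime.fromisoformat(se[0].replace("Z", "+00:00")).astimezone(timezone.utc)


def sas_is_usable(sas_url, now=None, margin_seconds=60):
    """True if the SAS URL will still be valid for at least margin_seconds."""
    now = now or datetime.now(timezone.utc)
    return (sas_expiry(sas_url) - now).total_seconds() > margin_seconds


def export_snapshot(subscription_id, rg, disk_name, snap_name, dest_path,
                    seconds=DEFAULT_SAS_SECONDS):
    """Create a full snapshot of a managed disk, download it as a VHD, revoke the link."""
    # Imported here so the pure helpers above work without the Azure SDK installed.
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.compute import ComputeManagementClient

    client = ComputeManagementClient(DefaultAzureCredential(), subscription_id)
    disk = client.disks.get(rg, disk_name)
    # incremental=False is the "Full Snapshot" the post insists on; an incremental
    # snapshot only holds changed blocks and forensic tools cannot parse it.
    snapshot = {
        "location": disk.location,
        "incremental": False,
        "creation_data": {"create_option": "Copy", "source_resource_id": disk.id},
    }
    client.snapshots.begin_create_or_update(rg, snap_name, snapshot).result()
    grant = client.snapshots.begin_grant_access(
        rg, snap_name, {"access": "Read", "duration_in_seconds": seconds}).result()
    if not sas_is_usable(grant.access_sas):
        raise RuntimeError("SAS link already expired; ask for a longer duration")
    try:
        # azcopy handles the multi-GB transfer; the SAS URL is a bearer token for the
        # raw disk, so it is revoked as soon as the copy finishes (or fails).
        subprocess.run(["azcopy", "copy", grant.access_sas, dest_path], check=True)
    finally:
        client.snapshots.begin_revoke_access(rg, snap_name).result()
    return dest_path


if __name__ == "__main__":  # placeholder names; replace with your own
    export_snapshot("<subscription-id>", "<resource-group>", "<disk-name>",
                    "forensic-snap-001", "./disk.vhd")
```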




Daily Blog #796: Using AI's to help you with EDR searches

 


Hello Reader,

I've been exploring an effective new use case with various AI models: using them to generate queries across different Endpoint Detection and Response (EDR) platforms. Depending on the client, I regularly switch between multiple EDR solutions, including CrowdStrike Falcon, SentinelOne, Carbon Black Cloud, Palo Alto Cortex XDR, and Microsoft Defender. While I typically know exactly what I want to search for, remembering each platform’s specific syntax (and unique tables—thanks, Microsoft!) can be challenging without a handy cheat sheet.

To simplify things, here are the prompts I gave ChatGPT 4.5 and the queries it produced for finding a specific hash on each EDR platform:

1. CrowdStrike Falcon

Prompt:

"Write a query for CrowdStrike Falcon to search all hosts for a specific hash."

Query:

event_simpleName=ProcessRollup2 SHA256HashData="<your_hash_here>"

2. SentinelOne

Prompt:

"Write a query for SentinelOne to search hosts for a specific hash."

Queries:

ProcessHash = "<your_hash_here>"

or

SHA256 = "<sha256_hash_here>"

3. Carbon Black Cloud

Prompt:

"Write a query for Carbon Black Cloud to search all hosts for a specific hash."

Query:

SELECT path, hash.sha256, hash.md5, hash.sha1 FROM file WHERE hash.sha256 = '<your_sha256_here>' OR hash.md5 = '<your_md5_here>' OR hash.sha1 = '<your_sha1_here>';

4. Palo Alto Cortex XDR

Prompt:

"Write a query for Palo Alto XDR to find a hash across all hosts."

Query:

dataset = xdr_data | filter action_file_sha256 = "<your_sha256_hash_here>"

5. Microsoft Defender for Endpoint

Prompt:

"Write a query for Microsoft Defender to search hosts for a specific hash."

Queries:

DeviceFileEvents | where SHA256 == "<your_sha256_hash_here>"

For processes:

DeviceProcessEvents | where SHA256 == "<your_sha256_hash_here>" | project Timestamp, DeviceName, FileName, FolderPath, SHA256

Next time you're stuck recalling the exact syntax but know precisely what you're looking for, just ask your friendly neighborhood AI assistant for a quick reminder!
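As an added example (not code from the post), a small Python helper that takes the hash you have, checks that it really is an MD5, SHA1 or SHA256 hex digest, and renders the post's query templates for the platforms whose field holds that algorithm. The platform keys and the empty-input SHA256 sample are mine; SentinelOne's ProcessHash template is left out because the post does not say which algorithm that field holds.

```python
import re

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def detect_hash_type(value):
    """Return 'md5', 'sha1' or 'sha256', or raise ValueError for anything else."""
    value = value.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) not in HEX_LENGTHS:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return HEX_LENGTHS[len(value)]


def build_hash_queries(value):
    """Map platform key -> query string, using only the post's templates.

    Validating the indicator first also means a hash pasted from an untrusted
    report cannot smuggle query syntax into any of the generated searches.
    """
    h = value.strip().lower()
    algo = detect_hash_type(h)
    queries = {
        # Carbon Black Cloud Live Query exposes all three digests on the file table.
        "carbon_black": (
            "SELECT path, hash.sha256, hash.md5, hash.sha1 FROM file "
            f"WHERE hash.{algo} = '{h}';"
        ),
    }
    if algo == "sha256":  # the remaining templates in the post are SHA256-only
        queries.update({
            "crowdstrike": f'event_simpleName=ProcessRollup2 SHA256HashData="{h}"',
            "sentinelone": f'SHA256 = "{h}"',
            "cortex_xdr": f'dataset = xdr_data | filter action_file_sha256 = "{h}"',
            "defender_files": f'DeviceFileEvents | where SHA256 == "{h}"',
            "defender_processes": (
                f'DeviceProcessEvents | where SHA256 == "{h}" '
                "| project Timestamp, DeviceName, FileName, FolderPath, SHA256"
            ),
        })
    return queries


if __name__ == "__main__":
    # Constructed sample: SHA256 of empty input, not an indicator of anything.
    sample = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    for name, q in build_hash_queries(sample).items():
        print(f"{name}:\n  {q}")
```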



Daily Blog #795: What did Gemini make up part 2

 


Hello Reader,

In the last post we focused on the made-up blog posts Gemini cited. Now let's look at some of the facts it stated about how long these artifacts persist. When talking about prefetch files it does well:

"Limited number of files (e.g., 1024 on Win 10/11). Oldest files are deleted on a FIFO (First-In, First-Out) basis."

But when talking about LNK files, which have a similar issue (a maximum number on a system before deletion), it said:

"Persists until deleted. Timestamps update upon access."

Another example is jump lists:

"Persists within the user profile. Number of entries/files managed by Windows/apps."

We know from testing that this maxes out at 2048.

Now, knowing that we've caught two types of errors, would I use AI to help me write up these materials? In short, Yes! Why? Because it's easier for me to review, correct and edit when it got a lot of the other parts right.



Daily Blog #794: What did gemini make up?

 

Hello Reader,

In last week's post I posted a document that Google Gemini 2.5 Pro created regarding Windows 11 execution artifacts. This week I want to break down where Gemini just made stuff up or was incorrect. The point here is you still need to check the AI model's work and know how and when to use it in your own work. 

Today let's start with something simple, the blog links referenced. Here's an example:

https://www.google.com/search?q=https://www.hecfblog.com/2019/05/recentapps-registry-key.html 

So we can see that Google Gemini decided to embed a Google search for what appears to be a valid blog entry on hecfblog.com. Unfortunately this blog post doesn't actually exist.

What Gemini did was make up likely URLs for each topic, but it didn't actually search the blog to find the right one. So that's just the first example of a mistake; let's see what else waits for us tomorrow.



Daily Blog #793: Sunday Funday 3/30/25

 


Hello Reader, 

Every week I ask myself, what do we not know? This week I want to focus your combined attention on log delivery delays in the cloud. Each cloud has pros and cons, so let's find out which one gets you the failed logins the fastest.

The Prize:

$100 Amazon Giftcard


The Rules:

  1. You must post your answer before Friday 4/4/25 7PM CST (GMT -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post
  8. AI assistance is welcomed but if a post is deemed to be entirely AI written it will not qualify for a prize. 


The Challenge:

For the main cloud providers (AWS, Azure, Google Cloud), determine how long it takes from the moment you perform the action until the log becomes available, for the following actions:

1. Logging in successfully

2. Failing to log in

3. Changing a user's permissions

4. Deleting a user

5. Creating a user



Daily Blog #792: Solution Saturday 3/29/25

Hello Reader,

This week we challenged you to find out what SSH artifacts are left behind on Windows systems that now have native SSH servers and clients. It shouldn't be a surprise that the person who suggested the Windows angle was also the person who won! Congrats to Chris Eng!

 

The Challenge:

Test what artifacts are left behind from SSHing into a Windows 11 or 10 system using the native SSH server. Bonus points for tunnels.

 

The Winning Answer:

Chris Eng at the OG mini blog:

https://ogmini.github.io/2025/03/25/David-Cowen-Sunday-Funday-SSH-Windows.html

https://ogmini.github.io/2025/03/26/Windows-SSH-Testing-Part-1.html

https://ogmini.github.io/2025/03/27/Windows-SSH-Testing-Part-2.html

https://ogmini.github.io/2025/03/28/Windows-SSH-Testing-Part-3.html

