
Daily Blog #770: Forensic Lunch Test Kitchen 3/7/25

 


Hello Reader, 

Tonight Evan and I took an express train to the coast and brought a Jimmy Buffett inspired web interface to Margarita Shotgun with one prompt and two fixes. Here is the prompt:

 "create a web interface as you proposed earlier to allow the user to be able to configure, run, manage and monitor the tool. This should not require nodejs or react, things like flask and bootstrap or htmx would be better. I want the server and front end to be self contained within the script and while it can add additional libraries it should not require additional programs/servers/framework or systems to be installed outside of just python modules. The interface should be modern, resizable, sortable on any fields displayed and have an overall theme of Jimmy Buffett's classic tale of wasting away again in Margaritaville. Thematic elements of shotguns, limes, margaritas, salt shakers and phrases like 'it's five o'clock somewhere' are encouraged. If you cannot generate the art images ascii art is acceptable. Quotes from Jimmy Buffett are desirable and welcome in the interface. The http server and web mode should start if someone runs the script without options, it should then return a text string telling them the localhost url to visit to view the page. "

and with that, the Claude 3.7 model in Cursor actually did generate a full Margaritaville themed web dashboard for a tool that never had one! Next week we will actually test the tool to see if it works. Tomorrow though, stay tuned to see who won this week's Sunday Funday Challenge!

 

 

Daily Blog #769: Forensic Lunch Test Kitchen

 


Hello Reader,

 Tonight Evan and I used Cursor with the Claude 3.7 model to bring back to life the popular tool Margarita Shotgun (GitHub - ThreatResponse/margaritashotgun: Remote Memory Acquisition Tool)! We got it to update the code to modern Python 3 (the code hasn't been updated in 7 years), suggest improvements and add a new interactive UI using the rich library... and it worked! Tomorrow night we will have a test environment in AWS to see what else needs to be fixed.

 

Daily Blog #768: HTCIA Boston April 8, 2025

 


Hello Reader,

I'll be at the HTCIA Boston meeting on April 8, 2025 along with my colleagues Adam Hart and Kaya Overholzer, speaking on some fun topics.

 

Adam is going to be speaking on Ransomware forensics and negotiations

Kaya is going to be speaking on ATM Jackpotting

and I'll be talking about Windows Hello Forensics. 

 

I hope to see some of you there!

Daily Blog #767: Forensic Lunch Test Kitchen - unit tests and documentation

 


Hello Reader,

Tonight we got Claude 3.7 and GPT 4.5 to write unit tests and documentation for our tool. Also, our tool is now on GitHub! Check it out!

 https://github.com/dlcowen/CloudTrailLogExplorer

Watch the stream here:

 

Daily Blog #766: Surviving the breach Episode 0

 


 

Hello Reader,

 Erik and I have recorded an 'episode 0' which is an introduction episode to the podcast. Next we will put up Episode 2 which is called 'When to fire your IR team'. Here is a link to episode 0 and I hope you like it!

 

 You can listen to it here:

Libsyn Directory


Daily Blog #765: Sunday Funday 3/2/25

 


Hello Reader,

It's Sunday! This week's challenge is all about Microsoft 365! I know many of you are routinely searching and reviewing Microsoft 365 UAL logs so let's see what you know!


The Prize:

$100 Amazon Giftcard


The Rules:

  1. You must post your answer before Friday 3/7/25 7PM CST (UTC -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post
  8. AI assistance is welcomed but if a post is deemed to be entirely AI written it will not qualify for a prize.


The Challenge:

What log entries are left behind when the following scenarios occur:

1. A user searches their own mailbox

2. A user searches their own OneDrive

3. An administrator searches their own mailbox

4. An administrator searches their own OneDrive

5. An administrator searches someone else's mailbox

6. An administrator searches someone else's OneDrive
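The challenge asks what the UAL records look like for each scenario; what follows is an added example and not part of the original post, nor the challenge answer. It is a small Python triage routine for a Search-UnifiedAuditLog CSV export: it parses the AuditData JSON cell, then decides whether the actor touched their own mailbox or OneDrive or someone else's, using MailboxOwnerUPN (plus the LogonType Owner/Admin/Delegate value) for Exchange records and the /personal/<slug> segment of the OneDrive site URL for OneDrive records. The rows are constructed; the tenant, the UPNs and the operation names in them are illustrative values only, and the truncated last row exercises the malformed-cell path.

```python
import json
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample rows (not real tenant data). They mirror the columns that
# Search-UnifiedAuditLog | Export-Csv produces; the AuditData cell holds a JSON blob.
# Operation names here are illustrative only and are not the challenge answer.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"CreationDate": "2025-03-03T14:02:11", "UserIds": "alice@contoso.example",
     "Operations": "MailItemsAccessed",
     "AuditData": json.dumps({"Workload": "Exchange", "Operation": "MailItemsAccessed",
                              "UserId": "alice@contoso.example",
                              "MailboxOwnerUPN": "alice@contoso.example", "LogonType": 0})},
    {"CreationDate": "2025-03-03T14:05:40", "UserIds": "alice@contoso.example",
     "Operations": "FileAccessed",
     "AuditData": json.dumps({"Workload": "OneDrive", "Operation": "FileAccessed",
                              "UserId": "alice@contoso.example",
                              "SiteUrl": "https://contoso-my.sharepoint.com/personal/alice_contoso_example/"})},
    {"CreationDate": "2025-03-03T15:10:02", "UserIds": "admin@contoso.example",
     "Operations": "MailItemsAccessed",
     "AuditData": json.dumps({"Workload": "Exchange", "Operation": "MailItemsAccessed",
                              "UserId": "admin@contoso.example",
                              "MailboxOwnerUPN": "bob@contoso.example", "LogonType": 1})},
    {"CreationDate": "2025-03-03T15:12:55", "UserIds": "admin@contoso.example",
     "Operations": "FileAccessed",
     "AuditData": json.dumps({"Workload": "OneDrive", "Operation": "FileAccessed",
                              "UserId": "admin@contoso.example",
                              "SiteUrl": "https://contoso-my.sharepoint.com/personal/bob_contoso_example/"})},
    # A row whose AuditData cell was truncated by the export: must not crash the triage.
    {"CreationDate": "2025-03-03T15:20:00", "UserIds": "carol@contoso.example",
     "Operations": "FileAccessed", "AuditData": '{"Workload": "OneDrive", "Use'},
]

# LogonType values from the Exchange mailbox audit record schema.
LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}


def load_audit_data(row: Dict[str, str]) -> Dict:
    """Parse the AuditData JSON cell; a truncated or empty cell yields {} instead of an exception."""
    try:
        data = json.loads(row.get("AuditData") or "{}")
    except json.JSONDecodeError:
        return {}
    return data if isinstance(data, dict) else {}


def upn_to_personal_slug(upn: str) -> str:
    """OneDrive personal sites live under /personal/<UPN with '@' and '.' replaced by '_'>."""
    return upn.lower().replace("@", "_").replace(".", "_")


def personal_slug_from_url(site_url: str) -> Optional[str]:
    """Return the /personal/<slug> segment of a OneDrive URL, or None for a non-personal site."""
    parts = urlparse(site_url).path.lower().strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "personal":
        return parts[1]
    return None


def normalize(row: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Flatten one export row into the actor / workload / target fields used for triage."""
    data = load_audit_data(row)
    workload = str(data.get("Workload", ""))
    actor = str(data.get("UserId") or row.get("UserIds") or "").lower()
    target: Optional[str] = None
    if workload == "Exchange":
        target = str(data.get("MailboxOwnerUPN", "")).lower() or None
    elif workload in ("OneDrive", "SharePoint"):
        target = personal_slug_from_url(str(data.get("SiteUrl", "")))
    return {
        "time": row.get("CreationDate"),
        "operation": str(data.get("Operation") or row.get("Operations") or ""),
        "workload": workload,
        "actor": actor,
        "target": target,
        "logon_type": LOGON_TYPES.get(data.get("LogonType")),
    }


def classify(rec: Dict[str, Optional[str]]) -> str:
    """'self' when the actor touched their own mailbox/OneDrive, 'other' for someone else's,
    'unknown' when the record carries no usable owner information."""
    if not rec["target"] or not rec["actor"]:
        return "unknown"
    if rec["workload"] == "Exchange":
        return "self" if rec["actor"] == rec["target"] else "other"
    return "self" if upn_to_personal_slug(rec["actor"]) == rec["target"] else "other"


def summarize(rows: List[Dict[str, str]]) -> Dict:
    """Count records per (actor, verdict); the 'other' bucket is the review queue."""
    counts: Counter = Counter()
    for row in rows:
        rec = normalize(row)
        counts[(rec["actor"], classify(rec))] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        rec = normalize(row)
        print(rec["time"], rec["actor"], rec["operation"], classify(rec), rec["logon_type"] or "")
    print(summarize(SAMPLE_ROWS))
```

On a real export, load the CSV with csv.DictReader and feed the rows to summarize(); every (actor, "other") pair is an administrator or delegate reaching into another user's data and is where the manual review starts. Matching OneDrive ownership by the personal-site slug rather than rebuilding a UPN from the URL avoids the lossy reverse mapping (both '@' and '.' become '_' in the slug).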

 

Daily Blog #764: Solution Saturday 3/1/25

 

Hello Reader,

  No winner this week. I think sometimes I'm the only person who is digging into these weird topics. That's ok though, I'll just do the testing myself and document it in future posts!


The Challenge:

 On a Windows 11 or Windows 10 system:

1. Make sure Windows Search is enabled

2. Create files with unique phrases such as "This is the smoking gun"

3. Make sure the files are indexed and present in the Windows Search database

4. Delete the document and determine what the trigger method is and the timing for the contents to be deleted from the search database

Bonus: Determine if the deleted records are recoverable

 

Daily Blog #763: Forensic Test Kitchen trying ChatGPT 4.5!

 


Hello Reader,

Tonight we continued our exploration of Claude 3.7 in the creation of our CloudTrail downloading tool and even took a detour to ChatGPT 4.5, which solved our issues! Watch below and see how the models interpret our rules files.