This Week's/Trending Posts

Solution Saturday Series

Sunday Funday Series

Forensic Lunch

The Most/Recent Articles

log delay

Daily Blog #809: Testing AWS Log latency - CreateAccessKey

 


Hello Reader,

Continuing from yesterday’s post, it's time for another AWS CloudTrail speed test. Today, we're testing the CreateAccessKey event, which occurs when a new Access Key ID is created for an IAM user.

Second Test: AWS CreateAccessKey Event

When I first ran this test, I wasn’t sure which region the log would appear in. Unlike the console sign-in URL, IAM is a global service. That means there’s no region-specific endpoint that clearly indicates where CloudTrail logs will land for IAM activity.

I had a theory that the event would appear in us-east-1—mainly because it's always listed first in AWS’s list of regions. Just to be sure, I switched between us-east-1 and us-east-2 during testing.

Results

Sure enough, after just 90 seconds, the CreateAccessKey event appeared in us-east-1, confirming my suspicion. Just like with the ConsoleLogin event, the delivery was:

  • Faster than the 15-minute SLA
  • Quicker than AWS’s target goal of 5 minutes for critical events

Coming Up

In tomorrow’s blog post, I’ll be testing the log delay for changing account permissions. Stay tuned!

Read More
testing

Daily Blog #808: Testing AWS Log latency - ConsoleLogin




Hello Reader,

In a recent Sunday Funday discussion, I asked about the actual log delay across the major cloud providers. By log delay, I mean the time it takes for an event to appear in a cloud provider’s audit log after it has occurred.

Chris Eng did a solid job documenting this behavior for Azure, but didn’t cover AWS or Google Cloud. So, this post kicks off a new blog series where I’ll be digging into the log delays for those platforms—starting with AWS, and then moving on to Google Cloud.

First Test: AWS ConsoleLogin Event

For this initial test, I focused on the ConsoleLogin event in AWS. This is a CloudTrail-logged event that captures when a user successfully signs into the AWS web console.

The first time I ran the test, I unknowingly logged in through the us-east-2 region but was searching for logs in us-east-1. Since CloudTrail logs are region-specific, this led to confusion. Whether you’re using the Event History view or checking the S3 bucket where logs are stored, you need to ensure you're looking in the correct region if you want to see the expected log appear.

I knew something was off when my stopwatch hit 17 minutes without any sign of the login event—even though AWS provides a 15-minute SLA for log delivery. Once I switched my search to us-east-2, I immediately found the ConsoleLogin event and realized I needed to redo the test.

Results

After logging out and back in (confirming again that my login URL showed us-east-2), I monitored CloudTrail for the event. The ConsoleLogin event showed up within 90 seconds of clicking the “Sign in” button.

That’s not only faster than the 15-minute SLA, but also quicker than AWS’s targeted 5-minute delivery time for critical events.

Coming Up

In tomorrow’s blog post, I’ll test the log delay for API key creation. Stay tuned!

Read More
sunday funday

Daily Blog #807: Sunday Funday 4/13/25

 


Hello Reader, 

This week I'm hoping for more of you to get involved and give Chris Eng some competition. With that in mind I'm going to make this challenge as accessible as possible but still have an outcome that increases the overall knowledge of the field. So let's get started on this week's browser stored credential challenge.

The Prize:

$100 Amazon Giftcard

 
The Rules:

  1. You must post your answer before Friday 4/18/25 7PM CST (GMT -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post
  8. AI assistance is welcomed but if a post is deemed to be entirely AI written it will not qualify for a prize. 


The Challenge:

It's becoming more common that the first thing an attacker will try to do if they get access to a user's system is extract all of the saved browser passwords. Profile a popular browser password extractor (such as WebBroweerPassView or HackBrowserData) and detail what artifacts are left behind that would reveal their usage on a Windows 11 system. Extra points if you:
a. Try multiple browser password viewing tools
b. Try MacOS as well as Windows

Read More
wsl

Daily Blog #806: Solution Saturday 4/12/25

 


Hello Reader, 

This week Chris Eng comes back again with some research in his own Daily Blogs about WSL. While I think we can all appreciate Chris's winning streak I'm looking for all of you to come out in force this coming week to challenge him for a win!

 

The Challenge:

What artifacts are left behind when running a docker container using Ubuntu WSL (which I believe is the default standard. Bonus points for artifacts that reflect interactions between the container and the host.

 

The winning answer:

Chris Eng / OG Mini Blog

https://ogmini.github.io/2025/04/08/David-Cowen-Sunday-Funday-WSL-Docker.html

https://ogmini.github.io/2025/04/10/WSL-Docker-Part-2.html

https://ogmini.github.io/2025/04/11/WSL-Docker-Part-3.html

Read More
mtt

Daily Blog #805: Mount That Thing!

 


Hello Reader,

If you've ever done forensics on modern linux systems disk images you may have encountered the dread that comes with dealing with lots of LVMs (Logical Volume Management) which none of the commercial forensics tools seem to be able to fully handle, yes even Xways.  Well instead of being full of existential dread of having to export, reimport and handle all of these partitions you can take advantage of the command line kung fu of Hal Pomeranz to automate this process for you!

Hal wrote a tool called MTT or Mount That Thing which .. well it's mounts things! You provide it with the linux disk images and it takes care of finding, identifying and mounting all of the LVMs and partitions within it so the data is accessible.  

Overview of the Script

This script is designed to automate the following operations:

  • Mounting disk images (E01 or raw)

  • Handling LVM volumes

  • Automatically identifying and mounting partitions

  • Exporting mounted partitions into E01 format if desired

  • Safely unmounting and cleaning up devices and volumes when finished

All mount operations are performed read-only, with noexec and other conservative options to preserve evidence integrity.

Key Features

Mounting Disk Images

  • E01 support: If the image is in Expert Witness format, the script uses ewfmount to extract the raw image and proceed with analysis.

  • Partition detection: For full disk images (e.g., MBR), it uses losetup -P to enumerate partitions and identify associated file systems.

  • LVM support: Detects and activates volume groups, carefully handling potential naming collisions with already mounted LVM volumes.

  • Filesystem recognition: Supports EXT2/3/4, XFS, BTRFS, and FAT file systems, with logic to apply the appropriate mount options for each.

  • Root partition detection: Identifies the likely root partition via fstab or naming heuristics and mounts it first.

  • Command logging: All mount operations are logged to a MOUNTING file within the target directory for reproducibility and audit trails.

Export to E01 Format

When invoked with the -E flag, the script will:

  • Export each mounted partition using ewfacquire

  • Segment the output if required via the -S option (e.g., for 2 GB chunks)

  • Name exports based on their mount point or partition origin to maintain clear context

  • Store exports and logs in an exported/ subdirectory of the target mount path

This is especially useful for archiving or handing off discrete pieces of evidence.

Safe and Comprehensive Unmounting

Using the -U flag, the script will:

  • Unmount all associated filesystems

  • Deactivate volume groups via vgchange -a n

  • Detach all loopback devices with losetup -d

  • Kill any ewfmount processes by unmounting their working directory

This ensures that the analyst can return the system to a clean state after analysis or re-run the script on a new image without residual device conflicts.

Usage Example

Mount and export an image:

./mount_image.sh -d /mnt/evidence -E -S 2147483648 image.E01

Unmount everything cleanly:

./mount_image.sh -U /mnt/evidence

Default behavior places mount artifacts under a mount/ directory, but this can be overridden with the -d flag.

Give it a shot! 

https://github.com/halpomeranz/dfis/blob/master/mtt.sh

Read More
testing

Daily Blog #804: Introducing Puck!


 

Hello Reader,

I'm excited to share some news today—Evan Anderson, who you might recognize from our Vibe Coding livestreams, has just launched a new product: Puck!

Puck (available at puck.tools) is the result of Evan’s 20 years in cybersecurity, including extensive experience in offensive operations and advanced red team deployments. At its core, Puck simulates a threat actor within your network with one simple mission: to get back home.

But let’s be clear—Puck isn’t an automated pentesting framework, a vulnerability scanner, or an attack surface mapping tool. It does just one thing, and it does it exceptionally well: it tests your network's egress controls. Using a wide array of protocols, techniques, and methods—much like a sophisticated command-and-control (C2) tool or real-world threat actor—Puck tries to reach out. If it succeeds, it reports back with the exact methods that worked, alerting you to any changes that may have weakened your defenses.

Puck is especially valuable in environments that require strict segmentation, such as PCI-regulated networks and other high-security zones where internet access is supposed to be tightly controlled. It can be deployed either as a virtual machine or a physical device, running continuously to ensure you're immediately aware of any egress violations caused by network changes.

Check it out at puck.tools—I genuinely think it’s a fantastic tool!


Read More
powerpoint

Daily Blog #803: Getting Chat GPT 4o to make fancy powepoints

 

Hello Reader,

Yesterday, when I shared my presentation, I mentioned that while I conducted all the research myself, I used ChatGPT-4o to create all of the slides.

Why? Because I have absolutely no artistic skills—but I did have all the technical knowledge I wanted to communicate. If you’re like me and want your presentations to look like you hired a professional designer, here’s how I made it happen.

Step 1: Tell It What You Want

I started by describing the scope of the presentation:

Create a slideshow presentation about Windows Hello forensics complete with graphics 
and text.

It should cover how to perform forensics on the Windows 11 Hello security feature.
Include slides on:

- History of Hello  
- The historical forensic challenge of identifying who is at the keyboard  
- A list of Windows Hello authentication methods  
- Where in the registry to find which authentication methods are enabled  
- What the event logs show for:
    - PIN login  
    - Fingerprint login  
    - Facial scan login  
- Where Windows Hello data is stored  
- How the stored data is protected  
- How the data can be accessed  

Also, include any other slides you think would be interesting.



It responded with a detailed outline of the slide contents—a sort of text storyboard. 

Step 2: Ask for the Presentation

So I followed up with: 

Turn this into a PowerPoint presentation with graphics you create for each slide.

 

This generated text-only slides. So I clarified further:

Yes, I would like all of the above as you find them most useful.
Generate all relevant graphics and insert them into the slides. 
Also give it a cyberpunk theme.

 

Step 3: Let It Build

It generated the first image, and I simply told it:

Finish all the slides and provide me the updated PPT with the graphics added in.

 

I had to say “continue” a couple of times to get it to finish the entire deck—but that was it! Afterward, I went in and added relevant technical facts, and the presentation was complete.

Looking back, I probably could have done it all in one prompt if I had been more specific. Still, I’m incredibly happy with the results—and I didn’t need any design skills to get there.
Read More
windows hello

Daily Blog #802: Windows Helllo Forensics presentation

 


Hello Reader,

 Today I gave a presentation on Windows Hello Forensics to the HTCIA Northeast chapter. I wanted to share the presentation here for the attendees and anyone else interested in seeing it all the prior blog posts data in one place. 

If you like the slides I made them using Chat GPT 4o and I'll go through the prompts I used in tomorrows blog!

You can download them here: 

https://docs.google.com/presentation/d/1hDpBJgh6V21diSxY8Lei8gfgshwYnYpW/edit?usp=sharing&ouid=104808728995007755708&rtpof=true&sd=true

Read More
Subscribe to: Posts ( Atom )