Posts

Plaso 20260512 released

The Plaso team is delighted to announce a new Plaso release, 20260512. This release has a mixture of new features and under the hood improvements.

Notable changes

- Added support for Apple MobileBackup plist (#4916) with thanks to @rizabudi
- Added support for iOS WiFi Known Networks plist (#4925) with thanks to @CopasAlpha26
- Added support for iOS Accounts (Accounts3.sqlite) SQLite database (#4926) with thanks to @studiawan
- Added support for IMO HD chat SQLite database (#4927) with thanks to @agusgiinarsa
- Added support for Apple Burner (burners.sqlite) SQLite database (#4928) with thanks to @brokamal and @SanGit56
- Added support for Android Native Downloads (downloads.db) SQLite database (#4929) with thanks to @ChristopherGammaWau and @barpeot
- Added support for Android App Launch (SimpleStorage) (#4930) with thanks to @FathanAbi and @BeefRa
- Added support for iOS SIM information plist (com.apple.commcenter.data.plist) (#4931) with thanks to @f...

“Forensics tools” where are your tests?

In the context of digital forensics and incident response (sometimes referred to as DFIR) I regularly see claims about the latest “forensics tools”, “forensics data formats” or “court approved tools”. These claims are mere speculation (or hallucinations, so to speak) when they are not accompanied by reproducible tests.

Digital forensics must ensure that its findings are reliable enough to influence legal outcomes that affect human liberty and significant financial assets. The transition from "computer equipment" to "forensic evidence" requires a process that is transparent, auditable, and grounded in the scientific method. Key to a scientific finding is that it can be replicated independently. In the context of digital forensics, this requirement is divided into two distinct but related concepts: Repeatability, which refers to the consistency of results when the same examiner uses the same tool on the same samp...

Plaso 20260119 released

The Plaso team is delighted to announce a new Plaso release, 20260119. This release has a mixture of new features and under the hood improvements.

Notable changes

- Changes for compatibility with OpenSearch 2.5 and later (#4997) with thanks to @jaegeral
- Added support for Firefox 118+ download end time (#5019) and improvement to AppCompatCache parser (#5025) with thanks to @Spferical
- Changes to use pyproject.toml (#5015)
- Changes to Windows EventLogs parameter expansion (#5023)

The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone.

Upcoming changes in future releases

- Extend support for Windows 10 push notification databases (#4458)
- Continued work on pre-processing and knowledge base (#4543)
- Move image export to the dfImageTools project (#1)

Where/how to get Plaso 20260119? See Plaso's Users' Guide. The development team recommends using Docker to install Plaso without hassle. If Docker does...

Plaso 20250918 released

This post has been pending for a while, but the Plaso team is delighted to announce a new Plaso release, 20250918. This release has a mixture of new features and under the hood improvements.

Notable changes

- Added motherboard information Windows Registry plugin (#4953) with thanks to @elad-levi-cyberark
- Changes to image export to map extracted files to artifact definitions (#4949) with thanks to @sa3eed3ed
- Changes to Google Cloud audit logs parser (#4923) with thanks to @roshanmaskey
- Changed amcache.hve parser to extract file identifier and application key modification time (#4942) with thanks to @coperni
- Changes to IIS parser (#4904, #4910, #4911) with thanks to @pyllyukko
- Changes to run plaso as user in Docker (#4975)

The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone.

Upcoming changes in future releases

- Extend support for Windows 10 push notification databases (#4458)
- Continued work on pre-p...

Less is More

I found /usr/bin/lesspipe.sh and ~/.lessfilter.

⚠️ This post is in no way detailing a vulnerability or exploit. I am sharing a novel persistence mechanism that I was not aware of until recently. I am writing this post because I do not believe many defenders — SOC, DFIR and system administrators alike — know about this. Neither MITRE ATT&CK nor GTFOBins.com includes this level of detail in their respective repositories, either.

Re-Introducing the less Command

The less program, normally located at /usr/bin/less, is a well-known pager that comes prebaked in *nix operating systems. The less program allows a user to view a file via mouse scroll, to regex search, and even list the contents of compressed archives. We’ll talk more about that last part later.

Recently I was perusing my environment variables (envar) on my Linux-based system and found this “.sh” file that was just screaming for me to investigate further.

env ...skipping LESSOPEN=||/usr/bin/lesspipe.sh %s PAG...