Posts

Plaso 20230717 released

By
  Plaso 20230717 released The Plaso team is delighted to announce a new Plaso release, 20230717. This release has a mixture of new features and under the hood improvements. Notable changes Support for Windows AppCompat PCA (Program Compatibility Assistant) log ( #4560 ) and Apple Unified Logging ( #4557 ) files with thanks to @Fryyyyy Support for Microsoft OneDrive log ( #4148 ) files with thanks to @sydp Support for PowerShell transcript log ( #4168 ) files with thanks to @FabFaeb Support for Siemens WinCC log ( #4585 ) files with with thanks to @rgayon Support for Firefox Cookie SQLite schema version 10 ( #4665 ), MSIE webcache cookies ( #4682 ), Chrome cache version 3 ( #4694 ) and changes to Chrome history parser to extract visit count ( #4644 ) with thanks to @chb2mn Changes to CUPS IPP parser to support no-value type ( #4671 ) Support for iOS data usage SQLite parser plugin ( #4672 ) and plist plugin parser for com.apple.identityservices.idstatuscache.plist ( #4673 ) with thanks
Post a Comment
Read more

What’s in a (file) path?

By
  What’s in a (file) path? Background For the experienced reader this might seem a very basic topic, however file paths are things we easily take for granted. I rarely come across DFIR articles that discuss (file) paths, though they are key to many file systems and data formats. There are numerous edge cases that make it challenging to ensure reproducibility [ 1 ] of paths in tooling. This article will cover several of these edge cases and possible ways of handling them.
Post a Comment
Read more

Plaso 20230226 released

By
Plaso 20230226 released The Plaso team is delighted to announce a new Plaso release, 20230226. This release has a mixture of new features and under the hood improvements. Notable changes Several improvements for IIS 10 log ( #4566 ), Automatic Destination ( #4568 , #4570 ), Custom Destination ( #4569 ) and PLS recall ( #4572 ) format edge cases. Added bloom (filter) database hash tagging analysis plugin ( #4527 ), with thanks to @xmco and @william-billaud . Removed various legacy/backwards compatibility components, like the text prepend option ( #4255 ). First steps of moving Plaso storage to an independent Python module named acstore . The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone .  Upcoming changes in future releases Support for PowerShell transcript log ( #4168 ) files with thanks to @FabFaeb  Support for Windows AppCompat PCA (Program Compatibility Assistant) log ( #4560 ) and Apple Unified Logging ( #4557 ) files with thanks to
Post a Comment
Read more

Power Automate

By
Image
Power Automate Authored by Godwin Attigah, copied with permission. Background Power Automate allows users to build flows with robotic process automation (RPA). Power Automate is powered by Microsoft Flow and Power Apps . The desktop version of the software-as-a-service (SaaS) is now available on all Windows 11 devices as a Windows Store Application.
Post a Comment
Read more

Plaso 20221229 released

By
Plaso 20221229 released The Plaso team is delighted to announce a new Plaso release, 20221229. This release has a mixture of new features and under the hood improvements. Notable changes The sources.conf configuration file has been moved to formatter configuration ( #4287 ). Updated the maximum worker limit to 99 ( #4312 ). Event generation has been split from event data extraction and can be configured using timeliner.yaml. Unified single-line and multi-line text parsers. Changes to the located parser with thanks to @sydp ( #4395 ). Added support for Safari Downloads.plist with thanks to @chb2mn ( #4486 ). Fix for an issue that did not surface before the 20221227 release with thanks to @william-billaud ( #4526 ). The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone .  Upcoming changes in future releases Additional improvements to Windows EventLog resource extraction and message formatting ( #4259 ). Various legacy/backwards compatibility co
Post a Comment
Read more

DFIR for good

By
December is typically the time of year we think of donating to charity. There are many ways we can help others, including with DFIR. The following is one of such tales authored by Assen Tasheff and copied with permission. Once upon a time Once upon a time there was a humanitarian aid organization. They had a limited budget to spend on commercial software therefore Linux was their operating system of choice. For DFIR they relied on a custom toolset that leveraged the Sleuth Kit (TSK) [ 1 ] in an EDR (live-response) solution. All was well. The EDR solution functioned flawlessly for years until the day came that their hardware needed to be upgraded. This hardware upgrade also forced the organization to upgrade their version of Linux. This is where the organization was confronted with (Linux) Logical Volume Manager or LVM. As a result their custom developed EDR solution stopped working. Although the organization could now enjoy faster hardware, they were left without a functioning DFIR sol
Post a Comment
Read more