Insights

An Adventure in Cached Windows Domain Password Recovery

Who in DFIR doesn’t like a good challenge?

We had a case recently in which modifications made to a Windows XP Registry, and the impact of those changes on the environment of a particular domain account, were quite important. Digital forensics practitioners on the other side of our case developed their findings on this issue by virtualizing a forensic image obtained from the computer and logging into it with a local account, rather than the domain account in question. Why?

[…]

Collecting Quick Look Data From a Live macOS System

After reading about how to manually analyze Quick Look data, we’re sharing with you a method to collect Quick Look data on a live macOS machine so you can test and validate cached data yourself!

Check out our walkthrough video and the steps following:

Arsenal Quick Look Cache Parsing Video

[…]

Quick Look Cache Parsing

In our intellectual property theft investigations, our clients will often ask us about specific file names they care about, especially when data theft or destruction is suspected. Often these files are keys to the kingdom: proprietary engineering plans, customer lists, or confidential financial information.

[…]

Unique Windows Registry data in Fast Boot hibernation and hive transaction logs

I was asked to take a recent flurry of Tweets and turn them into an Insights post with more detail. So, here goes!

We have spent some time at Arsenal looking at particularly important Windows Registry keys which are sometimes only found, in their most recent state, within Fast Boot hibernation and/or Registry hive transaction logs. In other words, these are important Registry keys that you may not find in their most recent state within active hives. We focused on important keys because it makes the situation more relatable to our colleagues in digital forensics. In this Insights post, we are further focusing on the following key from the SOFTWARE hive:

Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

[…]

Integrating Arsenal Image Mounter Source Code and APIs

Arsenal Image Mounter was born when we found existing disk image mounting technology lacking during the development of our premier digital forensics tool, Registry Recon. Having spent a lot of time in the position where a more powerful disk image mounter would take our own project to the next level, we offer the Arsenal Image Mounter source code and APIs to commercial projects under an appropriate license and to open source projects royalty free.

[…]

Case Study in Successful Dash Cam Video Repair

In late December 2017 I was alerted to someone looking for help to repair a damaged video from a dash cam, a video which may have captured a horrible accident.

[…]

Arsenal Consulting’s President Selected to Open the OverDrive Hacking Conference

Attendees Will Learn About Electronic Evidence Tampering that Evaded Detection by Digital Forensics Experts

Mark Spencer, President of Arsenal Consulting (ArsenalExperts.com), has been selected to open the OverDrive hacking conference in Spain on April 18 with the most recent version of his award-winning presentation “High Stakes Evidence Tampering and the Failure of Digital Forensics”. The OverDrive conference is focused on enhancing the camaraderie of the worldwide hacker community by connecting people involved in many different aspects of computer security.

[…]

Windows Hibernation Infographic

Why did we design the Windows hibernation infographic?

You can imagine how many emails we get about Windows hibernation files since we released Hibernation Recon. We noticed some misconceptions being repeated in these emails, so we decided to address them in an infographic that the digital forensics community could use as a resource and help us improve. We consider the infographic we are launching today to be the first version, as we already have more than enough interesting information to include on the reverse side of our second version.

[…]