Cyber Security posts

The Twitch streamer who wastes tech support scammers’ time
 -  Tech support scams – which attempt to extort money from vulnerable people by exploiting their lack of technical knowledge – are difficult to stop, but I recently discovered a Twitch streamer working to raise awareness of the threat. A few years ago, one of my family members fell victim to...
Python tools for Windows forensics: Mozilla Firefox browsing history
 -  After extracting data from Google Chrome last month, next on our journey into the eye-opening world of Windows forensics it’s time to retrieve the user’s Firefox history to see which websites they’ve been visiting in Mozilla’s browser. What is the Firefox history and how does it help our investigation? I’m...
Investigating external network connections with netstat and OSINT
 -  When investigating a potentially compromised Windows computer, as well as looking at logs, files, and processes, it’s important to check its current network connections. Here’s how to retrieve that data with netstat and make sense of it. Gathering data with netstat First, open a Command Prompt window and use netstat...
Python tools for Windows forensics: Microsoft Office recent files
 -  Adding to our growing Python forensics tool for Windows, let’s take a look at any Microsoft Office documents the user has recently opened and when they were first and last opened, and add all of this information to our timeline. What are Office files and how do they help our...
Python tools for Windows forensics: Extracting a user’s Google Chrome history
 -  Web browsing data can tell an analyst a lot about what happened on a system before they got their hands on it. Here’s how to extract the history of the most popular browser – Google Chrome – with a new Python module for our forensics tool. What is the Chrome...
Python tools for Windows forensics: Windows Security event log
 -  This month’s new module for the MCAS Windows Forensic Gatherer queries the Windows Security event log to gather information on the user’s logon and logoff activities, helping us to determine exactly when they were using the system. What is the Windows Security event log and how does it help our...
Python tools for Windows forensics: Deleted files in the Recycle Bin
 -  In a previous post I began building a Python tool that gathers Windows forensic artefacts and parses them into a timeline. In that post I wrote a function that gathers Windows Prefetch application data – this time, let’s take a look at the Recycle Bin. What is the Recycle Bin...
Cyber skills gap: Raising awareness of cyber security opportunities
 -  We’re making progress in training the next generation of cyber security professionals, but for young people to take that training and learn the right skills in the first place they need to be aware of the opportunities available to them in the industry. I was asked to attend a SANS Cyber...
Python tools for Windows forensics: Parsing Prefetch program data
 -  Bit by bit, I’m going to build a Python tool to scrape a Windows system disk image for common forensic artefacts and build a CSV timeline from the evidence gathered. In this first post, I’ll parse and add the data stored in Windows Prefetch files. On my recent SANS course...
Review – Threat Modeling: Designing for Security by Adam Shostack
 -  As I mentioned in my recent post about what I learnt in my first year as a cyber security consultant, I always keep an ebook handy on my phone so I can learn something new on long train journeys. Most recently, this has been Threat Modeling: Designing for Security. While my...

Thinking about

Website v2.0
I've given my website its first major update since 2020, keeping the same general aesthetic but placing a greater focus on content. Now to come up with some blog post ideas...

Interests

  • Cyber security
  • Tech
  • Python
  • PowerShell
  • JavaScript
  • F1
  • Reading
  • Writing
  • Psychology
  • Philosophy
  • Exercise
  • Running
  • Gaming
  • Football
  • Music
  • Guitar