After extracting data from Google Chrome last month, the next stop on our journey into the eye-opening world of Windows forensics is retrieving the user’s Firefox history to see which websites they’ve been visiting in Mozilla’s browser.
Web browsing data can tell an analyst a lot about what happened on a system before they got their hands on it. Here’s how to extract the history of the most popular browser – Google Chrome – with a new Python module for our forensics tool.
This month’s new module for the MCAS Windows Forensic Gatherer queries the Windows Security event log to gather information on the user’s logon and logoff activities, helping us to determine exactly when they were using the system.
Splunk is a powerful tool, but with so many available functions and hit-and-miss coverage on forums it can sometimes take some trial and error to get queries right. Here’s what I pieced together to perform a count on a subset of events and group the data by two fields…