Incident Response – EasyMetaData

MetaDiver 3.1.1 is released

By DaveJune 16, 2017apache tika, C#, coding, Computer Forensics, Discovery, doc, docx, Early case assessment, elastic search, email, eml, eml, exiftool, Incident Response, information security, infosec, MetaData, metadata, MetaDiver, msg, pdf, pst, pst, xlsx#eca, dfir, infosec, metadata

The latest version of MetaDiver is available for download. Download: Metadiver 3.1.1 Numerous improvements from previous release. Using the latest version is highly recommended! Changelog v3.1.1 (build 1623) -bugfixes to paging in Review window -fix to keyword search not pulling back hits in some cases -prevent empty line in keywords on save -performance optimizations -resized

Disk Access in Python with libtsk (by HECF Blog)

By DaveFebruary 25, 2015Electronic Discovery, ewf, forensic image, Forensics, Incident Response, libtsk, Mac, python, raw, The Sleuth Kit

If you have ever been looking for a way to access your computer disk without having to deal with user permissions and constrains the operating system enforces then this is the series to read. David Cowen is working on an excellent series called “Automating DFIR” (Digital Forensics Incident Response) on his blog “Hacking Exposed Computer

Quick #PowerShell to find certificates with #Superfish

By DaveFebruary 19, 2015Incident Response, Malware, PowerShell

Right now a lot of IT admins are running around looking at laptops for a nasty cert that comes pre-installed from a certain manufacturer. You can read what all the uproar is about from the article below. My PowerShell needed a little refresh so this was a fun exercise. Here is a quick way

Kerberos service password reset script available from Microsoft

By DaveFebruary 16, 2015Incident Response, Kerberos, PowerShell

Microsoft blog has posted a link to PowerShell script for resetting the password to the Kerberos krbtgt service on active directory to deal with the golden ticket issue. Just make sure the password gets changed twice. Post: http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/ PowerShell Script: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 Here’s a script to the Kerberos Golden Ticket Check script from Microsoft to help

New version of ShadowKit v1.7 Released!

By DaveAugust 21, 2014Discovery, Electronic Discovery, Forensics, Incident Response, ShadowKit, Volume Shadow Copy, VSC, VSS

I’ve made a few changes to ShadowKit to address feedback from users! (I know, finally) The changes that have been made are (changelog): *Exporting no longer uses numeric folders (0,1,2,x). Files are exported directly to the folder you have chosen for the exported files. *Fixed the Export Complete Dialogue so that it is now always

Unleashing IIS Log Analysis – Part 2 of Series

By DaveApril 28, 2014Forensics, IIS, Incident Response, LogParser, MetaData, metadata, Microsoft SQLServer

Welcome to part two of Unleashing log file analysis. In the last post I talked about the power of using LogParser to transform your Windows Event Logs. In this post I want to talk about using LogParser to transform your IIS Logs! So a quick recap from Part 1 of why I think LogParser is

Unleashing Eventlog Analysis with LogParser – Part 1

By DaveApril 25, 2014Databases, event logs, Forensics, Incident Response, Microsoft SQLServer

We all have to work with event logs on a regular basis. There are a lot of ways to tackle event logs and today I want talk about using LogParser with Event logs. LogParser isn’t new, it’s been around for years but I haven’t heard of many people using it in there investigations. This is

EasyMetaData

Powerful access to data

Category Archives: Incident Response