Monday, August 27, 2018

Security Onion is what #SIEM @securityonion #dfir #infosec

It’s been a while since I have written a post. I need to write something so I figured I’d write about what takes up most of my days… Honestly, a lot has happened in my personal life. I got married, purchased a house and I’m expecting a baby. So it doesn’t take much imagination to guess where my free time has gone.

I have also branched out beyond disk based forensics to SIEM (or Security Information and Event Management) using a product called Security Onion. I have a networking and Linux background so the concepts weren’t at all foreign to me. It took a while to get my head around it though. The layers of integrated products built on top of Security Onion took a lot more time to learn than I expected. What I learned was that when you are new to it you will fail, repeatedly at first.

What drew us in were a few things we needed. #1 it’s free, #2 it scales and #3 it uses Logstash/Elastic/Kibana so it’s flexible and JSON friendly.

Security Onion has been around a long time, nearly 10 years based on the first blog post on the Security Onion blog back in 2008… But, what really made it interesting to us was the impending switch to Logstash/Elastic/Kibana.

Since I started the implementation, Kibana has moved from experimental to production. The full switch away from ELSA to Kibana allows the flexibility you expect from Elastic. Also helpful, new releases come out regularly… I find that to be a sign of a strong and active community behind the project.

The documentation is decent if you understand the product well. The Google Groups are only modestly helpful, however, and a lot of the learning requires trial and error along with a strong understanding of Linux, syslog, networking and Elastic.

Anyway, if you are doing Security Onion stuff and want to connect feel free to ping me on Twitter. I am still learning and can use all the help I can get. If there is a Slack group out there let me know!

by Dave via EasyMetaData

Tuesday, November 28, 2017

Mounting images in macOS (mac4n6)

Sarah Edwards (mac4n6) has a nice quick write-up with the latest techniques for mounting various disk images when you are using a macOS computer. I’ve dealt with many of these issues, including Core Storage and encrypted FileVault disk images. It’s great to see more info out there!

Link to mac4n6 article

by Dave via EasyMetaData

Tuesday, October 31, 2017

FindUSBMSC updated – v20171030

I’ve updated FindUSBMSC to allow it to handle corrupted gzip files. You can find the latest version on my GitHub page at the link below.

Here’s where you can get version v20171030

Change log

# v20171026 – Fixes issue with gzipped logs not being processed due to wrong variable being returned.
# v20171030 – Add code to allow gzip to ignore crc errors in gzip

by Dave via EasyMetaData

Tuesday, October 17, 2017

Update to for #macos #USBMSC parsing #dfir

FindUSBMSC is a script to parse the system logs on macOS. It looks for USBMSC storage device plug-in events and links them back to the product information. This release includes some important fixes and improvements.

# v20171016 – Logic cleanup. Improve pid and vid parsing. Added list of unique devices. Added options parser.
# v20171017 – Add option to parse any file or just system log files. Useful for carved logs.

You can download the latest v20171017 from the following locations: or
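As an added example (not the FindUSBMSC code itself), here is the pair of behaviours these two releases describe: matching “USBMSC Identifier” lines from a macOS system.log to unique vendor/product IDs, and reading a gzipped log whose CRC trailer is corrupt instead of aborting on it. The log line format and the sample lines are assumed and constructed for this example.

```python
import gzip
import re
import zlib

# Constructed sample lines in the "USBMSC Identifier (non-unique)" format used by
# older macOS system.log files (serial, vendor id, product id, revision); not real captures.
SAMPLE_LOG = (
    b"Oct 16 09:12:01 mac kernel[0]: USBMSC Identifier (non-unique): 0x1234567890 0x781 0x5571 0x100, 2\n"
    b"Oct 16 09:13:44 mac kernel[0]: USBMSC Identifier (non-unique): 0x1234567890 0x781 0x5571 0x100, 2\n"
    b"Oct 16 10:02:10 mac kernel[0]: USBMSC Identifier (non-unique): 0x55aa 0x951 0x1666 0x110, 2\n"
    b"Oct 16 10:05:00 mac kernel[0]: unrelated message\n"
)
USBMSC_RE = re.compile(
    rb"USBMSC Identifier \(non-unique\): (?P<serial>\S+) "
    rb"(?P<vid>0x[0-9a-fA-F]+) (?P<pid>0x[0-9a-fA-F]+) (?P<rev>0x[0-9a-fA-F]+)"
)


def gunzip_ignore_crc(data: bytes) -> bytes:
    """Inflate one gzip member without checking the CRC32/ISIZE trailer: skip the
    header by hand and inflate the body as a raw deflate stream (negative wbits)."""
    if data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip/deflate stream")
    flags, pos = data[3], 10                 # fixed 10-byte header
    if flags & 0x04:                         # FEXTRA: 2-byte length + payload
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    if flags & 0x08:                         # FNAME: NUL-terminated
        pos = data.index(b"\x00", pos) + 1
    if flags & 0x10:                         # FCOMMENT: NUL-terminated
        pos = data.index(b"\x00", pos) + 1
    if flags & 0x02:                         # FHCRC: 2-byte header CRC
        pos += 2
    return zlib.decompressobj(-zlib.MAX_WBITS).decompress(data[pos:])


def parse_usbmsc(log: bytes) -> list:
    """Return unique (vid, pid, serial) tuples in first-seen order."""
    seen = {}
    for line in log.splitlines():
        m = USBMSC_RE.search(line)
        if m:
            seen.setdefault((m["vid"].decode(), m["pid"].decode(), m["serial"].decode()), None)
    return list(seen)


def demo() -> tuple:
    # Damage the CRC32 of a gzipped log: gzip.decompress rejects it, the tolerant reader does not.
    gz = gzip.compress(SAMPLE_LOG)
    gz = gz[:-8] + bytes(b ^ 0xFF for b in gz[-8:-4]) + gz[-4:]   # flip the CRC32 bytes
    try:
        gzip.decompress(gz)
        stock_failed = False
    except (OSError, EOFError, zlib.error):
        stock_failed = True
    return stock_failed, parse_usbmsc(gunzip_ignore_crc(gz))
```

Because the trailer is never consulted, a truncated or carved log whose deflate stream is intact still yields every device line it contains.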

by Dave via EasyMetaData

Monday, August 28, 2017

Visual Studio registry artifacts – part 2 – MRU Items #DFIR

Welcome back to a review of Visual Studio registry artifacts. In Part 1 I discussed “Find & Replace” as well as the Visual Studio 2017 registry hive that is separate from the NTUSER.DAT (HKCU). In this post I want to briefly show you that Visual Studio keeps its own Most Recently Used Item lists. Below you can see two categories: the “MRUItems” that capture activity throughout Visual Studio, and another MRU under “SourceControl\History\…\ItemMRU”.

MRUItems – Most Recent Used Items

These lists can show you a variety of MRUItems. Granted, my testing of the variety of items that are captured is limited, but here are a number of items I have observed:

  • Modules such as “xamarin”
  • Access to source code repositories including hosted TFS and Git repositories
  • NuGet repositories

Below, the “Items” key shows access to various source code repositories.

SourceControl MRUs

The source control MRUs can be found in “\Visual Studio\<VS #>\SourceControl\TeamFoundation\History\…\ItemMRU”. This MRU does basically what the name implies: it shows user access to source code repositories, specifically Team Foundation source code repositories. There are a couple of repository types, Team Foundation Server (TFS) and Git. The TFS can be a local server or a hosted account on

This information is rather specialized but it’s yet another place to look for user activity in your review of a system. I hope you find this information helpful.

by Dave via EasyMetaData

Wednesday, August 2, 2017

Visual Studio registry artifacts – part 1 – find & replace #dfir

When you use Visual Studio it leaves a lot behind that is valuable to an investigator. In this post we briefly review the “Find and Replace” history that gets left behind.

Find and Replace

Registry location

“…\Software\Microsoft\VisualStudio\<version #>\Find”

Below you can see my Find history.

Why is it there? When you open the Ctrl+F find window you can see the text you searched for, and Visual Studio is likely just pulling it from the list of keys in the registry. Notice above that “listBoxControl1” shows up both in the registry and in the drop-down in Visual Studio 2015.

Where to find the “Find & Replace” history

I have not found any differences in the way the history is stored in 2017 vs. 2015, other than that it is outside the standard user hive in Visual Studio 2017. See below: 2017 keeps its own registry hive!

Visual Studio 2015 and prior

The history for “Find & Replace” is kept in “C:\Users\<username>\NTUSER.DAT”

Visual Studio 2017

In Visual Studio 2017 Microsoft moved the registry entries off into a separate regf (hive) called “privateregistry.bin”. I’m guessing this change is for cross-platform compatibility?

The hive path in my configuration is “C:\Users\<username>\AppData\Local\Microsoft\VisualStudio\15.0_3baffadb\privateregistry.bin”

*My configuration for testing is Visual Studio 2017 on Windows 10 Pro.

Wrapping up

When reconstructing user activity it’s important to think through all the possible sources of useful information. A lot of people write code these days, and Visual Studio is a popular tool due to its great IDE and the fact that it is free to use. The possible scenarios for why a user was using Visual Studio are numerous, from writing malicious software to source code re-use. Hopefully this helps in the quest to answer “what were they up to” next time you are looking.

*For registry analysis I recommend RegistryExplorer.

by Dave via EasyMetaData

Saturday, June 24, 2017

MetaDiver 3.1.2 released

MetaDiver 3.1.2 has been released! The latest is available for download.

v3.1.2 (build 1635)
-bugfix to button for mapping gps for pictures
-update settings mapping db default templates
-remove old “Type” column mapping from shortcuts
-cleanup tika logging for no metadata. Moved from error to debug log and removed error on individual null fields causing false positives.

by Dave via EasyMetaData