Wednesday, September 26, 2018

Edge browser about:config

Recently I became curious about what you can configure in the Edge browser. In this short post I’m going to talk about about:config in the Microsoft Edge browser. The options are limited but helpful.

Privacy over VPN?

  • WebRTC. What is WebRTC? It is an API that lets JavaScript do a lot of things. You can check a box to hide your local IP address over WebRTC connections; simply check this box. If you are on a VPN this may help reduce the exposure of your computer’s IP address in Edge and in Windows apps that use Edge.
  • Make sure “Allow Adobe Flash localhost loop-back” is unchecked. Unchecked should be the default.
  • Turn on “View Source” to look at the page source like you can in Firefox.
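One way to check what the WebRTC setting actually changes is to look at the ICE candidates your browser hands out (a WebRTC diagnostics page or the browser's WebRTC internals will list them) and see whether any host or reflexive candidate still carries an RFC 1918 or link-local address. The classifier below is an added example, not code from the post; it is in Python because the rest of this blog's tooling is, and the candidate lines are constructed samples in the standard `candidate:` SDP syntax rather than captured output.

```python
import ipaddress
import re

# Constructed ICE candidate lines in "candidate:" SDP syntax (RFC 5245 / RFC 8839),
# as you would copy them from a WebRTC diagnostics page. Addresses are made up:
# 192.168.1.23 is an RFC 1918 LAN address, 203.0.113.7 is a documentation address
# standing in for the VPN/public address, and the .local name is an mDNS-obfuscated host.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
    "candidate:2 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 192.168.1.23 rport 51234 generation 0",
    "candidate:3 1 udp 2122260223 4f2a1c3e-8b7d-4e55-9d0c-1f9f0c6a2b11.local 51235 typ host generation 0",
]

CAND_RE = re.compile(
    r"^candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<type>\S+)(?P<rest>.*)$"
)

# Address ranges that identify the machine or its LAN rather than the VPN endpoint.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                    # link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]


def classify_address(addr: str) -> str:
    """'mdns' for obfuscated .local names, 'private' for LAN/link-local/loopback,
    'public' for anything else that parses as an IP, 'unknown' otherwise."""
    if addr.endswith(".local"):
        return "mdns"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    if any(ip in net for net in LOCAL_NETS):
        return "private"
    return "public"


def find_local_ip_exposure(candidates):
    """Return (candidate type, address) pairs that reveal a local address.
    The raddr field of a server-reflexive candidate is checked too, because it
    repeats the local address even when no host candidate is published."""
    exposed = []
    for line in candidates:
        m = CAND_RE.match(line)
        if not m:
            continue
        if classify_address(m.group("addr")) == "private":
            exposed.append((m.group("type"), m.group("addr")))
        r = re.search(r"raddr (\S+)", m.group("rest"))
        if r and classify_address(r.group(1)) == "private":
            exposed.append((m.group("type") + "/raddr", r.group(1)))
    return exposed


if __name__ == "__main__":
    for kind, addr in find_local_ip_exposure(SAMPLE_CANDIDATES):
        print(f"local address exposed via {kind}: {addr}")
```

With the sample list the first two candidates report the LAN address (once directly, once through `raddr`), while the mDNS-style `.local` candidate is treated as hidden. After enabling the Edge option, re-collect the candidates and expect the list to come back empty.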

by Dave via EasyMetaData

Monday, August 27, 2018

Security Onion is what #SIEM @securityonion #dfir #infosec

It’s been a while since I have written a post. I need to write something so I figured I’d write about what takes up most of my days… Honestly, a lot has happened in my personal life. I got married, purchased a house and I’m expecting a baby. So it doesn’t take much imagination to guess where my free time has gone.

I have also branched out beyond disk-based forensics to SIEM (Security Information and Event Management) using a product called Security Onion. I have a networking and Linux background, so the concepts weren’t at all foreign to me. It took a while to get my head around it though. The layers of integrated products built on top of Security Onion took a lot more time to learn than I expected. What I learned was that when you are new to it you will fail, repeatedly at first.

What drew us in were a couple of things we needed: #1 it’s free, #2 it scales and #3 it uses Logstash/Elasticsearch/Kibana, so it’s flexible and JSON friendly.

Security Onion has been around a long time, nearly 10 years based on the first post on the Security Onion blog back in 2008. But what really made it interesting to us was the impending switch to Logstash/Elasticsearch/Kibana.

Since I started the implementation it has moved from experimental to production with Kibana. The full switch away from ELSA to Kibana allows the flexibility you expect from Elastic. Also helpful, new releases come out regularly; I find that to be a sign of a strong and active community behind the project.

The documentation is decent if you already understand the product well. The Google Groups are only modestly helpful, however, and a lot of the learning requires trial and error along with a strong understanding of Linux, syslog, networking and Elastic.

Anyway, if you are doing Security Onion stuff and want to connect feel free to ping me on Twitter. I am still learning and can use all the help I can get. If there is a Slack group out there let me know!

-Dave


by Dave via EasyMetaData

Tuesday, November 28, 2017

Mounting images in macOS (mac4n6)

Sarah Edwards (mac4n6) has a nice quick write-up of the latest techniques for mounting various disk images when you are using a macOS computer. I’ve dealt with many of these issues, including Core Storage and encrypted FileVault disk images. It’s great to see more info out there!

Link to mac4n6 article

http://ift.tt/2zt6Nsx


by Dave via EasyMetaData

Tuesday, October 31, 2017

FindUSBMSC updated – v20171030

I’ve updated FindUSBMSC to allow it to handle corrupted gzip files. You can find the latest version on my GitHub page at the link below.

Download

Here’s where you can get version v20171030

Change log

# v20171026 – Fixes issue with gzipped logs not being processed due to wrong variable being returned.
# v20171030 – Add code to allow gzip to ignore CRC errors in gzipped logs

Enjoy!


by Dave via EasyMetaData

Tuesday, October 17, 2017

Update to FindUSBMSC.py for #macos #USBMSC parsing #dfir

FindUSBMSC is a script to parse the system logs on macOS. It looks for USB mass storage (USBMSC) device plug-in events and links them back to the product information (vendor and product IDs). This release includes some important fixes and improvements.

# v20171016 – Logic cleanup. Improve pid and vid parsing. Added list of unique devices. Added options parser.
# v20171017 – Add option to parse any file or just system log files. Useful for carved logs.
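The two pieces this release and the v20171030 update above add up to are (1) pulling vendor/product IDs and serials out of the `USBMSC Identifier` kernel lines and de-duplicating devices, and (2) still getting text out of a rotated `system.log.N.gz` whose CRC trailer is damaged, which matters for carved logs. The script below is an added example written for this post, not FindUSBMSC's own code: the log lines are constructed samples in the shape of the macOS kernel message (the exact field layout is assumed from memory of system.log), and the CRC-tolerant reader works by skipping the gzip header and inflating the raw deflate stream so the trailer is never checked.

```python
import gzip
import re
import zlib
from collections import OrderedDict

# Constructed sample of macOS system.log lines. The "USBMSC Identifier" layout
# (serial, 0xVID, 0xPID, 0xREV) is assumed from memory; device values are made up.
SAMPLE_LOG = (
    "Oct 16 09:12:01 mac kernel[0]: USBMSC Identifier (non-unique): 4C530001071216118354 0x781 0x5583 0x100, 2\n"
    "Oct 16 09:12:02 mac kernel[0]: some unrelated message\n"
    "Oct 16 11:40:17 mac kernel[0]: USBMSC Identifier (non-unique): 0123456789ABCDEF 0x951 0x1666 0x110, 3\n"
    "Oct 17 08:00:00 mac kernel[0]: USBMSC Identifier (non-unique): 4C530001071216118354 0x781 0x5583 0x100, 2\n"
)

USBMSC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*USBMSC Identifier \(non-unique\): "
    r"(?P<serial>\S+) 0x(?P<vid>[0-9a-fA-F]+) 0x(?P<pid>[0-9a-fA-F]+) 0x(?P<rev>[0-9a-fA-F]+)"
)
GZIP_MAGIC = b"\x1f\x8b"


def _deflate_offset(data: bytes) -> int:
    """Walk the RFC 1952 gzip header and return where the deflate payload starts."""
    if data[:2] != GZIP_MAGIC or data[2] != 8:
        raise ValueError("not a gzip/deflate stream")
    flags, pos = data[3], 10
    if flags & 0x04:                                   # FEXTRA
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    if flags & 0x08:                                   # FNAME, NUL-terminated
        pos = data.index(b"\x00", pos) + 1
    if flags & 0x10:                                   # FCOMMENT, NUL-terminated
        pos = data.index(b"\x00", pos) + 1
    if flags & 0x02:                                   # FHCRC
        pos += 2
    return pos


def inflate_ignoring_crc(data: bytes) -> bytes:
    """Decompress a gzip member without checking its CRC32/ISIZE trailer.
    A raw-deflate decompressor stops at the end-of-stream marker and leaves the
    trailer in unused_data, so a corrupted trailer never raises."""
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
    out = d.decompress(data[_deflate_offset(data):])
    try:
        out += d.flush()
    except zlib.error:
        pass                                           # truncated body: keep what we got
    return out


def read_log(raw: bytes) -> str:
    """Return log text from plain or gzipped bytes, falling back to the
    CRC-tolerant path only when the strict gzip reader rejects the file."""
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)                 # strict: verifies CRC and length
        except (OSError, EOFError, zlib.error):
            raw = inflate_ignoring_crc(raw)
    return raw.decode("utf-8", errors="replace")


def parse_usbmsc(text: str) -> list:
    """Every USBMSC plug-in event as a dict with timestamp, serial, VID and PID."""
    events = []
    for line in text.splitlines():
        m = USBMSC_RE.search(line)
        if m:
            events.append({"time": m.group("ts"), "serial": m.group("serial"),
                           "vid": int(m.group("vid"), 16), "pid": int(m.group("pid"), 16)})
    return events


def unique_devices(events: list) -> list:
    """Collapse repeated plug-ins of the same (VID, PID, serial) to first-seen time."""
    seen = OrderedDict()
    for e in events:
        seen.setdefault((e["vid"], e["pid"], e["serial"]), e["time"])
    return [{"vid": k[0], "pid": k[1], "serial": k[2], "first_seen": t} for k, t in seen.items()]


def corrupt_gzip_crc(data: bytes) -> bytes:
    """Flip a byte of the CRC32 trailer to simulate a damaged or carved log."""
    b = bytearray(data)
    b[-8] ^= 0xFF
    return bytes(b)


def demo() -> dict:
    """Round-trip the sample through good and CRC-damaged gzip and parse it."""
    good = gzip.compress(SAMPLE_LOG.encode())
    bad = corrupt_gzip_crc(good)
    strict_ok = True
    try:
        gzip.decompress(bad)
    except OSError:
        strict_ok = False                              # BadGzipFile: CRC check failed
    text = read_log(bad)
    events = parse_usbmsc(text)
    return {"strict_reader_accepts_bad_crc": strict_ok, "recovered": text == SAMPLE_LOG,
            "events": len(events), "devices": len(unique_devices(events))}


if __name__ == "__main__":
    print(demo())
```

The strict reader is tried first so an intact log still gets its integrity check; only a file the standard library rejects goes through the raw-deflate path. Because a carved log may also be truncated mid-stream, the tolerant reader keeps whatever it inflated before the stream ran out rather than discarding the file.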

You can download the latest v20171017 from the following locations:

http://ift.tt/2gLBnpY or

http://ift.tt/2ig9CcH


by Dave via EasyMetaData

Monday, August 28, 2017

Visual Studio registry artifacts – part 2 – MRU Items #DFIR

Welcome back to a review of Visual Studio registry artifacts. In Part 1 I discussed “Find & Replace” as well as the Visual Studio 2017 registry hive that is separate from the NTUSER.DAT (HKCU). In this post I want to briefly show you that Visual Studio keeps its own Most Recently Used item lists. Below you can see two categories: the “MRUItems” that capture activity throughout Visual Studio, and another MRU under “SourceControl\History\…\ItemMRU”.

MRUItems – Most Recently Used Items

These lists can show you a variety of MRU items. Granted, my testing of the variety of items that are captured is limited; here are a number of items I have observed:

  • Modules such as “xamarin”
  • Access to source code repositories including hosted TFS and GIT repositories
  • NuGet repositories

The “Items” list below shows access to various source code repositories (screenshot not reproduced here).


SourceControl MRUs

The source control MRUs can be found in “\Visual Studio\<VS #>\SourceControl\TeamFoundation\History\…\ItemMRU”. This MRU does basically what the name implies: it shows user access to source code repositories. Specifically, it shows user access to Team Foundation source code repositories. There are a couple of repository types, Team Foundation Server (TFS) and Git. The TFS can be a local server or a hosted account on visualstudio.com.


This information is rather specialized but it’s yet another place to look for user activity in your review of a system. I hope you find this information helpful.
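When reviewing a system you often end up with a Regedit export (.reg) of the Visual Studio hive rather than the hive itself, and the MRU keys described in this post are easy to pull out of that text. The parser below is an added example and not part of this post or of any Microsoft tooling: the sample export is constructed, its key paths and entry strings are made up for the demo (only the `MRUItems` and `ItemMRU` key names come from the post), and it keeps only string values because that is what the MRU slots hold.

```python
import re

# Constructed Regedit-style export. Key paths, GUIDs and values are invented for
# this example; only the MRUItems / ItemMRU key names come from the post above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\VS2017_EXAMPLE\Software\Microsoft\VisualStudio\15.0_EXAMPLE\MRUItems\{00000000-0000-0000-0000-000000000000}\Items]
"0"="xamarin"
"1"="https://example.visualstudio.com/DefaultCollection"
"2"="https://github.com/example/repo.git"

[HKEY_USERS\VS2017_EXAMPLE\Software\Microsoft\VisualStudio\15.0_EXAMPLE\SourceControl\TeamFoundation\History\example\ItemMRU]
"0"="$/Project/Main/src/app.cs"
"1"="$/Project/Main/src/util.cs"

[HKEY_USERS\VS2017_EXAMPLE\Software\Microsoft\VisualStudio\15.0_EXAMPLE\Unrelated]
"Setting"=dword:00000001
"Path"="C:\\Users\\example\\source"
'''

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
MRU_KEY_NAMES = ("MRUItems", "ItemMRU")


def unescape_reg(s: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: string}} for string (REG_SZ) values only;
    dword:/hex: values are skipped since MRU entries are strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("path")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = unescape_reg(m.group("value"))
    return keys


def _slot_order(name: str):
    """MRU slots are numeric value names; sort those first, in numeric order."""
    return (0, int(name), "") if name.isdigit() else (1, 0, name)


def mru_report(text: str) -> dict:
    """Map each MRU key path (any path component named MRUItems or ItemMRU)
    to its entries in slot order, most recent slot first."""
    report = {}
    for path, values in parse_reg_export(text).items():
        if not any(part in MRU_KEY_NAMES for part in path.split("\\")):
            continue
        report[path] = [values[n] for n in sorted(values, key=_slot_order)]
    return report


if __name__ == "__main__":
    for path, entries in mru_report(SAMPLE_REG).items():
        print(path)
        for i, entry in enumerate(entries):
            print(f"  [{i}] {entry}")
```

A .reg export carries no key last-write times, so if you need to date the MRU activity you have to go back to the hive file itself (privateregistry.bin for VS 2017, or NTUSER.DAT for older versions) with a hive parser that exposes key timestamps.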



by Dave via EasyMetaData