Hasty Scripts: Summarizing Installed Applications on Encrypted VMs

Virtual machines are everywhere and no longer confined to the corporate environment; it is not unusual for consumers to run virtualization software on their personal devices. Examining these VMs does not differ much from a normal host investigation: tools like FTK Imager support the common virtual disk formats and can be used to preserve and review them. But what happens when a VM is encrypted and password-protected? Add an uncooperative custodian and it may be time for a more creative solution. Thankfully, VMware, a popular virtualization program, creates an artifact on the host operating system that gives us insight into which applications are installed on the VM.


Hasty Scripts: Box Edit Log Parser

How often are you tasked with reviewing large data sets in less-than-ideal (or even terrible) formats? Everyone has likely had to review a log containing many tens of thousands of lines at one point or another. We may not have the time, the budget, or the patience to review every line in a text editor. What do you do?


Cloud Forensics: Box Part 1

Cloud storage, like email before it, has gained wide acceptance and general adoption by consumers. Whether it is Google Drive, Amazon Drive, iCloud, Dropbox, or OneDrive, there are abundant options to choose from. One reason these services have become popular is the ease with which you can share and access important files on any device. That same benefit, however, can be used with malicious intent to exfiltrate data from corporate or otherwise protected environments. In this post, we will explore the Box cloud service on Windows and discuss the artifacts created as a by-product of its usage.


Legal Review: What Programs were Run?

The Legal Review series answers questions often posed about evidence with high-level descriptions of forensic artifacts.

What programs were run on the machine? This common question is relevant in most investigations. Application execution gives insight into the normal usage of a particular computer. Just as importantly, examining the forensic artifacts associated with application usage can also reveal abnormal behavior. Knowing what a user did regularly, or in the period immediately before their departure from a company, can be telling. Did they use a wiping utility to cover their tracks? Did they use cloud software to extract intellectual property? For our purposes, we will discuss this in the context of Windows operating systems and the Prefetch and UserAssist artifacts.
