Showing posts from November, 2018

TeraCopy: A Forensic Analysis (Part 2)

In part one we went over the details found in the "main.db" file for TeraCopy. Here we will review what the History folder looks like. It can be found here:
Each individual job that was run gets its own History DB file. The naming convention as previously shown
The DB file contains 15 columns as shown below:

Source - File/folder name of the source
Offset - Start index position of the file/folder name within the source folder location
State - The state of the operation per file/folder: 0 - Added, 1 - OK, 2 - Verified, 3 - Error, 4 - Skipped, 5 - Deleted, 6 - Moved
Size - Size of the file in bytes
Attributes - Properties of the individual files (source)
IsFolder - Whether the entry is a folder: 0 - No, 1 - Yes
Creation, Access, Write - The created, accessed, and modified dates of the file/folder in Julian format
SourceCRC - Hash of the file (MD5 by default)
TargetCRC - Verification hash recorded after the operation completes (not on by default)
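As an added example (not code from the original post), here is a Python parser for the column layout above. It assumes the History DB is a SQLite file with a table named `Files` (both are assumptions; check with `.tables` in the sqlite3 shell), treats `Offset` as the index where the file name starts within `Source`, and builds a constructed sample database in memory so it runs offline.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# State codes as documented in the post.
STATES = {0: "Added", 1: "OK", 2: "Verified", 3: "Error",
          4: "Skipped", 5: "Deleted", 6: "Moved"}

# Julian Day 2440587.5 is 1970-01-01T00:00:00 UTC.
UNIX_EPOCH_JD = 2440587.5


def julian_to_utc(jd):
    """Convert a fractional Julian Day number to an aware UTC datetime."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(days=jd - UNIX_EPOCH_JD)


def parse_history(conn, table="Files"):
    """Decode every row of a history DB into a dict with readable state and timestamps.
    Table name is an assumption. 'verified' is True only when both hashes exist and agree."""
    cols = ("Source, Offset, State, Size, Attributes, IsFolder, "
            "Creation, Access, Write, SourceCRC, TargetCRC")
    out = []
    for src, off, state, size, attrs, isdir, cre, acc, wri, scrc, tcrc in \
            conn.execute(f"SELECT {cols} FROM {table}"):
        out.append({
            "path": src,
            "name": src[off:],  # assumption: Offset = start index of the name in Source
            "state": STATES.get(state, f"Unknown({state})"),
            "size": size, "attributes": attrs, "is_folder": bool(isdir),
            "created": julian_to_utc(cre).isoformat(),
            "accessed": julian_to_utc(acc).isoformat(),
            "modified": julian_to_utc(wri).isoformat(),
            "source_crc": scrc, "target_crc": tcrc,
            "verified": bool(tcrc) and scrc == tcrc,
        })
    return out


def build_sample_db():
    """Constructed sample history DB (not a real TeraCopy artifact) for demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (Source TEXT, Offset INTEGER, State INTEGER, Size INTEGER,"
                 " Attributes INTEGER, IsFolder INTEGER, Creation REAL, Access REAL, Write REAL,"
                 " SourceCRC TEXT, TargetCRC TEXT)")
    conn.executemany("INSERT INTO Files VALUES (?,?,?,?,?,?,?,?,?,?,?)", [
        ("C:\\Users\\jdoe\\Docs\\plan.docx", 19, 2, 4096, 32, 0,
         2458433.5, 2458433.75, 2458433.5, "d41d8cd9", "d41d8cd9"),   # verified copy
        ("C:\\Users\\jdoe\\Docs\\old.xlsx", 19, 3, 2048, 32, 0,
         2458400.0, 2458400.0, 2458400.0, "abcd1234", None),          # errored, no target hash
    ])
    return conn


if __name__ == "__main__":
    for row in parse_history(build_sample_db()):
        print(row["state"], row["name"], row["created"], "verified" if row["verified"] else "")
```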

TeraCopy: A Forensic Analysis (Part 1)

TeraCopy is a great file transfer tool that I have been using for years because it was always faster than the Windows built-in copier and allowed pausing/resuming, along with many other features Microsoft lacked in Win7 (Win10 has added some of those). The other big thing it was helpful with was that TeraCopy would keep all the original date/time stamps of the documents regardless of whether you used copy or move, which was very helpful for keeping the forensic validity intact.

For information on the interface, you can find screenshots and descriptions here.

A recent case took me down the path of seeing if a user had stolen documents after they left the company for a possible competitor. My first instinct was to look at the usual locations: USB history, the Recent folder and LNKs, shellbags, and Outlook/webmail. I noticed activity showing that a USB drive was plugged in a week prior to the user's departure date, as well as some shellbag activity showing folder structuring into what that USB…

BSidesDE 2018 Recap

I had the pleasure of going to one of my local BSides conferences down in Delaware this weekend. It's my third year going to this specific one, and to me the talks keep getting better each year. Below are just a few takeaways from the talks I went to. A full list of talks can be found here.

Bryan Inagaki kicked things off with the keynote. He stressed having a good work-life balance, which is always welcome from my perspective (TAKE THAT PTO).
[Talk Link]

Next up was @nightwatchcyber showing off some research on Android bugs that he has disclosed to Google. It was interesting to see how your location can be tracked through your Wi-Fi signal. [Talk Link]
Brandon Keath discussed ethical hacking and some simple tools and techniques you can use to get started. [Talk Link]
Robert Simmons (@MalwareUtkonos) spoke on how you can group malicious files into families and how some AV providers use the same scanning engines. He also went through some tools for analysis. [Talk Link]