Matthew Seyer

@forensic_matt

DIGITAL FORENSICS - where every bit counts.

Colorado, USA
Joined: April 2010

Tweets

  1. Feb 3

    It's no GUI, but it does allow you to reformat and filter JSONL on the fly! Use it with the listener tools to make output a little easier to read! What does it look like when a file is wiped with tool x? Get binaries here:

  2. Retweeted, Jan 28

    I updated my APFS 010 hex editor template for my students doing APFS research. Will be beneficial for others too. Almost all known structures are in there now including encryption ones.

  3. Jan 27

    The event, usn, and mft listeners are now all in one spot and better than ever! Get them all here:

  4. Jan 26

    More major thanks to ! He helped me restructure some listening back end things so in the near future I will be able to pass values in real time to a GUI tool!! Beats seeing the JSON values fly by on the CLI.

  5. Retweeted, Jan 22

    Super grateful for the opportunity to speak about chaos with one of my favorite humans and partner in crime(fighting), ! Also live music & DFIRfit shenanigans with , , , , &

  6. Retweeted, Jan 22

    This Friday 1/24/20 the live at Noon CST (UTC -6) with talking about Unfurl and talking about automation workflows and the Magnet User Summit 2020!

  7. Retweeted, Jan 16

    Honored to be a part of the advisory board and to get to work with some of those who will be sharing their work. The CFP for the Summit is open:

  8. Jan 15

    Added USN monitoring to trigger when an MFT entry gets touched to allow for real-time MFT entry watching. The more I do this the more I realize how interdependent all these components are. In this example, I create a hardlink and see the MFT changes.

  9. Retweeted, Jan 14

    PSA: just got even faster on 0.6.5. Especially if you are running it under Windows (3x increase for `evtx_dump`)! Linux is also faster by 30-40%!

  10. Retweeted, Jan 10

    Friday wisdom: Find friends that want to geek out on the sort of stuff that everyone else says "um, so what" about.

  11. Jan 10

    Thanks and for the good time! If you want to play with the MFT comparison tool as featured, you can find it here: Special shout-out to . He makes cool things possible.

  12. Jan 7

    Want to play with the listen_mft tool? Get the compiled binary here: What attributes changed when I used Python to change the file handle's timestamps? It does require vcruntime140... sorry. Will get static compiling one of these days.

  13. Retweeted, Jan 7

    This Friday 1/10/20 at Noon CST (UTC -6) the with all your goodness.

  14. Jan 6

    When doing MFT entry comparison, separating the attributes by type.attribute_id does a better job at showing when an attribute of a certain type gets deleted/created and its new values. Next up? Use USN monitor to monitor MFT entry. Right now it's user invoked.

  15. Jan 5

    The MFT entry comparison tool is getting there! Changes in attributes before and after a rename was performed. Still lots to do, but I already like it. Better formatting next.

  16. Retweeted, Jan 5

    Updated spotlight_parser to read iOS databases today!

  17. Jan 4

    I'm planning to make an MFT differencing tool. It will allow you to view differences in MFT attribute values as you interact/make changes to the file/entry. 's mft lib + Win API for the win.

  18. Jan 3

    I have been enjoying getting to know the Windows API creating my monitors. USN is great! But, it doesn't contain full paths. How do I enumerate them on the fly? I use DeviceIoControl + FSCTL_GET_NTFS_FILE_RECORD!

  19. Jan 2

    Added the ability to listen to events remotely using EVT_RPC_LOGIN. EvtOpenSession allows you to use the Windows event log API functions on a remote machine. Fun for seeing what actions generate what events without needing to run locally!
