| Website | khyrenz.com |
Version 1.6 of #DFIR #parseUSBs is out…
I was interested to see if I could fill in any gaps in assigned drive letters for previous USB connections using LNK data, so this version does exactly that (matching on VSN)
As always, feedback very welcome
🚨 #DFIR Tool update 🚨
I’ve updated my #parseUSBs script (again!) with some big updates:
- Now supports mounted #KAPE images
- Improved deduplication of events within secs of each other
- Added extraction of partition style (MBR/GPT) & Filesystem fields in event logs
- Parses alternate S/Ns in event logs
- Parses WPDBUSENUM key
Check it out here:
https://github.com/khyrenz/parseusbs
My #parseusbs #DFIR tool got a small update this week to fix an issue on Linux - now tested on Windows cmd/powershell, WSL (the best!), & Ubuntu
Parse USB connection artifacts from a Windows volume, including registry & event log data (or offline hives)
github.com/khyrenz/parseusbs
Join me in Lisbon in 3 weeks for lots of @sansforensics #FOR500 Windows forensics fun. I’ve discovered some fun new things about USB connection artifacts that I’ll be sharing first at this event, so you’ll want to be around for all that!
Sign up here: https://www.sans.org/u/1yrB
🚨 #DFIR Tool Update 🚨
Updates to #parseUSBs script:
- now also parses Storsvc event log to get volume count & size values
- includes a timeline in CSV out mode as well as summary
Would love to know if there’s anything else you’d like to see parsed
I was just given the best #DFIR news… I passed the #GXFE, was awarded the #GSP as this was the last requirement I needed to meet, and best of all… I’m Analyst #1!!!
You have no idea how happy that made me 🥳🥰
Thank you @certifygiac, you absolutely made my year!
🚨 #DFIR Tool Update Alert 🚨
I’ve updated my script that parses USB Connection artifacts from a mounted Windows volume, to include EID 1006 events from the Windows-Partition-Diagnostic log
Includes connect/disconnect times, VSNs & filesystem type
Check it out: https://github.com/khyrenz/parseusbs
I also updated my blog on this tool: https://www.khyrenz.com/post/automated-usb-artefact-parsing-from-the-registry
Side note: while I was researching volume serial numbers & how to parse them, I noticed that some existing tools aren’t parsing the whole VSN for NTFS drives (only show 4 of the 8 bytes). I contacted the authors of those tools & some updates are incoming #DFIRTeamwork. In the meantime, if you see a 4-byte VSN for an NTFS drive just be aware you’re missing 4 bytes 👍
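To make the 4-byte versus 8-byte point concrete, here is an added example (my own code, not part of parseUSBs or the original post) that reads the volume serial number from a boot sector and shows how the full NTFS VSN relates to the 4-byte form that LNK files and Windows itself display. It goes slightly beyond the post by also handling FAT32 and FAT12/16, whose serial numbers really are only 4 bytes. The boot sectors are constructed in the script rather than read from a real image, the VSN values are made up, and the relationship "short VSN = low 32 bits of the full NTFS VSN" is an assumption you should confirm against your own images before relying on it for matching.

```python
# Constructed example: volume serial number (VSN) extraction from a boot sector.
# Offsets come from the NTFS and FAT BIOS Parameter Block layouts.

# name: (fs-type string offset, expected string, VSN offset, VSN length in bytes)
_LAYOUTS = {
    "NTFS":  (0x03, b"NTFS    ", 0x48, 8),
    "FAT32": (0x52, b"FAT32   ", 0x43, 4),
    "FAT16": (0x36, b"FAT16   ", 0x27, 4),
    "FAT12": (0x36, b"FAT12   ", 0x27, 4),
}


def parse_vsn(sector: bytes) -> tuple:
    """Return (filesystem name, full VSN as int) from a 512-byte boot sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid boot sector (missing 0x55AA signature)")
    for name, (sig_off, sig, vsn_off, vsn_len) in _LAYOUTS.items():
        if sector[sig_off:sig_off + len(sig)] == sig:
            # VSNs are stored little-endian on disk
            return name, int.from_bytes(sector[vsn_off:vsn_off + vsn_len], "little")
    raise ValueError("unrecognised filesystem in boot sector")


def full_vsn_hex(fs: str, vsn: int) -> str:
    """Hex form of the whole VSN: 16 digits for NTFS, 8 for FAT variants."""
    width = 16 if fs == "NTFS" else 8
    return f"{vsn:0{width}X}"


def short_vsn(vsn: int) -> str:
    """The 'XXXX-XXXX' form Windows prints. For NTFS this is assumed to be the
    low 32 bits of the 8-byte VSN; for FAT the VSN is already 4 bytes."""
    low = vsn & 0xFFFFFFFF
    return f"{low >> 16:04X}-{low & 0xFFFF:04X}"


def lnk_serial_matches(lnk_drive_serial: int, vsn: int) -> bool:
    """An LNK VolumeID holds only a 4-byte DriveSerialNumber, so matching it
    against an NTFS VSN from the registry or event log must compare the low
    32 bits, not the full 8-byte value (assumption, see lead-in)."""
    return lnk_drive_serial == (vsn & 0xFFFFFFFF)


def make_sector(fs: str, vsn: int) -> bytes:
    """Build a minimal constructed boot sector for testing (not a real image)."""
    sig_off, sig, vsn_off, vsn_len = _LAYOUTS[fs]
    buf = bytearray(512)
    buf[sig_off:sig_off + len(sig)] = sig
    buf[vsn_off:vsn_off + vsn_len] = vsn.to_bytes(vsn_len, "little")
    buf[510:512] = b"\x55\xAA"
    return bytes(buf)


if __name__ == "__main__":
    # Made-up NTFS VSN; note that a tool printing only "6E5A-4012" drops the
    # upper 4 bytes (1C6E5A5E).
    ntfs = make_sector("NTFS", 0x1C6E5A5E6E5A4012)
    fs, vsn = parse_vsn(ntfs)
    print(fs, "full:", full_vsn_hex(fs, vsn), "short:", short_vsn(vsn))
    print("LNK serial 0x6E5A4012 matches:", lnk_serial_matches(0x6E5A4012, vsn))

    fat = make_sector("FAT32", 0xA1B2C3D4)
    fs, vsn = parse_vsn(fat)
    print(fs, "full:", full_vsn_hex(fs, vsn), "short:", short_vsn(vsn))
```

When correlating artefacts, keep both forms: the full 8-byte value distinguishes NTFS volumes that happen to share a low DWORD, while the 4-byte form is what you will find in LNK VolumeID structures and in Windows' own `vol`/`dir` output.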
There's no better feeling than watching one of your students kill it on stage at a @sansforensics #DFIRSummit!
Dan gave a really cool & interesting talk about drone #DFIR analysis - questions to ask, what data they collect, how to acquire, & deep dived into a DJI Mavic Air 3 & the DJI Fly app 🤘
@sansforensics #DFIRSummit keynote by @robtlee highlighted the rise of #AI and the key to #DFIR moving forwards in the future will be the ability of people to learn & adapt
He gave a list of useful resources to get started & get ahead. Go check them out: https://thegrai.com/wp-content/uploads/2024/08/AI-Resource-Checklist-2.pdf