Beercow  

83 Followers
143 Following
131 Posts
"Distrust and caution are the parents of security." - Benjamin Franklin
Blog: https://malwaremaloney.blogspot.com
GitHub: https://github.com/Beercow
Keybase: https://keybase.io/beercow
Twitter: https://twitter.com/bmmaloney97
Location: Your butter from another utter
When you get a group text and fix the name and picture for them.
When launching a program as admin, consent.exe runs with a parent process of svchost. If successful, consent.exe exits and the new process is launched with explorer as its parent. If not, we can’t always tell what was trying to be run. Until now. https://github.com/Beercow/ConsentMonitor
Into the unknown and down rabbit holes we go.
Appears OneDrive snuck a new sync client in. Works with personal accounts at the moment. It’s WebView2. You can find data in the following locations:
AppData\Local\Microsoft\OneDrive\OD4
AppData\Local\Microsoft\OneDrive\Logs\OD4
Where are my browser forensics experts at? #DFIR

Updated OneDrive Evolution. You can now compare two versions of OneDrive and see what has changed. #DFIR

https://malwaremaloney.blogspot.com/p/onedrive-evolution.html

Today we learned Fishrocket (the one with the doughnut) has cancer. It’s an aggressive form of mast cell tumors. Treatment usually involves removing them but there are too many. They prescribe prednisone because they itch. Has diabetes so can’t give him prednisone. Poor guy.
Another interesting forensic artifact in OneDrive. UXDatabase.db
New laptop, new stickers. 😜
Hmmmm. What are we up to here? 🤔
Interesting thing with OneDrive Offline Mode for web. You can get the last two modification times of a file. Could come in handy. #DFIR