Arsenal Recon

1.3K posts

@ArsenalRecon

Developers of digital forensics weapons which include Arsenal Image Mounter, Hibernation Recon, LevelDB Recon, HBIN Recon, & Registry Recon. Arm Yourself! #DFIR

Boston. Joined August 2012
1.3K Following, 3.4K Followers

Arsenal Recon @ArsenalRecon
We've seen some fascinating use of AI chatbots in our casework, some of which we've exposed with LevelDB Recon. Are you exposing everything possible from LevelDBs & not just scratching the surface? ArsenalRecon.com #DFIR

Arsenal Recon @ArsenalRecon
A *lot* going on here - Arsenal Image Mounter connected to two drives in a PALADIN-booted Surface Pro 5 over a network via AIM Remote Agent, launching a virtual machine from the Storage Spaces "disk", & accessing secrets after Windows authentication & DPAPI bypasses. #DFIR

Arsenal Recon @ArsenalRecon
LevelDB Recon v1.0.0.53 released today with a new "parsed view" option which automatically determines value data format (support for JSON currently) & displays it in a more user-friendly manner. Thanks to @mattiaep for the suggestion! ArsenalRecon.com #DFIR

Arsenal Recon @ArsenalRecon
@DC3Forensics Please let your digital forensics practitioners know, & have them browse through our feed if they want to see examples of why proper analysis of Windows swap is important.

Craig Bowling @Craig__Bowling
Recently asked by a young, aspiring DF/IR practitioner: 'What are some of your current favorite tools?' My toolkit is large, but here's my current top 10:
1. Sumuri RECON (Mac and iOS forensics) – @SUMURIForensics
2. Magnet AXIOM (Windows, iOS, and Android forensics) – @MagnetForensics
3. Cyber Triage (automated DFIR for incident response with artifact scoring) – @cybertriage
4. X-Ways Forensics (Windows forensics) – @XWaysSoftware
5. KAPE (Kroll Artifact Parser and Extractor) – @EricRZimmerman
6. Digital Detective (NetAnalysis for browser artifacts) – @DigitalDetectiv
7. Arsenal Recon (advanced disk mounting, hibernation/registry analysis, and evidence exploitation) – @ArsenalRecon
8. Magnet Verakey (full file system extractions for iOS/Android) – @MagnetForensics
9. FEX (Forensic Explorer for Windows forensics)
10. Elcomsoft Phone Breaker (iCloud acquisitions) – @elcomsoft
These all get heavy daily use in my workflow. What's in your toolkit?

Arsenal Recon @ArsenalRecon
Have you ever analyzed a Windows computer aggressively (i.e. beyond scratch-and-sniff)? How did you handle swap? Have you used Swap Recon? Check out the latest testimonial from someone that has. ArsenalRecon.com #DFIR

Arsenal Recon @ArsenalRecon
Congratulations Ravi!

Arsenal Recon @ArsenalRecon
Digital forensics casework with extremely high stakes drives our research & development at Arsenal. Please spend a few minutes to think carefully about this slide & how it relates to your past, present, & future casework. ArsenalRecon.com #DFIR

Arsenal Recon @ArsenalRecon
If you're involved in digital forensics, especially as an educator, study these screenshots. What do you see? How does this impact existing articles & curriculum involving Windows swap? What if this CTF was built on a more recent build of Windows 11? ArsenalRecon.com #DFIR

Arsenal Recon @ArsenalRecon
Are you running search terms & signatures against raw Windows swap & getting a very limited view of what actually exists there? Check out these statistics from running @nextronsystems THOR against raw swap & then decompressed blocks specifically. ArsenalRecon.com #DFIR

Arsenal Recon @ArsenalRecon
Swap Recon v1.0.0.16 just released with a fix for a bug that could result in a false positive block being detected towards the end of a swap file & improved performance during final merge of decompressed output. ArsenalRecon.com #DFIR

Arsenal Recon @ArsenalRecon
@RedHatPentester You got our attention with this question. How do you properly analyze Windows swap (B) to accomplish the goal?

Nana Sei Anyemedu @RedHatPentester
During a forensic investigation, an examiner analyzes a Windows system suspected of being used for "private browsing" activities. The suspect claims that no browsing evidence can exist because the browser was always used in private/incognito mode. Which of the following artifacts is MOST likely to still contain recoverable evidence of the suspect's web activity?
A. Browser history database files, because private browsing permanently stores URLs for forensic use
B. The Windows pagefile (pagefile.sys), because memory data may be written to disk during system operation
C. DNS cache entries, because private browsing disables all DNS resolution
D. Browser cookies directory, because private browsing encrypts cookies instead of deleting them

Arsenal Recon @ArsenalRecon
@KevinPagano3 Thanks, let's figure out when we'll be in the same place so you can get one!

Arsenal Recon @ArsenalRecon
@vmreyes1 Thank you! We don't attend many industry events, but we'll be at the IACIS training conference in Orlando May 5-7 with a small number of these coins if you want one.

Arsenal Recon @ArsenalRecon
This swap came from what will soon be a publicly-accessible WoA disk image (to be used in one or more CTFs) our intern has been building for a couple months.

Arsenal Recon @ArsenalRecon
An important #DFIR story in three screenshots… (1) Searching Windows 11 on Arm (WoA) swap for “longitude” (2) Processing WoA swap (containing modern compression) with Swap Recon (3) Searching Swap Recon output for “longitude” ArsenalRecon.com
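Added example, not Arsenal Recon's code and not Swap Recon's implementation (which is not public here): the point behind the three screenshots above, the THOR statistics, and the pagefile quiz answer, in runnable Python. A keyword search over a constructed swap finds a URL that sits in a plaintext page but misses one that sits inside a compressed page; decompressing that page recovers it, including the "longitude" parameter. The decoder implements the MS-XCA "Plain LZ77" (Xpress) format, which published research on Windows 10 memory compression identifies as the format of compressed pages in the MemCompression store; that this is what a particular pagefile holds is an assumption, and the newer compression format the Windows on Arm posts refer to is not handled. The greedy compressor exists only to build the test input. The 4 KiB page size, page-aligned carving, the sample URLs and the three-page swap are all constructed for the example.

```python
import re
import struct

PAGE = 4096  # assumption for the constructed input: 4 KiB pages, one compressed page per page slot

def xpress_compress(data):
    """Greedy MS-XCA Plain LZ77 (Xpress) encoder, used only to build test input (matches of 3..9 bytes)."""
    out, flags, nflags, flag_pos, pos = bytearray(), 0, 0, 0, 0
    while pos < len(data):
        if nflags == 0:                        # reserve the next 32-token flag word
            flag_pos, out = len(out), out + b"\0\0\0\0"
        for l in range(min(9, len(data) - pos), 2, -1):   # longest match first, 8 KiB window
            cand = data.rfind(data[pos:pos + l], max(0, pos - 8192), pos + l - 1)
            if cand != -1:                     # token: 13-bit (distance - 1), 3-bit (length - 3)
                flags = (flags << 1) | 1
                out += struct.pack("<H", ((pos - cand - 1) << 3) | (l - 3))
                pos += l
                break
        else:                                  # no match of 3+ bytes: literal
            flags <<= 1
            out.append(data[pos])
            pos += 1
        nflags += 1
        if nflags == 32:
            struct.pack_into("<I", out, flag_pos, flags)
            flags = nflags = 0
    if nflags == 0:                            # nothing open: emit a flag word just for the terminator
        flag_pos, out = len(out), out + b"\0\0\0\0"
    pad = 32 - nflags                          # unused flag bits are 1s, so the decoder stops on a
    struct.pack_into("<I", out, flag_pos, (flags << pad) | ((1 << pad) - 1))  # match flag with no input
    return bytes(out)

def xpress_decompress(buf, max_out=None):
    """MS-XCA Plain LZ77 decoder; stops at the end-of-stream marker or after max_out bytes."""
    out, ip, flags, nflags, last_half = bytearray(), 0, 0, 0, 0
    while max_out is None or len(out) < max_out:
        if nflags == 0:                        # struct.error here means a truncated stream
            flags, ip, nflags = struct.unpack_from("<I", buf, ip)[0], ip + 4, 32
        nflags -= 1
        if not (flags >> nflags) & 1:          # flag bits are consumed MSB first; 0 = literal
            out.append(buf[ip])                # IndexError if truncated
            ip += 1
            continue
        if ip >= len(buf):
            break                              # match flag with no input left: end of stream
        token, ip = struct.unpack_from("<H", buf, ip)[0], ip + 2
        length, offset = token & 7, (token >> 3) + 1
        if length == 7:                        # extended length: shared nibble, then byte, word, dword
            if last_half:                      # second use of a shared byte: its high nibble
                length, last_half = buf[last_half] >> 4, 0
            else:                              # first use: low nibble, remember where the byte is
                length, last_half, ip = buf[ip] & 0x0F, ip, ip + 1
            if length == 15:
                length, ip = buf[ip], ip + 1
                if length == 255:
                    length, ip = struct.unpack_from("<H", buf, ip)[0], ip + 2
                    if length == 0:
                        length, ip = struct.unpack_from("<I", buf, ip)[0], ip + 4
                    if length < 22:
                        raise ValueError("bad extended length")
                    length -= 22
                length += 15
            length += 7
        length += 3
        for _ in range(length):                # byte-wise copy so overlapping matches work;
            out.append(out[-offset])           # IndexError if the match reaches before the output start
    return bytes(out)

ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")

def find_urls(blob):
    """The raw-search step: URLs as ASCII and as UTF-16LE (how browsers hold them in memory)."""
    hits = {m.group().decode("ascii") for m in ASCII_URL.finditer(blob)}
    return sorted(hits | {m.group().decode("utf-16-le") for m in UTF16_URL.finditer(blob)})

def carve_compressed_pages(swap, page_size=PAGE):
    """Try each page-aligned offset as a compressed page; keep those that decode to exactly one page.
    Alignment is a simplification for the constructed input: a real store packs pages more tightly."""
    found = {}
    for off in range(0, len(swap), page_size):
        try:
            page = xpress_decompress(swap[off:off + page_size], max_out=page_size)
        except (ValueError, IndexError, struct.error):
            continue
        if len(page) == page_size:
            found[off] = page
    return found

def demo():
    """Constructed swap: a plaintext page, a compressed page holding a UTF-16LE geolocation URL, a zero page."""
    plain = b"GET https://example.com/tiles?z=12 HTTP/1.1\r\nHost: example.com\r\n"
    secret = "https://maps.example.com/geocode?latitude=42.3601&longitude=-71.0589"
    page1 = (b"\0" * 16 + secret.encode("utf-16-le")).ljust(PAGE, b"\0")
    swap = plain.ljust(PAGE, b"\0") + xpress_compress(page1).ljust(PAGE, b"\0") + b"\0" * PAGE
    carved = carve_compressed_pages(swap)
    return find_urls(swap), sorted(carved), find_urls(b"".join(carved.values()))
```

demo() returns the raw hits, the offsets that decoded as compressed pages, and the hits after decompression. The raw search finds the plaintext URL and at best a garbled prefix of the compressed one (flag words and match tokens interrupt the literal bytes, and any string that repeats earlier in the page, such as the second "itude=", is replaced by a back-reference), so "longitude" only appears once the page has been decompressed. The decoder reproduces the two worked examples in the MS-XCA specification; real pagefile analysis additionally needs to locate the compressed regions, which Swap Recon does and this example does not.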

Arsenal Recon @ArsenalRecon
Check out the latest Swap Recon (v1.0.0.15) processing Windows on Arm swap (modern compression format) from a Surface Pro 11… ArsenalRecon.com #DFIR