Investigating Universal Analytics

Two common questions when investigating web browsing are: how long did a user spend on a website, and what actions did they take while on it? We have a number of methods of approximating what the user did and how much time they spent on a page, but browser histories just weren’t designed to comprehensively record all that information. Chrome visit […]

Load Balancer Cookie Decoder

I was going through my bookmarks and found a write-up from a few years ago on decoding NetScaler load balancer cookies. Adam Maxwell (@catalyst256) wrote a few blog posts describing his process of figuring out how to decode the cookie and finished it off by releasing a Python script that automates his process. It’s always interesting […]

Alexa, Tell Me Your Secrets

The Amazon Echo is a nifty little device that you communicate with via speech – you can ask it to do various tasks and it verbally replies. You preface each command with the trigger word – either “Alexa”, “Amazon”, or “Echo”. The Echo uses the Alexa Voice Service to handle the verbal interactions and Alexa really […]

Upgrading Python’s SQLite

SQLite and Python in DFIR: SQLite databases are being used in more and more applications, and thus forensic examiners are increasingly running across them in investigations. Python seems to be one of the languages of choice for the DFIR community, and so SQLite and Python often intersect. I’ve developed two open source tools, Hindsight and […]

Hindsight v1.5.0 released + GUI!

I am very excited to announce that Hindsight v1.5.0 is here! Graphical User Interface: The core Hindsight functionality continues to see incremental improvements, along with quite a few internal changes to support new features that will appear in subsequent releases. However, the major change is that there is now a graphic interface available for Hindsight, thanks […]