New Year, New

2019 is here and the new year brings something with it I’ve wanted to do for a while: re-launch my blog! It has a new look and a new home at I’ve had some big changes in my life: I became a father and I began working at Google on their Digital Forensics team. […]

Investigating Universal Analytics

Two common questions when investigating web browsing are: how long did a user spend on a website, and what actions did they take while on it We have a number of methods of approximating what the user did and how much time they spent on a page, but browser histories just weren’t designed to comprehensively record all that information. Chrome visit […]

Load Balancer Cookies

Load Balancer Cookie Decoder

I was going through my bookmarks and found a write-up from a few years ago on decoding NetScaler load balancer cookies. Adam Maxwell (@catalyst256) wrote a few blog posts describing his process of figuring out how to decode the cookie and finished it off by releasing a Python script that automates his process. It’s always interesting […]

Upgrading Python’s SQLite

SQLite and Python in DFIR SQLite databases are being used in more and more applications, and thus forensic examiners are increasingly running across them in investigations.  Python seems to be one of the languages of choice for the DFIR community, and so SQLite and Python often intersect.  I’ve developed two open source tools, Hindsight and […]