beercow - Network

Hmmmm. What are we up to here? 🤔

Hmmmm. What are we up to here? 🤔

Interesting thing with OneDrive Offline Mode for web. You can get the last two modification times of a file. Could come in handy. #DFIR

Interesting thing with OneDrive Offline Mode for web. You can get the last two modification times of a file. Could come in handy. #DFIR

I started exploring OneDrive’s FileUsageSync.bd. There is some useful information on files shared via email, Teams, etc… that may not be...

I started exploring OneDrive’s FileUsageSync.bd. There is some useful information on files shared via email, Teams, etc… that may not be in the user’s OneDrive.

https://malwaremaloney.blogspot.com/2025/02/onedrive-microsoftfileusagesyncdb.html

I am OneDrive.

I am OneDrive.

I just came across email information in one of the OneDrive databases. Sender, recipients, subject, mailbox, attachments, etc…Pretty much...

I just came across email information in one of the OneDrive databases. Sender, recipients, subject, mailbox, attachments, etc…
Pretty much everything except the body. More to come. 🤔 #DFIR

OneDriveExplorer now supports and parses Offline Mode for web....

OneDriveExplorer now supports and parses Offline Mode for web.

https://malwaremaloney.blogspot.com/2025/02/onedriveexplorer-offline-mode-edition.html

https://winbuzzer.com/2025/01/28/flaw-in-microsofts-onedrive-offline-mode-stores-ocr-data-insecurely-xcxwbn/

https://winbuzzer.com/2025/01/28/flaw-in-microsofts-onedrive-offline-mode-stores-ocr-data-insecurely-xcxwbn/

...

https://www.msn.com/en-gb/money/technology/microsoft-onedrive-for-business-allegedly-keeps-ocr-ed-data-in-an-unprotected-format/ar-AA1xXUyl?ocid=entnewsntp&pc=LCTS&cvid=bfb3ccf8c62447bb85c4cbf855defaec&ei=35

There seemed to be enough interest so I decided to do a write up on what I have found about OneDrive Offline Mode. Hate to burn a forensic...

There seemed to be enough interest so I decided to do a write up on what I have found about OneDrive Offline Mode. Hate to burn a forensic artifact but I’m concerned about what Microsoft feels is secure. #DFIR

https://malwaremaloney.blogspot.com/2025/01/onedrive-offline-mode-recallish-vibes.html

Did you know you can run Autopsy Automated Ingest Nodes as a service. This eliminates human interaction and survives reboots. ...

Did you know you can run Autopsy Automated Ingest Nodes as a service. This eliminates human interaction and survives reboots.
https://malwaremaloney.blogspot.com/2025/01/running-autopsy-auto-ingest-in-headless.html

Added new artifact to All Things OnDrive. <UserCid>_import.dat is created when “Save photos and videos from device” is enabled. It...

Added new artifact to All Things OnDrive. <UserCid>_import.dat is created when “Save photos and videos from device” is enabled. It records data on imported photos and videos.

https://malwaremaloney.blogspot.com/p/location-localappdatamicrosoftonedrives_16.html

Autopsy Hardening Guide: Part 2. This post covers encrypting passwords and securing the web-console of ActiveMQ....

Autopsy Hardening Guide: Part 2. This post covers encrypting passwords and securing the web-console of ActiveMQ.

https://malwaremaloney.blogspot.com/2025/01/autopsy-hardening-guide-part-2.html

Added new artifact to All Things OnDrive. <UserCid>_screenshot.dat is created when “Save screenshots I capture to OneDrive” is...

Added new artifact to All Things OnDrive. <UserCid>_screenshot.dat is created when “Save screenshots I capture to OneDrive” is enabled. It records data on the last screenshot saved.

https://malwaremaloney.blogspot.com/p/location-localappdatamicrosoftonedrives.html

Part 1 of the Autopsy hardening guid is up. This goes over points to make PostgreSQL and Solr more secure....

Part 1 of the Autopsy hardening guid is up. This goes over points to make PostgreSQL and Solr more secure. #DFIR

https://malwaremaloney.blogspot.com/2025/01/autopsy-hardening-guide-part-1.html

Did a quick update to DFIR_Toolbar. Executable created. Now to work on the Readme. https://github.com/Beercow/DFIR_Toolbar/releases

Did a quick update to DFIR_Toolbar. Executable created. Now to work on the Readme.

https://github.com/Beercow/DFIR_Toolbar/releases

Thought I’d do something fun. Presenting the DFIR_Toolbar. Basically a toolbar that can be anything you want it to be....

Thought I’d do something fun. Presenting the DFIR_Toolbar. Basically a toolbar that can be anything you want it to be.

https://malwaremaloney.blogspot.com/2025/01/dfirtoolbar.html

Python tool that converts Microsoft Defender Antivirus Signatures (VDM) into YARA rules.https://github.com/t-tani/defender2yara

Python tool that converts Microsoft Defender Antivirus Signatures (VDM) into YARA rules.

https://github.com/t-tani/defender2yara

Just a heads up. M$ is OCRing all your images in OneDrive for business in an unsecured database on your desktop/laptop. Happy Friday. #DFIR

Just a heads up. M$ is OCRing all your images in OneDrive for business in an unsecured database on your desktop/laptop. Happy Friday. #DFIR

Out of necessity, today I wrote and compiled my first extension for SQLite. And it worked!

Out of necessity, today I wrote and compiled my first extension for SQLite. And it worked!

Getting a little concerned now about OneDrive. Looks like the Recall no one’s talking about.

Getting a little concerned now about OneDrive. Looks like the Recall no one’s talking about.