Tag Archives: artefact locations
HTTP Cookies – Part 3 – Chrome Cookies
Chrome location, Windows 7 onwards: %LocalAppData%\Google\Chrome\User Data\Default. Unlike Internet Explorer (and like Firefox), Chrome does not use individual text files, but instead uses a SQLite database. In order to view this you will need a SQLite browser (easy to get …
Posted in Browser Forensics, Chrome, Cookies
Tagged artefact locations, basics, browser forensics, chrome, hats off security, Windows 10, windows 7, windows 8.1, Windows8
HTTP Cookies – Part 2 – Firefox
Firefox location, Windows 7 and onwards: %AppData%\Mozilla\Firefox\Profiles\<profile.name>\cookies.sqlite. Unlike Internet Explorer (and like Chrome), Firefox does not use individual text files for storing cookies; instead it uses a SQLite database. In order to view this you will need a SQLite browser …
Posted in Browser Forensics, Cookies, Firefox
Tagged artefact locations, browser forensics, cookies, firefox, hats off security, Windows 10, windows 7, windows 8.1, Windows8
HTTP Cookies – Part 1 – Internet Explorer and Microsoft Edge
Finding Internet Explorer/Edge Cookies (Windows 7-10… possibly Vista, but who uses Vista?!) Microsoft introduced a cool new way of finding your cookies. From the Run prompt or any Explorer window type “shell:cookies” and you will be taken to the Cookies …
Removing Cookies
Do you know how many cookies are tracking you? Have you tried to clear the cookies only to find some things not quite gone? Well I have a product for you!… just kidding, it sounded like an advert, so I …
Posted in Browser Forensics, Cookies
Tagged artefact locations, browser forensics, cookies, hats off security
USB Forensic “Roadmap”
As I have been researching and investigating USB Forensics I put together a “Roadmap” for my own personal reference. I made it using Maltego Case File and refer to it every now and then when I am attempting to remember …
Posted in Cyber, Research, USB Forensics, Windows Forensics
Tagged artefact locations, hats off security, USB, windows 7, Windows Registry Forensics, Windows8
Windows XP Restore Points
I know XP is going the way of the Dodo, which is why I wanted to write this post. As blogs and posts update and keep up with the latest versions of Windows I find it harder and harder to …
Mounted Devices Key
Here is a screen capture of a Mounted Devices key. As you can see, it can appear quite daunting. In a previous blog post I covered how USB Mass Storage devices would simply convert ASCII to Hex and use …
Research: Decoding LanmanServer\Shares
For my first fully independent research topic I chose to look at the registry key created when an object is shared. This all started with a job we were investigating recently where the indicators we were given did not turn …
Link Files
Link (lnk) files are a valuable source of information in a forensic investigation and should not be casually overlooked. What are Link files? Link files are created by the system when a file is opened, even if that file is …
Posted in Link FIles, Windows Forensics
Tagged artefact locations, basics, hats off security, link files, windows 7, Windows8
Jump Lists
What is a Jump List? A Jump List looks something like: From left to right we have; Windows Media Player Start Menu, Wordpad Internet Explorer Jump Lists were introduced in Windows 7 to allow frequently used files/tasks/webpages to be selected …