askclees1711

Chrome Visited Links

TL;DR: The visited_links table provides information about how a user gets to a specific site. It may also contain records even if a user clears their history (prior to July 22nd 2024) but only if they selected the “All Time” range for deleting history. It also appears that any records that were not deleted areContinue reading “Chrome Visited Links”

Converting NSRL RDS Deltas

TL;DR You can convert Delta files into database that can be imported into tools that support that formatDownload the program hereSet the input file to the “RDS_*_delta.zip” file and specify and output folderClick Convert and wait for it to finishThere should be a file with the same name as the zip file but with aContinue reading “Converting NSRL RDS Deltas”

Importing NSRL V3 hashsets into legacy tools

TL;DR NSRLConvert can change the new SQLite NSRL hashsets into a plain list of MD5 hashes. The program is available here and can be used with the following syntax: NSRLConvert.exe {databasename} {outputfile}Example:NSRLConvert.exe RDS_2022.12.1_modern_minimal.db MD5.txt In Detail This last example will convert the Modern Minimal database to a list of MD5 hashes, 1 hash per line.Continue reading “Importing NSRL V3 hashsets into legacy tools”

Decrypting Mega Preferences (Part 2)

The first post seemed to gain a lot of attention from people, with someone from a Police force contacting me to help with one of their cases, so I’ve spent a little time making the script into more of a finished product than a POC. The new script can be found here and is nowContinue reading “Decrypting Mega Preferences (Part 2)”

Decrypting Mega’s megaprefences Sqlite Database

It seems like almost and age since I last published anything on here, I’d like to say its due to a global pandemic causing issues, but mostly its just due to amount of work and a lack of interesting problems to solve for a little while. Luckily this all changed yesterday…… Background One of myContinue reading “Decrypting Mega’s megaprefences Sqlite Database”

SQLite Databases at hex level

My recent post on “Timelining using SQLite Write Ahead Logs” highlighted how much background information is required to deal with SQLite databases. This post is going to give a more in-depth overview of the structure of the SQLite 3 file format. It should take you from knowing very little about SQLite databases to being able toContinue reading “SQLite Databases at hex level”

Timelining using SQLite Write Ahead Logs

Todays question is: Can we tell when records have been deleted from an SQLite database? TL;DR – We can provide some time and date information in very particular circumstances using the WAL log file. It can be very time consuming! Quick warning – This article will assume some knowledge of SQLite databases. I will probablyContinue reading “Timelining using SQLite Write Ahead Logs”

When VM’s go wrong

Welcome to the first (hopefully of many) posts to the new blog. This post is based around an issue that was raised to me that they couldn’t virtualise an exhibit for a case they were working on. I will mention a number of tools in this post and I want to add I don’t haveContinue reading “When VM’s go wrong”

New Blog!

Hi and welcome to the first post of my new blog! I’m hoping this will be the first of many posts, although this will be the only one where nothing forensic/investigative will be posted. I’ve worked in Digital Forensics/Investigations for a number of years and over this time I’ve created new tools and encountered someContinue reading “New Blog!”