askclees1711

Importing NSRL V3 hashsets into legacy tools

TL;DR NSRLConvert can change the new SQLite NSRL hashsets into a plain list of MD5 hashes. The program is available here and can be used with the following syntax: NSRLConvert.exe {databasename} {outputfile}Example:NSRLConvert.exe RDS_2022.12.1_modern_minimal.db MD5.txt In Detail This last example will convert the Modern Minimal database to a list of MD5 hashes, 1 hash per line.Continue reading “Importing NSRL V3 hashsets into legacy tools”

Decrypting Mega Preferences (Part 2)

The first post seemed to gain a lot of attention from people, with someone from a Police force contacting me to help with one of their cases, so I’ve spent a little time making the script into more of a finished product than a POC. The new script can be found here and is nowContinue reading “Decrypting Mega Preferences (Part 2)”

Decrypting Mega’s megaprefences Sqlite Database

It seems like almost and age since I last published anything on here, I’d like to say its due to a global pandemic causing issues, but mostly its just due to amount of work and a lack of interesting problems to solve for a little while. Luckily this all changed yesterday…… Background One of myContinue reading “Decrypting Mega’s megaprefences Sqlite Database”

SQLite Databases at hex level

My recent post on “Timelining using SQLite Write Ahead Logs” highlighted how much background information is required to deal with SQLite databases. This post is going to give a more in-depth overview of the structure of the SQLite 3 file format. It should take you from knowing very little about SQLite databases to being able toContinue reading “SQLite Databases at hex level”

Timelining using SQLite Write Ahead Logs

Todays question is: Can we tell when records have been deleted from an SQLite database? TL;DR – We can provide some time and date information in very particular circumstances using the WAL log file. It can be very time consuming! Quick warning – This article will assume some knowledge of SQLite databases. I will probablyContinue reading “Timelining using SQLite Write Ahead Logs”

When VM’s go wrong

Welcome to the first (hopefully of many) posts to the new blog. This post is based around an issue that was raised to me that they couldn’t virtualise an exhibit for a case they were working on. I will mention a number of tools in this post and I want to add I don’t haveContinue reading “When VM’s go wrong”

New Blog!

Hi and welcome to the first post of my new blog! I’m hoping this will be the first of many posts, although this will be the only one where nothing forensic/investigative will be posted. I’ve worked in Digital Forensics/Investigations for a number of years and over this time I’ve created new tools and encountered someContinue reading “New Blog!”