beercow.bsky.social
"Distrust and caution are the parents of security." - Benjamin Franklin https://malwaremaloney.blogspot.com
33 posts 390 followers 183 following
Regular Contributor

I started exploring OneDrive’s FileUsageSync.db. There is some useful information on files shared via email, Teams, etc… that may not be in the user’s OneDrive. https://malwaremaloney.blogspot.com/2025/02/onedrive-microsoftfileusagesyncdb.html

I am OneDrive.

I just came across email information in one of the OneDrive databases. Sender, recipients, subject, mailbox, attachments, etc… Pretty much everything except the body. More to come. 🤔 #DFIR

OneDriveExplorer now supports and parses Offline Mode for web. https://malwaremaloney.blogspot.com/2025/02/onedriveexplorer-offline-mode-edition.html

https://winbuzzer.com/2025/01/28/flaw-in-microsofts-onedrive-offline-mode-stores-ocr-data-insecurely-xcxwbn/

https://www.msn.com/en-gb/money/technology/microsoft-onedrive-for-business-allegedly-keeps-ocr-ed-data-in-an-unprotected-format/ar-AA1xXUyl?ocid=entnewsntp&pc=LCTS&cvid=bfb3ccf8c62447bb85c4cbf855defaec&ei=35

There seemed to be enough interest so I decided to do a write up on what I have found about OneDrive Offline Mode. Hate to burn a forensic artifact but I’m concerned about what Microsoft feels is secure. #DFIR https://malwaremaloney.blogspot.com/2025/01/onedrive-offline-mode-recallish-vibes.html

Did you know you can run Autopsy Automated Ingest Nodes as a service? This eliminates human interaction and survives reboots. https://malwaremaloney.blogspot.com/2025/01/running-autopsy-auto-ingest-in-headless.html

Added new artifact to All Things OneDrive. <UserCid>_import.dat is created when “Save photos and videos from device” is enabled. It records data on imported photos and videos. https://malwaremaloney.blogspot.com/p/location-localappdatamicrosoftonedrives_16.html

Autopsy Hardening Guide: Part 2. This post covers encrypting passwords and securing the web-console of ActiveMQ. malwaremaloney.blogspot.com/2025/01/auto...

Added new artifact to All Things OneDrive. <UserCid>_screenshot.dat is created when “Save screenshots I capture to OneDrive” is enabled. It records data on the last screenshot saved. https://malwaremaloney.blogspot.com/p/location-localappdatamicrosoftonedrives.html

Part 1 of the Autopsy hardening guide is up. This goes over points to make PostgreSQL and Solr more secure. #DFIR https://malwaremaloney.blogspot.com/2025/01/autopsy-hardening-guide-part-1.html

Did a quick update to DFIR_Toolbar. Executable created. Now to work on the Readme. https://github.com/Beercow/DFIR_Toolbar/releases

Thought I’d do something fun. Presenting the DFIR_Toolbar. Basically a toolbar that can be anything you want it to be. https://malwaremaloney.blogspot.com/2025/01/dfirtoolbar.html

Python tool that converts Microsoft Defender Antivirus Signatures (VDM) into YARA rules. https://github.com/t-tani/defender2yara

Just a heads up. M$ is OCRing all your images in OneDrive for business in an unsecured database on your desktop/laptop. Happy Friday. #DFIR

Out of necessity, today I wrote and compiled my first extension for SQLite. And it worked!

Getting a little concerned now about OneDrive. Looks like the Recall no one’s talking about.

OneDrive offline mode got pushed out to me today. All I have to say about the db is 😮👀. Going to be a game changer. Lots of digging to do. #DFIR

Work on Microsoft Teams Forensics: hexseven.pl/articles/mic... #DFIR #BlueTeam

See you, Miami. Back to colder weather we go.

I released Lyman the other day but didn’t explain what it was. https://malwaremaloney.blogspot.com/2024/11/what-is-lyman.html

I would like to introduce Lyman. A tool to aid in the creation of “mapping” cstruct files for OneDriveExplorer. https://github.com/Beercow/Lyman

Just released OneDriveExplorer v2024.11.20. Mainly bug fixes. https://github.com/Beercow/OneDriveExplorer/releases/tag/v2024.11.20

ODE update. Centers around the ODL logs. Better parsing of v3 logs. Distinguishes which key was used to decrypt the log entries. This helps to identify the difference between vault and general logs. Last update before #DFIRCON https://github.com/Beercow/OneDriveExplorer/releases/tag/v2024.11.12