Channel: Cheeky4n6Monkey - Learning About Digital Forensics
Browsing all 76 articles

Deleted SQLite Parser Script Update (Now With Added DFIR Rockstar!)

Monkey says: "Knowing DFIR Rockstars has its privileges!" (Mari's picture courtesy of her Google+ Profile) This post aims to build upon Mari DeGrazia's sqlparse Python script which harvests data from...


How u like Base(64)?

Monkey was having such a great time, no one had the heart to tell him he had the wrong type of base ... A recent blog post by Heather Mahalik (@HeatherMahalik) mentioned that a multiple Base64 decoding...


Extracting Ones BLOBs From The Clutches Of SQLite

SQLite BLOB work used to be an adventure ... Not anymore! Did you know that SQLite databases can also hold binary data? BLOB fields can contain pictures, audio, base64 encoded data and any other binary...


Chunky4n6Monkey!

With some substantial assistance from Boss Rob ... Enter the Chunky Monkey! This post is targeted at those particularly interested in Python programming. If you are looking for a forensic wonder-tool...


Thoughts on Intern Monkeys

I apologise for the long break between posts. I've been doing some renovation work and my well of ideas seems to have run dry. In an attempt to kickstart some creativeness, I recently contacted some...


Cheeky Season's Greetings

Today I thought I would do a brain-dump of some things/tips I've done/encountered since starting my internship about 6 weeks ago. Hopefully some of it will be useful to others but at the very least it...


Dude, Where's My Banana? Retrieving data from an iPhone voicemail database

This is a complementary post to Mari DeGrazia's post here about what to do when your tools don't quite cut the mustard. In today's post, I'll show how we can write a Perl script to retrieve the...


Creating a Perl script to retrieve Android SMS

This script/post was inspired by Mari DeGrazia after she had to manually parse hundreds of Android SMS messages. Without her prior research and the principles she discusses in her post, there's little...



G is 4 cookie! (nomnomnom)

What is it? A Linux/Unix based Perl script for parsing cached Google Analytic requests. Coded/tested on SANS SIFT Virtual Machine v2.14 (Perl v5.10). The script (gis4cookie.pl) can be downloaded...


Determining (phone) offset time fields

Let me preface this by saying this post is not exhaustive - it only details what I have been able to learn so far. There's bound to be other strategies/tips but a quick Google didn't return much (hence...


HTCIA Monkey

Just a quick post to let you know that this monkey (and friends) will be attending HTCIA 2013 from 8-11 Sept in Summerlin, Nevada. So if you're in the neighbourhood, please feel free to play spot the...


Reflections of a Monkey Intern and some HTCIA observations

Inspired by the approaching 12 month point of my internship and this Lifehacker article, I thought I'd share some of my recent thoughts/experiences. Hopefully, writing this drivel will force me to...


Monkey Vs Python = Template Based Data Extraction Python Script

There seem to be 2 steps to forensically reverse engineering a file format:
- Figuring out how the data is structured
- Extracting that data for subsequent presentation
The dextract.py script is supposed...


Facebook / Facebook Messenger Android App Parser Script

Poorly drawn parody of the Faceoff movie poster. Not satisfied with how your forensic tools are currently presenting Facebook (v3.3 for Android) / Facebook Messenger (v2.5.3 for Android) messages and...


Android SMS script update and a bit of light housekeeping

Knock, Knock ... During recent research into Android SQLite databases (eg sms), Mari DeGrazia discovered a bug in the sms-grep.pl script. Mari's test data was from a Samsung Galaxy S II. It turns out the...


Monkeying around with Windows Phone 8.0

Ah, the wonders of Windows Phone 8.0 ... Failing eyesight, Frustration and Squirrel chasing. Currently, there is not much freely available documentation on how Windows Phone 8.0 stores data so it is...


Android Has Some Words With Monkey

Be advised ... Here thar be Squirrels! The recent NIST Mobile Forensics Webcast and SANS FOR585 poster got monkey thinking about using the Android emulator for application artefact research. By using an...


Squirrelling Away Plists

Just grabbin some acorns ... Plists are Apple's way of retaining configuration information. They're scattered throughout OS X and iOS like acorns and come in 2 main types - XML and binary. Due to their...


Windows Phone 8.0 SMS, Call History and Contacts Scripts

Apparently, you can't trust any old monkey with your Windows Phone ... Following on from our previous Windows Phone post and after some excellent testing feedback, it's time to release some Windows...


"Awesome" Windows Phone 8 Stuff

Mobile Forensics is AWESOME! Teamwork is AWESOME! Researching Windows Phone 8 is ... er, "no comment" ;) Our previous Windows Phone posts here and here described the call history/SMS/contacts areas of...
