The Forensic Lunch with David Cowen and Matthew Seyer

The Forensic Lunch! The twice a month podcast devoted to Digital Forensics and Incident Response!
RSS Feed Subscribe in Apple Podcasts
The Forensic Lunch with David Cowen and Matthew Seyer






All Episodes
Now displaying: August, 2015
Aug 25, 2015

Anuj Soni, discussing webshells and attacker tools
Jason Trost, discussing the Modern Honey Net project he's working on at Threatstream
Matt Bromiley talking about the work we are done to extend the MHN reporting by integrating elastic search and Kibana to visualize the data

Show notes:
Anuj Soni:
Twitter: @asoni
• My SANS Webcast on web shells:
• The upcoming FOR610 course in Monterey:
• My bio and instructor page:
- Webacoo

Jason Trost:
Twitter: @jason_trost
Threatstream Github:
Jason's Github:
Modern Honey Network:

Matt Bromiley:
Twitter: @505forensics
MHN Visualization Series:

Lee Whitfield:
Twitter: @lee_whitfield
Forensic 4cast awards nomination:
Facebook Threatexchange:

Aug 25, 2015

This weeks guests:
Kyle Maxwell - Threat Intel and Honeypots
Lenny Zeltser - Malware Reversing, attacker tools and capturing malware

To join the community MHN project discussion on this show email us at

Aug 25, 2015

The first forensic lunch of the new year!
We had an open chat with a discussion of honeypots with Ken Pryor

Aug 25, 2015

More about Shellbag research with Eric Zimmerman and other topics!

Aug 25, 2015

This week we had:
Matt Bromiley, @505forensics, talking about NoSQL injection attacks and forensics to detect them. You can read more about it on his blog

Matt Harrigan, @mattharrigan, of PacketSled, @packetsled, talking about his network visualization tool that is soon to have a free version released. You can sign up for the beta and get this into your hands at

Aug 25, 2015

This time we have the winner of our current SANS DFIR Super Sunday Funday Forensic Contest! We will walk through all the levels revealing how they were done and how they were solved.

Aug 25, 2015

We are broadcasting live from HTCIA International Conference with:
Sumuri Carbon
Andres Velazquez talking about Forensic in Latin America
Membership director for HTCIA talking about the organization
Latest updates on the Triforce from Matthew and I!

Aug 25, 2015

Andrew Case talks about the release of his new book and discusses his research on memory forensics

Lee Whitfield talks about Facebook Messenger and other recent events.

Aug 25, 2015

Forensic Lunch this week with:
Blazer Catzen, talking about File system tunneling and metadata misadventures
Cindy Murphy, talking about smart phone forensics and being Cindy Murphy

Aug 25, 2015

The SANS DFIR Summit, our favorite talks and what makes it stand out as a conference

Dave Hull's, @davehull project Kansa

An in depth discussion of Volume Shadow Copies discssuing: How to identify how much shadow copies are active on a volume (without VSS Admin) Evidence of Automatic vs Manual VSC deletion What different tools show for how many VSCs exist What you can and can't implictily trust How to validate what you see

More about what forensic tools should provide to an examiner at a minimum

And BBQ Summit talk!

As discussed the show may change after next week and the weekly shows are no longer required to meet my year of blogging. I'd like to hear your thoughts of what would make show more valuable to. Topics I'd like to hear from you on include but are not limited to:

Frequency, should we keep it once a week or go to twice a month / once amonth

Topics, Are we covering what is important to you? Should we add anything else?

Format, Do you enjoy the guests or us talking more?

Time of day/Day of week, Is there a better time we could be doing this so more of you can watch it live

Let me know in the comments below or email me, we do the show for you not us!

Aug 25, 2015

We had a great Forensic Lunch today. We didn't have any official guests this week , just Matthew, You and I talking about what was interesting to us this week. We talked about:

1. The SANS DFIR Summit

2. The For 408 class I am currently assisting with

3. The research into USB Device history that is leading to a race for application development between Eric Zimmerman and myself

Here are the links to he USB device lookups I found:

Official list of Vendors from (requires you to convert from decimal to hex to match in the registry)

The Linux USB driver list of known USB Vendors and Products:

4. A good discussion about programming in DFIR and the movement towards common output formats and moving data between tools.

Aug 25, 2015

Sarah Edwards, @iamevltwin, talking about her presentation on Mac/OSX malware.

Lee Whitefield, @lee_whitfield, talking about the current Trucrypt conspiracy theories and what may have happened

For those listening here are our conference recommendations:

Large conference: CEIC

Mid size but vendor sponsored: PFIC

Mid size but independent : HTCIA

Small and very technical: SANS DFIR Summit and OSDFCon

Aug 25, 2015

Today we had: Austin Colby from Black Bag talking about whats new with Blacklight, Macqusition and much more. You can find out more at Steve Whalen, @sumurillc, talking about whats new at Sumuri including Paladin, Recon and others. Steve also talked about his new project Mission: No More Victims Sheryl Falk, @sherylfalk, talking about her talk at CEIC all about Data Breaches Matthew and I talking all about the official release of the Triforce! You can go here and find out all about it and buy your own license at

Aug 25, 2015

Live from CEIC talking about the best talks of the day and special guests!

Aug 25, 2015

Suzanne Widup, @suzannewidup, talking about her talk at CEIC on the DBIR and her new book
Ken Mizota, @kenm_encase, the product manager for Encase investigation products talking about whats new v7 and the upcoming v8
David Dym, @dave873, talking about his talk on SQLite forensics

Aug 25, 2015

Live from ADUC join us as we talk about what's going on here and what new information is being revealed

Aug 25, 2015

Mari DeGrazia, @maridegrazia, talking about her research into the Thunderbird email client, its variations and the tool she has put out to work with it. You can read her post about this on her blog as well as grab the tool here:

Hal Pomeranz, @halpomeranz, talking about his research into Encrypted iTunes backups. How to extract out whats contained within them and when they were made, very cool stuff. Here are the links Hal mentioned:

Stack overflow discussion of the manifest.mbdb file:

Link to download Hal's tool here:

Lucas Zaichkowsky, @LucasErratus, from AccessData talking about his work there and a new reveal of their unified cybersecurity/response/forensics platform. Very cool stuff that I didn't realize they were already viewing. I'll have to get a better understanding of this technology!

Aug 25, 2015

We had a very interesting forensic lunch today. Lee Whitfield, @lee_whitfield and Suzanne Widdup, SuzanneWidup, joined us and your comments in an open discussion. We discussed an article linked by Brian Moran located here: all about how some malware researchers are accessing bad guy forums using Heartbleed.

We also got linked to a great case brief by Jason Alvarado, US v Jarrett, you can read here: that is all about an anonymous vigilante in Turkey who provided evidence to the FBI about a pedophile. Who in the end got the evidence thrown out of court as the vigilante was not a government agent and the evidence was inadmissible.

All in all a very interesting 45 minutes of discussion, we also talked about my beard, and I hope you agree this experiment was semi-successful. I plan to try this again and hopefully more of you will participate!

Aug 25, 2015

Shelly Giesbrecht, @nerdiosity, talking about her upcoming talk at the SANS DFIR Summit called '10 Ways To Make Your SOC More Awesome', learn more about the event here and you can hear a leadup to it on a SANS Webinar here:

We also talked a bit about the National Collegiate Cyber Defense Competition where I am currently leading the red team before I had to run back to the fun! Also no audio issues!

Aug 25, 2015

Santiago Ayala, @darthsaac, talking about his career in DFIR leading up to his nomination for a Forensic 4cast award nomination as Digital Forensic Examiner of the year! Listen to what Santiago has to say to see if you want to vote for him!

Lee Reiber, @celldet, talking about a couple things:
His upcoming trainings at the AccessData Users Conference on MPE+ , mobile forensics and python scripting with MPE+:
His upcoming talk at the SANS DFIR Summit called Peeling the Application Like an Onion which focuses on analysis of mobile applications, check out more here
and a good discussion on mobile forensics in its current state and where things are headed.

Chris Pogue, @cpbeefcake, talking about a couple things:
His upcoming talk at the SANS DFIR Summit called The Life Cycle of Cybercrime which focuses on the complete life of a case from where it starts to how law enforcement gets involved locally and globally, check out more here
All about Sniper forensics, his team at Trustwave and the difficulties of doing DFIR around the world.

Aug 25, 2015

Anthony Di Bello from Guidance Software talking about CEIC. CEIC is our industries biggest conference and we will be there. If you are interested go here and follow them on twitter @encase

David Dym talking about his upcoming talk on SQLite forensics at CEIC and the early release of a new tool called SQLiteDiver which comes in GUI and CLI forms. You can download SQLiteDiver here: and you can see Dave talk about it and SQLite forensics at CEIC!

Aug 25, 2015

Dave Hull from Microsoft, you can follow Dave on Twitter @davehull , his blog and on github
You should come to the SANS DFIR Summit and see him there as well!

Vico Marizale and Joe Sylve from 504ensics came back for their 3rd week of commitment! @vicomarziale and @jsylve. You should get involved with their new registry timestamp project by emailing them to get their tool and start helping to discover unknown registry timestamps!

Aug 25, 2015

Vico Marziale from 504ensics, discussing their memory differencing project amongst other topics
Lee Whitfield discussing the upcoming deadline for Forensic 4cast award nominations and the trouble with time machines

Aug 25, 2015

Vico Marziale, @vicomarziale Talking about the research being done at 504ENSICS Labs and specifically into the OSX Spotlight index.

You can get a copy of spotlight inspector here:

You can read the 504ensiecs blog here

You can see the rest of their website and tools here:

Nasa Quba & Kausar Khizra - Talking about their research on Windows 8 File History!

You can see Nasa & Khizra at the SANS DFIR Summit this june go into depth into this research during an hour presentation on the topic!
Go here to learn more:

To contact Nasa & Khizra their linkedin page is here:

Aug 25, 2015

We had another great Forensic Lunch today, I hope you will consider making time in your Friday to watch it live someday as I think its just way more fun live. This week we had in order of appearance:

Jake Williams, @malwarejake, talking about the results of the SANS Endpoint Security survey and the positions they are looking to hire at the Mayo Clinic for those of you looking for senior DFIR positions!

You can also train with jake next month in Orlando and elsewhere, go here to see the classes he's teaching

SANS/Guidance Endpoint Security Survey Webcast -

Alissa's Memory Forensics Class - Orlando,

Jake's Log Management and Forensics Class - Orlando,

Jake and Alissa's Memory Forensics vLive class -

Brian Baskin, @bbaskin, talking about his research, blog (ghetto forensics), books (here is an amazon link), and his work at DC3 where they are looking for people interested in DFIR with a clearance who live in the Baltimore area! Reach out to him if you are interested.

Vladimir Katalov, @vkatalov, the CEO of Elcomsoft talking about upcoming research regarding iCloud key chain recovery from network traffic, Blackberry 10 backups, accessing cloud storage and which gpus work well for long term password cracking. You can go to elcomsoft's website here and these are my favorite tools they sell:

Elcomsoft Phone Password Breaker, great for cracking encrypted phone backups and accessing iCloud backups!

Elcomsoft iOS Toolkit,, great for low level working in iOS forensics.

Elcomsoft password cracking bundle,, a nice collection of there password cracking tools

1 2 3 Next »