
Friday, August 2, 2013

Daily Blog #39: Web 2.0 Forensic Part 4

Hello Reader,
      I finally got Fiddler installed (it's Windows only and available at http://fiddler2.com/get-fiddler), and it is much improved over the last time I used it! It even has an AJAX and XML decoder built in now, which is a pretty huge improvement. In this post we are going to focus on what network data is actually transmitted between the web client and the web 2.0 application, so you can see the raw data that your browser will be parsing and storing in memory, the pagefile and the hiberfil. Note that if you want to do this type of testing at home you will need an SSL proxy like Fiddler in order to capture the traffic; a network sniffer will just see encrypted traffic.

This is what the request for an inbox view looks like in gmail:
POST https://mail.google.com/mail/u/0/?ui=2&ik=21fc62e736&rid=mail%3Ai.7728.0.1&view=cv&th=1403b5ce42ebf543&th=140395ee6229f7d4&th=1403631f3703e936&th=140344ed98e4eaa3&th=140303866b4ce541&prf=1&_reqid=167197&nsc=1&mb=0&rt=j&search=inbox HTTP/1.1
Host: mail.google.com
Connection: keep-alive
Content-Length: 0
X-Same-Domain: 1
Origin: https://mail.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
X-Chrome-Variations: CM21yQEIhLbJAQiptskBCIaEygEIt4XKAQ==
Referer: https://mail.google.com/_/mail-static/_/js/main/m_i,t,it/rt=h/ver=zDJLUK9Vw_8.en./sv=1/am=!Lt4ru3nDBdL0RMHSG0tdRQM1xOP0KmwcZtPFWYZIAZLMmkQ7GBAA95rDr4ZmlpWnYLsjYcfQ/d=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
 Cookie Removed

This is the header of the response:
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Set-Cookie: Cookie Removed 
Domain=mail.google.com; Expires=Thu, 15-Aug-2013 23:39:57 GMT; Path=/mail; Secure; HttpOnly
P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/bin/answer.py?answer=151657 for more info."
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 01 Aug 2013 23:39:57 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 46023
Server: GSE
This is the raw data that is transmitted, containing the inbox mail data that you can recover yourself and that tools like IEF automatically recover for you:
)]}'
[[["v","zDJLUK9Vw_8.en.","8","dd1cc0830f5f7b2d"]
,["di",710,,,,,[]
,[]
,,,[]
,[]
,[]
]
,["cs","1403b5ce42ebf543","1403b5ce42ebf543",1,,,1375387947676000,"1403b5ce42ebf543",["1403b5ce42ebf543"]
,[]
,[]
,[["1403b5ce42ebf543",["^all","^i","^smartlabel_group","^unsub"]
]
]
,,,[]
,[["","examplegooglegroup@googlegroups.com"]
]
,,,[]
,[]
,,,"Abridged summary of examplegooglegroup@googlegroups.com - 1 Message in 1 Topic","[DFIR] Abridged summary of examplegooglegroup@googlegroups.com - 1 Message in 1 Topic"]
,["ms","1403b5ce42ebf543","",4,"examplegooglegroup@googlegroups.com","","examplegooglegroup@googlegroups.com",1375385478000,"Today's Topic Summary Group: http://groups.google.com/group/examplegooglegroup...",["^all","^i","^smartlabel_group","^unsub"]
,0,1,"[DFIR] Abridged summary of examplegooglegroup@googlegroups.com - 1 Message in 1 Topic",["1403b5ce42ebf543",["Abridged Recipients \u003cexamplegooglegroup@googlegroups.com\u003e"]
,[]
,[]
,["examplegooglegroup@googlegroups.com"]
,"The complete message was located here ",[[]
,[0]
,"",[]
]
,0,[[]
,[["Abridged","examplegooglegroup@googlegroups.com"]
]
After this each message inbox entry and message preview will be listed in sequence and the response ends with:
]
,-1,,,,"google.com",,[]
,[]
,0,""]
,["ce"]
,["e",18,,,45978]
],'fce167f9fb9f05f']

Tomorrow let's talk about what's contained in these fields, what a good regular expression to recover the data would look like, and heck, maybe a foremost rule to automate the recovery for you. Or you can do what I do and get a copy of IEF rather than try to keep up with all the changes that are made to their data formats.

WA Supreme Court: Insurer can be held liable for agent's actions

In a case that's been closely watched by the insurance industry, Washington's State Supreme Court on Thursday affirmed that insurers are liable for the illegal actions of their agents.

"The ruling is a big win for consumers," said Insurance Commissioner Mike Kreidler, whose decision the case was challenging. "If you allow someone to do business on your behalf, it only stands to reason that you can be held responsible for what they do."

The case involved violations of the state's insurance laws in 2006 and 2007 by an insurance agency appointed by Chicago Title Insurance Company. That agency, Land Title Co. of Kitsap County, Inc., repeatedly offered illegal inducements to get business. The violations included illegally "wining and dining" real estate agents, builders and mortgage lenders with free meals, donations for a golf tournament, monthly advertising, and Seattle Seahawks playoff game tickets.

Although Land Title was Chicago Title's exclusive agent in the Washington counties at issue in the case, Chicago Title argued that it was not responsible for its agent's actions. In a consent order signed in 2009, the company agreed to pay a $48,334 fine if it did not prevail in court.

"Chicago Title's arguments were contrary to a century of insurance law," said Kreidler. "In order to effectively regulate insurers and protect consumers, it's important to hold insurers responsible for the actions of their agents."

Title insurance practices have long been a concern to Kreidler, whose office in 2005 scrutinized 18 months of employee expense reports and ledgers for the largest title companies in King, Pierce and Snohomish counties. The examination found many cases in which the companies were providing gifts, golf tournament sponsorships, parties, ski trips, sports tickets, meals and other inducements to get business.

"Few people shop for title insurance, although they certainly can," said Kreidler. "It tends to be included in the large stack of documents that homeowners are handed to sign. So title companies and others in the industry are positioned to steer business to particular insurers."


New rules took effect in March 2009, clearly outlining what can be given. There are limits on advertising, donations to trade associations, meals, training, leasing workspace and gifts.

Six fireplaces in this 1920's Virginia-Highland Craftsman


1017 Highland View is for sale right now. It began its life in high style and at 90+ years all that style is still there. Its loving owners didn't mess it up while updating the kitchen, bathrooms, and decor. The interior design is effortlessly outstanding. I think it would look just as good empty.

If you see an open house on certain streets, you must go.

I'll demonstrate with its six elaborate fireplaces in 4 designs.

 
This is the entry room with a classical mantel with chimney breast, built-in bench and stair with unashamed, expensive floral wallpaper. Who dares wallpaper these days?

The parlor on the right has a matching fireplace but without a chimney breast.

Matching fireplaces tie entry and parlor into a single visual space: modern right, craftsman left, florals left, horizontals right.

The dining room mixes antiques and modern with this Louis XV curvy fireplace on a chimney breast. This is un-whimpy decor, minimal on its own terms. A pro designer can go sparse in a room like this or pile it on.

That's the three downstairs, now for the three upstairs.

The master - I think - all three bedrooms are grand. Look at all that yummy woodwork. The dark fireplace makes a statement in here. The furniture harmonizes with the dark wood, tying things together.

Curves with shag and Eames: Bravo. Do try this at home with professional help.

Same fireplace design but on a breast, art pulls colors from the marble.

I wish you could turn around to see what's behind me because I'm not showing you everything.


If you visit an open house on certain streets, you'll probably find an architecture tourist.

Thursday, August 1, 2013

Daily Blog #38: Web 2.0 Forensics Part 3

Hello Reader,
        This post is a bit late in the day but that happens sometimes when you are onsite and can't sneak away for some blog writing. In the last two posts we've discussed where to find JSON/AJAX fragments and how Gmail stores message data within them. Today we will discuss how these artifacts are created and what you can and cannot recover from them.

What you can recover
Much like other web artifacts, we can only recover what was sent by the server and viewed by the custodian. This includes:

  • the content of emails read
  • the names and contents of attachments accessed
  • what was contained in each mailbox folder viewed (such as the inbox, sent, saved)
    • For some webmail clients (such as Gmail) you can also see a preview of the email messages contained in the mailbox even if the custodian did not read them, as the data is precached.
    • Whether the message had been read
    • If the message had an attachment
  • a list of all the mailbox folders the custodian had in use
  • contacts
  • for Gmail specifically, Google Talk participants
  • for Gmail specifically, a list of all the circles they are in.


What you can't recover
If the data was never sent from the server and viewed, it won't be in cached form anywhere except live memory. The list of things you can't recover includes:


  • The text of emails sent by the custodian, unless they viewed a preview of the message, checked their sent mail or read a reply to the message.
  • The content of attachments sent via email, though you can match up the file by name to files on their system, as the attachment upload success response is sent from the server to the browser.
  • The full contents of mail folders, if not all the pages containing messages were viewed.
  • The contents of all webmail read: over time the data will be overwritten in the pagefile, the shadow copies will expire, and the hiberfil will be overwritten on the next hibernation.

The examples I'm showing here are for webmail; there are other AJAX/JSON services out there (Facebook, Twitter, etc.) that are popular. I'm focusing on webmail because in my line of work it's a popular method for exfiltrating data and discussing plans that people don't want saved in company email. I will see about expanding the series to other types of web 2.0 applications, likely after my HTML5 offline caching research with Blazer Catzen is complete.

Tomorrow we continue the web 2.0 forensic series, hopefully with an earlier posting time.

Life Post-Uni - How I got my job!

I was recently asked on Twitter if I could do a post about my life after uni and how I got my job etc and so I thought, why not!

I know how difficult it can be after university, having spent pretty much your whole life studying and then not knowing what to do and even if you want to carry on in the career you studied for at university, so this post is going to be a little about what I did and my tips for getting a job you want!

My Story
University:

My plaque in Tate Modern

At my graduation!

I graduated from university in 2011 with a Photography degree.  Uni holds some of the best memories of my life and I had an incredible time, studying something that I had real passion for and loved doing.  Doing an arty subject such as photography might be seen by some as a lazy subject but it was tough, as any subjects are!  As well as dissertations, classes and essay work we studied a lot of conceptual photography & art, had to develop concepts and ideas for projects, hold exhibitions for our work (3 a year) as well as give presentations about our work. 

Half way through my degree I started my blog.  I've always had a big passion in makeup (I worked as a colour coach (makeup artist) at The Body Shop for 5 years whilst studying) and I wanted to start writing about my favourite products and sharing my thoughts on the matter.  I'm not an incredibly social person so it wasn't a problem juggling social and work/blogging life, I just got on with it and enjoyed it.  I also landed a job as a photography intern at Tate Modern.  I was one of their official photographers for their events and workshops for 2 years and even got to exhibit one of my photographs in the Tate. 

Again - this meant that I didn't have time to party but I was allowed to photograph in the Tate after hours - I didn't care! 

(If you google image search my name then a couple of my photography shots come up - even one of a nude male model at a lifedrawing class I photographed for the Tate)!

After University:
A few examples of my wedding photography!

After university I moved back home with my parents in Essex (a tough thing for any wild creature to do after 3 years of freedom) and started the dreaded job hunt.  I still wanted to work in photography and landed a freelance photography job for a very popular classical music company, documenting their projects over a period of around 5 months. 

I also started photographing weddings for a little bit of income and I LOVED it.  I have photographed three in total (I don't really have time anymore).  It's hard work - shooting for 8 hours solidly (only breaking when the guests are eating) but it filled me with complete joy being a part of someone's special day.  (I'm going to pop some of my wedding photographs up on fromkatiewithlovee.blogspot.com so stay tuned for that)!

I also started applying for internships and small jobs, mainly art based.  I landed a job as a freelance Styling, Hair and Makeup researcher for a fantastic online brand where I spent my days researching my favourite photographers and makeup artists for an online database.  Around 6 more freelancers were hired at the same time and we worked together, however I was called back a few weeks later to do more (by myself) as they loved how hardworking I was. (Not boasting at all, but if you are passionate and hardworking enough then it does pay off).

Around the same time, I also saw an online application for a blogger to have a meeting with a new start up beauty company.  I went along to the meeting and put in my honest thoughts and opinions about what a beauty website should be like (from a bloggers perspective) and they too called me back to do a weeks more work with them.  (This site has now launched and is called BaoBella.com - a lot of the website is based on my ideas and input so check it out!)

How I got my full-time job:
My first full-time job

After months of doing freelance jobs like those above, I saw a friend (gh0stparties, you babe) tweet about an internship she knew that was going.  I tweeted her, got the details and applied.  I went in for the interview and got the internship with Gleam.  I interned for 5 months and was then made into a full time employee with a brand spanking new job title in January.  I have been working at Gleam ever since and ADORE IT.  The opportunities it has given me are fantastic and I learn more and more every day (I'm even getting the hang of how to work out percentages, despite being horrendous at maths).  I also get to spend my days with great people and help to manage YouTubers who I have been fans of for a long time, so I count myself very lucky!

Motivational Speech:
I know how difficult it can be to job hunt and how at times it's depressing, and your self-confidence then drops too because of it, but my best advice is to keep busy.  Take every little opportunity that is thrown at you and do it; say yes!  There have been lots of other things I haven't mentioned in this post - like the fact that I also taught drama to children ages 8-12 for a year (the year that I was jobless after uni) and also act for the same theatre company whenever a job comes up (I love acting and went to a stage school growing up).  These extra little bits and bobs on my CV have shown that I am reliable, enthusiastic, committed and passionate about the creative industry.

I'm sorry about how long this post is - but I hope it has been interesting and helped (inspired?) a few of you out there?  Do let me know if you have any questions and I will try and answer them to the best of my ability!

xxxx

Wednesday, July 31, 2013

Agent charged with theft and forgery; collected commissions for fictitious customers

A former Vancouver insurance agent has been charged with theft and forgery for allegedly collecting about $15,000 in commissions by creating fictitious applicants for insurance policies.
Julie Anne Goss, 43, an independent agent for AFLAC, was arraigned last week in Clark County Superior Court.
The scam came to light after the owner of a restaurant in Battle Ground, Wash. told AFLAC that she'd received premium bills for two "employees" that had never worked there. 
AFLAC investigated, and it turned out that Goss wrote dozens of policies for 15 people that either weren�t employees at the named businesses or apparently didn�t exist. In other cases, she wrote policies for real employees, but they said they hadn't applied for the coverage.
In each case, Goss stood to get a commission for the policy. All told, the investigator found, between August 2010 and January 2011, Goss wrote 91 fraudulent insurance policies and collected more than $15,000 in commissions for them.
The company canceled its contract with Goss in March 2011 and reported the matter to our Special Investigations Unit. After investigating further, we revoked Goss' insurance license in January 2012. The charges against her were filed in late June.
If you suspect insurance fraud and you live in Washington state, please report it.

Tuesday, July 30, 2013

Daily Blog #37: Web 2.0 Forensics Part 2

Hello Reader,
             Sunday Funday is always fun for me for two reasons. One, it gets me two blog posts out of one, so I get more time to get work done; and two, I like getting a general feeling of what level of understanding exists on certain artifacts. So while you get a prize, that I strive to make worth your effort, I get to see what I can continue to help you learn by writing additional blog posts to fill those gaps. With that said, we are continuing the web 2.0 series today that I realized was needed from the IEF Sunday Funday challenge two weeks ago.

JSON Data Structures

JSON data structures are fairly easy to find; they are name/value pairs exchanged between the web server and the web client, for instance the Gmail server and the Chrome browser. In this example the Chrome browser would then parse the data to generate the view that you see.

Here is what a message summary from your Gmail inbox looks like:

Index data for Gmail
["140303866b4ce541","140303866b4ce541","140303866b4ce541",1,0,["^all","^i","^o","^smartlabel_notification"]
,[]

Email from/subject/message preview and date
,"\u003cspan class\u003d\"yP\" email\u003d\"mail-noreply@google.com\" name\u003d\"Gmail Team\"\u003eGmail Team\u003c/span\u003e","\u0026raquo;\u0026nbsp;","Welcome to the new Gmail inbox","Hi David Meet the new inbox Inbox tabs put you back in control with simple organization so that you",0,"","","10:35 am","Tue, Jul 30, 2013 at 10:35 AM",1375198584460000,,[]
,,0,[]
,,[]
,,"3",[0]
,,"mail-noreply@google.com",,,,0,0]

Here is what a fully loaded message and its email header look like:

Gmail Team <mail-noreply@google.com>
10:35 AM (36 minutes ago)
to me

This is followed by the body of the message. In addition, on each page you have a listing of all the labels, email counts, circles and more data that is preloaded into each page, providing you with a large amount of data on your custodian's activities but also producing a large number of duplicates.

Tomorrow we will go into the important fields and their meanings, and I'll provide a regex for carving them out. Recovering webmail used to be simple: just find a JavaScript library known to the service and carve out the HTML before and after it. Now, with JSON/AJAX services like Gmail, we get fragments of emails and possibly entire messages, but we either have to manually carve them or use a tool like IEF to do it for us.

I start with IEF and let it find the fully formed messages, then go back myself to find partials, knowing the user's email address.

See you tomorrow! Leave comments or questions below if you're seeing data differently. I'm going to install Fiddler on my system tonight to show how the data looks as it's being transmitted.
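The Gmail fragments shown in this post and in Daily Blog #39 (above) are not strict JSON: values are elided between commas, a `)]}'` prefix guards the response and the trailer is single-quoted. The parser below, added here as an example and not the blog's or Google's code, normalises that syntax and pulls the message fields out of both captures; the field positions it reads (sender at index 4 of an "ms" record, the microsecond timestamp at index 16 of an index row, and so on) are inferred from the samples and are assumptions.

```python
"""Decode Gmail AJAX fragments like those captured in Daily Blog #37 and #39.
Added example: not the blog author's code and not a documented Google format;
field positions are inferred from the blog's samples (assumption)."""
import json
import re
from datetime import datetime, timedelta, timezone

XSSI_PREFIX = ")]}'"  # anti-XSSI guard Gmail prepends to its JSON responses
SENDER_RE = re.compile(r'email="([^"]+)" name="([^"]*)"')

def normalise_elided(text):
    """Turn Gmail's loose array syntax into strict JSON: absent values between
    commas (",,," = two nulls) become explicit nulls and single-quoted tokens
    become double-quoted. Commas inside strings are left alone."""
    out, in_str, quote, esc, prev = [], False, "", False, ""
    for ch in text:
        if in_str:
            closing = ch == quote and not esc
            out.append('"' if closing else ch)
            in_str = not closing
            esc = ch == "\\" and not esc
        elif ch in ('"', "'"):
            in_str, quote = True, ch
            out.append('"')
        elif ch == "," and prev in (",", "["):
            out.append("null,")  # value omitted before this comma
        elif ch == "]" and prev == ",":
            out.append("null]")  # value omitted before the closing bracket
        else:
            out.append(ch)
        if not ch.isspace():
            prev = ch
    return "".join(out)

def parse_fragment(raw):
    """Strip the )]}' prefix if present and decode the fragment to Python lists."""
    body = raw.strip()
    if body.startswith(XSSI_PREFIX):
        body = body[len(XSSI_PREFIX):]
    return json.loads(normalise_elided(body))

def gmail_time(value):
    """Epoch times appear in ms (13 digits) or us (16 digits); return aware UTC."""
    if value >= 10**15:
        value //= 1000
    secs, ms = divmod(value, 1000)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=ms)

def walk(node):
    """Yield every nested list, depth first."""
    if isinstance(node, list):
        yield node
        for child in node:
            yield from walk(child)

def extract_messages(tree):
    """Collect "ms" message records from a view=cv response (Daily Blog #39).
    Assumed positions: 1 thread id, 4 sender, 7 time, 8 preview, 9 labels, 12 subject."""
    return [{"thread_id": n[1], "sender": n[4], "when": gmail_time(n[7]).isoformat(),
             "preview": n[8], "labels": n[9], "subject": n[12]}
            for n in walk(tree) if n and n[0] == "ms" and len(n) > 12]

def parse_index_row(row):
    """Decode one inbox index row (Daily Blog #37): the sender is an HTML span
    with email= and name= attributes, position 16 a microsecond timestamp."""
    m = SENDER_RE.search(row[7])
    return {"thread_id": row[0], "labels": row[5],
            "sender_email": m.group(1) if m else None,
            "sender_name": m.group(2) if m else None,
            "subject": row[9], "preview": row[10],
            "when": gmail_time(row[16]).isoformat()}

# Constructed samples, trimmed from the blog's captures (the thread ids and
# example addresses are the blog's own placeholders).
CV_SAMPLE = r""")]}'
[[["v","zDJLUK9Vw_8.en.","8","dd1cc0830f5f7b2d"]
,["di",710,,,,,[]
]
,["ms","1403b5ce42ebf543","",4,"examplegooglegroup@googlegroups.com","","examplegooglegroup@googlegroups.com",1375385478000,"Today's Topic Summary Group: http://groups.google.com/group/examplegooglegroup...",["^all","^i","^smartlabel_group","^unsub"]
,0,1,"[DFIR] Abridged summary of examplegooglegroup@googlegroups.com - 1 Message in 1 Topic",["1403b5ce42ebf543",["Abridged Recipients \u003cexamplegooglegroup@googlegroups.com\u003e"]
]
]
,["e",18,,,45978]
],'fce167f9fb9f05f']"""

INDEX_SAMPLE = r"""["140303866b4ce541","140303866b4ce541","140303866b4ce541",1,0,["^all","^i","^o","^smartlabel_notification"]
,[]
,"\u003cspan class\u003d\"yP\" email\u003d\"mail-noreply@google.com\" name\u003d\"Gmail Team\"\u003eGmail Team\u003c/span\u003e","\u0026raquo;\u0026nbsp;","Welcome to the new Gmail inbox","Hi David Meet the new inbox",0,"","","10:35 am","Tue, Jul 30, 2013 at 10:35 AM",1375198584460000,,[]
,,0,[]
,,[]
,,"3",[0]
,,"mail-noreply@google.com",,,,0,0]"""

if __name__ == "__main__":
    for msg in extract_messages(parse_fragment(CV_SAMPLE)):
        print(msg)
    print(parse_index_row(parse_fragment(INDEX_SAMPLE)))
```

The timestamps come out in UTC, so compare them against the display strings ("10:35 am") only after applying the custodian's time zone.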

Smokey Eyes (First Date) - Tutorial!

I was feeling super inspired a couple of weekends ago and decided to film myself getting ready (for a date, ooo-err) and made it into a tutorial for you guys!  Admittedly, this is nothing special makeup wise - I wear this look daily to work and find it really quick and easy to do; it just consists of a bit of eyeliner, flawless base and smokey under-eye shadow.

Watch the video below to see how I created this look!
 

Tutorial!

Products Used:
Kiehls Ultra Light Daily Defense SPF 50
Urban Decay Primer Potion
Benefit Stay Flawless Primer
Sleek Ink Pot Gel Eyeliner in Dominatrix
HD Brows Kit (matte black shadow to help pro-long the gel liner)
Cover FX Total Cover Cream Foundation with the Real Techniques Buffing Brush
Avon Supershock Gel Eyeliner in Black
Urban Decay Brow Box
HD Brow Kit (Taupe shadow under the eye)
MAC Studio Finish Concealer in NC15 with the Real Techniques Deluxe Crease Brush
Rimmel Stay Matte Powder
Japonesque Eyelash Curlers
YSL Babydoll Mascara
MAC Blush in Strada
Zoeva Contour Brush
MAC Sushi Kiss Lipstick

I really hope you guys enjoy this!  I'm quite embarrassed about going totally eye makeup free (don't think I've EVER done that before on this blog) but I think it adds to the before & after look!  If you are short of time but want to try this look, swap the gel liner for a liquid liner in a pen form, it's a lot quicker!

Do let me know if you would like to see any more tutorials from me in the future!

xxxxx

Monday, July 29, 2013

Daily Blog #36: Sunday Funday 7/28/13 Winner!

Hello Reader,
                This Sunday Funday I thought was easier than the last, and we had several submissions, both posted on the blog and submitted anonymously, but only one was done before the deadline of midnight PST. So congratulations go out to Jonathan Turner who, while not having the most complete answer of all the ones submitted (that goes to Harlan Carvey this week), was the only one who submitted his answer before the cutoff!

I got a lot of answers after the deadline. Do you need me to change the rules to give you more time to play? I thought 24 hours (I try to post at Saturday midnight CST) was enough time, but if you need more time to play I can change the rules to let more people participate. I'm hoping that as these contests continue we will keep getting great prizes to give away that will tip you over the 'should I try this one' cliff.

Here was the challenge:
The Challenge: I'm going to step down the difficulty from last week; I may have been asking for a bit much on a Sunday. So this week's question is going back to basics:
For a Windows 7 system:
Your client has provided you with a forensic image of a laptop computer that was used by an ex-employee at their new employer; it was obtained legally through discovery in litigation against them. You previously identified that the employee took data when they left. Where on the system would you look for the following:
1. The same external drive was plugged into both systems
2. What documents were copied onto the system
3. What documents were accessed on the system

Here is Jonathan's answer:
1) The manufacturer, model, and serial number of USB keys plugged into a system are stored in the registry at HKLM\SYSTEM\Control\(CurrentControlSet|ControlSet001|ControlSet002)\Enum\USBSTOR. Comparing these keys on the two systems should show any common devices.
2) The created timestamp on the above registry key can be used to filter a timeline of file creation times to determine what files were added to the system around the time it was plugged in. These files could contain metadata about where they were originally created as well as other interesting information that can be manually collected.
3) Documents accessed on the system should show up in jump lists and (potentially) shellbag information stored in the users' ntuser.dat hive.

Here is Harlan's answer:
Sorry this is late, but I was at a couple of events yesterday starting at around 2pm...I'm not sending it in so much as a submission, but more to just provide my response...

*1. The same external drive was plugged into both systems

This type of analysis starts with the Enum\USBStor keys.  I would locate the subkey that contained the device identifier for the external drive in question, and see if there is a serial number listed.  If not, that's okay...we have other correlating information available.  If there is a serial number pulled from the device firmware, then we're in luck.  

Beneath the device serial number key, I can get information about when the device was first plugged in, from the LastWrite time to the LogConf key, as well as the Data value (FILETIME time stamp) from the \Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 subkey.  I would correlate this time with the value in the setupapi.dev.log file, as well as with the first time for that device that I found in the Windows Event Log (for device connection events).    I could then get subsequent connection times via the Windows Event Log, as well as the final connection time from the NTUSER.DAT hive for the user, via the MountPoints2 key (for the device, given the volume GUID from the MountedDevices key) LastWrite time value.  

To be thorough, I would also check beneath the \Enum\WpdBusEnumRoot\UMB key for any volume subkeys whose names contained information (device ID, SN) about the device in question.

Getting the disk signature for the specific external drive can be difficult on Win7, using just the System hive file, as there is very little information to correlate the Enum\USBStor information to the information in the contents of the MountedDevices key.  However, further analysis will be of use, so keep reading.  ;-)

The "\Microsoft\Windows NT\CurrentVersion\EMDMgmt" key in the Software hive contains a good deal of information regarding both USB thumb drives and external drives; the subkeys will be identifiers for devices, and for external drives, you'd be interested in those that do NOT start with "_??USBSTOR".  The subkey names will have an identifier, as well as several underscores ("_"); if the name is split on underscores, the first to the last item, if there is one, will be the volume name, and the last item will be the volume serial number, listed in decimal format.  This final value changes if the device is reformatted, but it wouldn't make any sense to copy files to the device, reformat, and then connect it to the target device, so we can assume that this information won't change between the two systems.

I could then use this information to correlate to LNK files in the Windows\Recent and Office\Recent folder within the user profile, as well as LNK streams within the user's *.automaticDestinations-ms Jump Lists.

At this point, I will have a drive letter that the external drive was mapped to, so I can then return to the MountedDevices key in the system hive, and by accessing available VSCs, locate one in which the drive letter was available for the ext. drive.  This will provide me with the disk signature of the device itself, as well as the volume GUID.

At this point, I have device identifier, the device serial number, the volume serial number, potentially the disk signature, and the time(s) of when the external drive had been connected to the laptop.  I can then use this information to correlate to the other system.

*2. What documents were copied onto the system

I would create a timeline of system activity, correlating file creation dates on the system with times when the device was connected to the system, based on the time-based information provided in the response to #1 above. 

*3. What documents were accessed on the system

The shellbags artifacts likely won't serve you much use this time, as on Win7, they tend to not contain the same sort (and volume) of information as they do on WinXP.  However, I would start by looking at the shortcut/LNK files in the user's profile (Windows\Recent and Office\Recent), as well as Jump Lists.  This information also helps us identify the application used to access the documents (Office, Adobe, etc).  I would also, for clarity's sake, verify this information via Registry MRUs, even though some of them (ie, RecentDocs) will not contain full path information.  However, now that we have information about the applications used (from the Jump Lists, after performing any required AppID lookups), I would be sure to examine any available application-specific MRUs.
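The EMDMgmt name splitting and FILETIME decoding from Harlan's answer, and the device correlation both answers start from, worked through as an added Python example; this is not Harlan's, Jonathan's or the blog's code. It assumes that on Win7 the volume label follows the `}` of the device interface GUID in the subkey name, and the key names and FILETIME values it uses are constructed samples.

```python
"""Correlate EMDMgmt subkey names with the volume serial recorded in LNK files
and decode the FILETIME from the USBSTOR device Properties key (Windows 7).
Added example following Harlan's answer above; it is not his code, and the key
names and FILETIME values below are constructed samples, not from a real hive."""
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME origin

def filetime_to_utc(filetime):
    """FILETIME counts 100 ns ticks since 1601-01-01; return an aware UTC datetime."""
    return WIN_EPOCH + timedelta(microseconds=filetime // 10)

def parse_emdmgmt_name(name):
    """Split an EMDMgmt subkey name as the answer describes: the last '_'-separated
    item is the volume serial in decimal and the volume label sits just before it.
    Assumption: on Win7 the label follows the '}' of the device interface GUID,
    so that is used when present; otherwise the previous '_' item is taken."""
    head, sep, serial = name.rpartition("_")
    if not sep or not serial.isdigit():
        return None
    label = head.rpartition("}")[2] if "}" in head else head.rpartition("_")[2]
    vsn = int(serial)
    return {
        "usbstor": "USBSTOR" in name.upper(),  # thumb drive entries vs. other disks
        "label": label,
        "serial_dec": vsn,
        "serial_hex": f"{vsn >> 16:04X}-{vsn & 0xFFFF:04X}",  # form LNK tools display
    }

def match_lnk_serial(subkey_names, lnk_serial_hex):
    """Return the parsed EMDMgmt entries whose serial equals an LNK volume serial."""
    wanted = lnk_serial_hex.upper()
    hits = []
    for name in subkey_names:
        parsed = parse_emdmgmt_name(name)
        if parsed and parsed["serial_hex"] == wanted:
            hits.append(parsed)
    return hits

# Constructed subkey names (not from a real system).
SAMPLE_KEYS = [
    "_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#001CC0EC34F1&0#"
    "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}KINGSTON_1234567890",
    "SCSI#Disk&Ven_WD&Prod_My_Passport#4&1a2b3c4d&0&000000#"
    "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}BACKUP_987654321",
]

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(parse_emdmgmt_name(key))
    print(match_lnk_serial(SAMPLE_KEYS, "3ade-68b1"))
    print(filetime_to_utc(130200000000000000))  # constructed Properties Data value
```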

Harlan gave a great answer but didn't get in on time, so the winner of a Specialist Track ticket to PFIC is Jonathan Turner. There is still more to be said on this topic though. I use specific operating systems for a reason as artifacts change between them and there are still artifacts and scenarios not clearly being shown even in both of these answers. When I'm done with the web 2.0 series I'll go into depth on it.

In the meantime, do you want to go to PFIC? I still have more tickets to give away next week. If two answers make it in on time that are both great (or I change the rules based on your feedback to extend the time), I can give away more than one! Tomorrow we resume the web 2.0 series and I hope you follow along, as it continues to give me the motivation to keep these up daily! Only 316 more blogs before the year is up!

Poker Training Software free download latest version

Poker training software is the best software I have ever used. It is the teacher for those who want to learn how to play Texas Holdem Poker. This poker training software will make you a real champion of the Poker game and then you can beat your friends easily.
The best thing about this software is that it is very easy to use and even a child can use it. This software is the reason that you see many small kids these days getting expert in poker. So you also try this software and become a champion of Holdem Poker!
 
 

In Case the Falcons Tear Down Friendship Baptist

It's been in the news so I went to see Atlanta's Friendship Baptist Church. If the powers choose the "south" site for the new Falcons Station, Friendship is a goner. But maybe they'll choose the "north" site. I took pictures of the cornerstones, just in case.

 
It's beautiful. The institution itself has been REAL important for a long time though the buildings aren't particularly old.

The 2002 "Listed in National Register of Historic Places" plaque doesn't necessarily mean it's safe.

It's not in perfect condition, but it is in immaculate condition.

The gulch swallows it up. It's in such an open area, it doesn't have much visual impact until you get close.


The church is picturesque but the setting isn't. Friendship is a buffer between the Georgia Dome, the railroad gulch, Castleberry Hill, and the Atlanta University Center.

Go see.

The 2002 bronze plaque (2nd picture in this post) says 1866; this stone says 1862.

This is the 1968 cornerstone. This one says "1862" too.

The pastor's cornerstone says 1862.

This deserves more study but I was having a look around. Northside at Martin Luther King is an "amen corner" with four churches.

Mount Vernon Baptist Church would be a goner if they pick the south site but they aren't talking with the press so we don't hear much about it.

Central United Methodist Church is on the west side of Northside Drive. I presume it's not at risk from the stadium.

The West Mitchell CME Church is also safe. Pardon me for taking a picture of the back side. You can't always tell with moderns.

Go see.

Friday, July 26, 2013

Introducing Balthazar!

I don't know about you, but whenever I see a blogger posting about their pet (whether it be a kitten, bunny rabbit, dog or even hedgehog) I am immediately filled with delight and happiness and sigh a big fat "awwhhh" out loud.  Now, my mum and sister are allergic to cats and dogs (I would love nothing more than a little kitten running around at home) so for my whole life we have always had little hamsters!  I've never done a post on hamsters before but thought I'd introduce you to the current cutest member of the Snooks family!

Having a staring contest (excuse the bare, no makeup face!)

Ladies and gents, I introduce you to Balthazar, the light of my life!  Balth is coming up to two years old now so is turning into a little old girl, but she is still as energetic and loving as ever.  Whenever I'm feeling down I just look to Balthazar and she instantly makes me happy.  I'm the trainer of Snooks family hamsters and am always given the job of holding the hamsters first and teaching them not to bite, but Balth has been the only hamster we've ever had that has never bitten, ever!  She loves cuddles and I like to feed her food whilst holding her (bonding sessions).

She had to have a little operation a few months ago as she had a little lump that kept growing on her ear, so a vet removed it and she has been happy (but silly looking) ever since and was so brave, running all over the place once she came round from the anaesthetic. 

Our last little hamster was called Bishmael, who was equally as loved and adorable. You can watch a video of Bish and me here:

The last Snooks hamster - Bishmael!

There we have it!  I hope you enjoyed (and squealed "awwh") at this post.  I'd love to know if you have any little pets, tweet me a photograph! @katesnooks

Do you have a little hamster? What's your favourite pet to have?

xxxx