
@beercow

"Distrust and caution are the parents of security." - Benjamin Franklin https://malwaremaloney.blogspot.com

412 Followers · 186 Following · 68 Posts · Joined 06.11.2024

Latest posts by @beercow

Releases · Beercow/XstReader XstReader is an open source viewer for Microsoft Outlook’s .ost and .pst files (also those protected by unknown password). You can view and inspect all content and export messages and attachments (...

Made an update to XstReader. It was unusable with larger ost files. It now loads large ost files in seconds making it usable again. Have a pull request in but not counting on it being accepted due to inactivity. Let me know what you think. #DFIR

github.com/Beercow/XstR...

06.03.2026 03:02 👍 0 🔁 0 💬 0 📌 0

When you get a group text and fix the name and picture for them.

22.12.2025 14:23 👍 1 🔁 0 💬 0 📌 0
MALoney (It's in the name): OneDrive Updates OneDrive Evolution OneDrive Evolution has been updated to OneDrive Version 25.228.1120.0001 OneDrive Evo...

A couple OneDrive updates this week. malwaremaloney.blogspot.com/2025/12/oned...

07.12.2025 04:02 👍 0 🔁 0 💬 0 📌 0

Fixed a bug in DeXRAY for Windows Defender files. 🙂

www.hexacorn.com/blog/2025/12...

07.12.2025 04:02 👍 0 🔁 0 💬 0 📌 0

Fixed a bug in DeXRAY for Windows Defender files. 🙂

www.hexacorn.com/blog/2025/12...

03.12.2025 21:47 👍 0 🔁 0 💬 0 📌 0
13Cubed XPlat Bundle and T-Shirt giveaway.


📢 I partnered with @13cubed.bsky.social for another giveaway! 🎁

🏆 1 winner will receive a 13Cubed Investigator T-Shirt + the XPlat Bundle Complete

👕 5 winners will receive 13Cubed Investigator T-Shirts

To Enter: Like, Comment, and Repost

#DFIR #DigitalForensics #IncidentResponse

01.12.2025 20:06 👍 10 🔁 9 💬 9 📌 1

Woot!

01.12.2025 23:24 👍 0 🔁 0 💬 0 📌 0
MALoney (It's in the name): Let's Talk About Consent User Account Control (UAC) is one of Windows’ core security features, designed to prevent applications from silently gaini...

Not that kind of consent. The UAC kind of consent. Take a dive into how UAC works and some of the things it doesn’t tell you. Also a new utility to solve some of these issues.
malwaremaloney.blogspot.com/2025/11/lets...

20.11.2025 20:12 👍 0 🔁 0 💬 0 📌 0

When launching a program as admin, consent.exe runs with a parent process of svchost. If successful, consent.exe exits and the new process is launched with explorer as its parent. If not, we can’t always tell what was trying to be run. Until now. github.com/Beercow/Cons...

20.11.2025 04:20 👍 2 🔁 1 💬 0 📌 0

Into the unknown and down rabbit holes we go.

19.11.2025 03:35 👍 0 🔁 0 💬 0 📌 0
OneDrive updates What's new in OneDriveExplorer OneDriveExplorer v2025.11.07 now includes a dedicated parser for Microsoft.FilesOnDemand....

Weekly update. New features in OneDriveExplorer, OneDrive Evolution and schema updates. #DFIR
malwaremaloney.blogspot.com/2025/11/oned...

07.11.2025 14:54 👍 1 🔁 2 💬 0 📌 0

Adding a parser for Microsoft.FilesOnDemand.db to OneDriveExplorer. Yet another source to rebuild the user’s OneDrive. More to come. #DFIR

16.10.2025 03:43 👍 1 🔁 0 💬 0 📌 0
MALoney (It's in the name): OneDrive Quick Access What is Quick access? Quick access makes it simple to find your frequently used storage locations, inclu...

Did a little digging in Microsoft.FileUsageSync.db. Found some information to piece together OneDrive Quick Access. #DFIR
malwaremaloney.blogspot.com/2025/10/oned...

16.10.2025 03:42 👍 0 🔁 1 💬 0 📌 0
MALoney (It's in the name): OneDrive Quick Access What is Quick access? Quick access makes it simple to find your frequently used storage locations, inclu...

Did a little digging in Microsoft.FileUsageSync.db. Found some information to piece together OneDrive Quick Access. #DFIR
malwaremaloney.blogspot.com/2025/10/oned...

08.10.2025 21:37 👍 2 🔁 1 💬 0 📌 0

*but

04.10.2025 02:27 👍 0 🔁 0 💬 0 📌 0

Correct me if I’m wrong bit what you described is Xbox from day one.

04.10.2025 02:27 👍 0 🔁 0 💬 1 📌 0
MALoney (It's in the name): OneDrive. Let's take this offline At the beginning of this year, I started adding data from the offline databases into OneDrive Explorer. This data enhanced...

In case you missed it. New release of OneDriveExplorer. It has a dedicated parser for MicrosoftListSync.db (offline mode). #DFIR

malwaremaloney.blogspot.com/2025/09/oned...

30.09.2025 02:27 👍 2 🔁 1 💬 0 📌 0

That time of year again when everybody starts abbreviating cybersecurity awareness month as CSAM. 21 pages deep of google searches for that term and not a single mention of cybersecurity awareness month. Go figure.

23.09.2025 21:48 👍 0 🔁 0 💬 0 📌 0
MALoney (It's in the name): OneDrive Evolution Below is a collapsible indented tree depicting the contents of a OneDrive Profile. Each rectangle represents a file or directory and is lab...

OneDrive Evolution has been updated to v25.162.0820.0001. That’s 692 versions OneDriveExplorer now handles. SafeDelete.db has been updated to schema v9. Enjoy!

malwaremaloney.blogspot.com/p/onedrive-e...

malwaremaloney.blogspot.com/p/safedelete...

22.08.2025 22:16 👍 0 🔁 0 💬 0 📌 0

Appears OneDrive snuck a new sync client in. Works with personal accounts at the moment. It’s WebView2. You can find data in the following locations:
AppData\Local\Microsoft\OneDrive\OD4
AppData\Local\Microsoft\OneDrive\Logs\OD4
Where are my browser forensics experts at? #DFIR

11.08.2025 18:29 👍 0 🔁 1 💬 0 📌 0

Updated OneDrive Evolution. You can now compare two versions of OneDrive and see what has changed. #DFIR

malwaremaloney.blogspot.com/p/onedrive-e...

07.08.2025 03:02 👍 0 🔁 0 💬 0 📌 0
Release v2025.05.30 · Beercow/OneDriveExplorer · GitHub Change Log Fixed ODL bug fix FileUsageSynce bug fix

Something you may not know. OneDriveExplorer also works for the OneDrive sync client for macOS.

github.com/Beercow/OneD...

25.06.2025 00:04 👍 2 🔁 1 💬 0 📌 0

Today we learned Fishrocket (the one with the doughnut) has cancer. It’s an aggressive form of mast cell tumors. Treatment usually involves removing them but there are too many. They prescribe prednisone because they itch. Has diabetes so can’t give him prednisone. Poor guy.

20.06.2025 00:19 👍 0 🔁 0 💬 0 📌 0

1/ I successfully tested a LSASS dumping technique on a Windows 10 lab machine, which we encountered on a recent Incident Response engagement (no EDR, default Defender installed).

The "MiniDumpWriteDump" technique, as described here [1], was successful in writing the LSASS process to disk.

19.06.2025 08:33 👍 0 🔁 1 💬 1 📌 0

Another interesting forensic artifact in OneDrive. UXDatabase.db

18.06.2025 19:30 👍 0 🔁 0 💬 0 📌 0
MALoney (It's in the name): Weekly Update 6/6/2025 OneDrive Evolution OneDrive Evolution has been updated to OneDrive version 25.106.0602.0001. Starting with version 25.102.0527.0001, there ...

Updates on the OneDrive sync client.

malwaremaloney.blogspot.com/2025/06/week...

06.06.2025 20:24 👍 0 🔁 0 💬 0 📌 0

New folder and databases in the OneDrive sync client. Not sure what feature they are tied to yet. More to come. #DFIR

05.06.2025 02:02 👍 1 🔁 0 💬 0 📌 0

New laptop, new stickers. 😜

03.06.2025 02:14 👍 0 🔁 0 💬 0 📌 0