LightNews LightNews
banner
beercow.bsky.social
@beercow.bsky.social
410 followers 190 following 58 posts
"Distrust and caution are the parents of security." - Benjamin Franklin https://malwaremaloney.blogspot.com
malwaremaloney.blogspot.com
Posts Media Videos Starter Packs
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · 6d
Adding a parser for Microsoft.FilesOnDemand.db to OneDriveExplorer. Yet another source to rebuild the user’s OnDrive. More to come. #DFIR
1
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · 6d
Did a little digging in Microsoft.FileUsageSync.db. Found some information to piece together OneDrive Quick Access. #DFIR
malwaremaloney.blogspot.com/2025/10/oned...
MALoney (It's in the name): OneDrive Quick Access
What is Quick access? Quick access makes it simple to find your frequently used storage locations, inclu...
malwaremaloney.blogspot.com
1
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · 13d
Did a little digging in Microsoft.FileUsageSync.db. Found some information to piece together OneDrive Quick Access. #DFIR
malwaremaloney.blogspot.com/2025/10/oned...
MALoney (It's in the name): OneDrive Quick Access
What is Quick access? Quick access makes it simple to find your frequently used storage locations, inclu...
malwaremaloney.blogspot.com
1 2
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · 18d
*but
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · 18d
Correct me if I’m wrong bit what you described is Xbox from day one.
1
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · 22d
In case you missed it. New release of OneDriveExplorer. It has a dedicated parser for MicrosoftListSync.db (offline mode). #DFIR

malwaremaloney.blogspot.com/2025/09/oned...
MALoney (It's in the name): OneDrive. Let's take this offline
At the beginning of this year, I started adding data from the offline databases into OneDrive Explorer. This data enhanced...
malwaremaloney.blogspot.com
1 2
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · 28d
That time of year again when everybody starts abbreviating cybersecurity awareness month as CSAM. 21 pages deep of google searches for that term and not a single mention of cybersecurity awareness month. Go figure.
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Aug 22
OneDrive Evolution has been updated to v25.162.0820.0001. That’s 692 versions OneDriveExplorer now handles. SafeDelete.db has been updated to schema v9. Enjoy!

malwaremaloney.blogspot.com/p/onedrive-e...

malwaremaloney.blogspot.com/p/safedelete...
MALoney (It's in the name): OneDrive Evolution
Below is a collapsible indented tree depicting the contents of a OneDrive Profile. Each rectangle represents a file or directory and is lab...
malwaremaloney.blogspot.com
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Aug 11
Appears OneDrive snuck a new sync client in. Works with personal accounts at the moment. It’s WebView2. You can find data in the following locations:
AppData\Local\Microsoft\OneDrive\OD4
AppData\Local\Microsoft\OneDrive\Logs\OD4
Where are my browser forensics experts at? #DFIR
1
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Aug 7
Updated OneDrive Evolution. You can now compare two versions of OneDrive and see what has changed. #DFIR

malwaremaloney.blogspot.com/p/onedrive-e...
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Jun 25
Something you may not know. OneDriveExplorer also works for the OneDrive sync client for macOS.

github.com/Beercow/OneD...
Release v2025.05.30 · Beercow/OneDriveExplorer · GitHub
Change Log Fixed ODL bug fix FileUsageSynce bug fix
github.com
1 2
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Jun 20
Today we learned Fishrocket (the one with the doughnut) has cancer. It’s an aggressive form of mast cell tumors. Treatment usually involves removing them but there are too many. They prescribe prednisone because they itch. Has diabetes so can’t give him prednisone. Poor guy.
Reposted
malmoeb.bsky.social
malmoeb.bsky.social @malmoeb.bsky.social · Jun 19
1/ I successfully tested a LSASS dumping technique on a Windows 10 lab machine, which we encountered on a recent Incident Response engagement (no EDR, default Defender installed).

The "MiniDumpWriteDump" technique, as described here [1], was successful in writing the LSASS process to disk.
1 1
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Jun 18
Another interesting forensic artifact in OneDrive. UXDatabase.db
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Jun 6
Updates on the OneDrive sync client.

malwaremaloney.blogspot.com/2025/06/week...
MALoney (It's in the name): Weekly Update 6/6/2025
OneDrive Evolution OneDrive Evolution has been updated to OneDrive version 25.106.0602.0001. Starting with version 25.102.0527.0001, there ...
malwaremaloney.blogspot.com
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Jun 5
New folder and databases in the OneDrive sync client. Not sure what feature they are tied to yet. More to come. #DFIR
1
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Jun 3
New laptop, new stickes. 😜
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · May 30
Found a few bugs that would cause crashes in OneDriveExplorer around ODL and FileUsageSync. Update available.

github.com/Beercow/OneD...
Release v2025.05.30 · Beercow/OneDriveExplorer · GitHub
Change Log Fixed ODL bug fix FileUsageSynce bug fix
github.com
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · May 23
Finally caught up. Updates to OneDrive Evolution and database schemas.

malwaremaloney.blogspot.com/2025/05/oned...
MALoney (It's in the name): OneDrive Evolution and Schema Updates
OneDrive Evolution Updates OneDrive Evolution has been updated to v25.093.0514.0001 OneDrive Evolution SyncEngine Schema Updates  Schemas 34...
malwaremaloney.blogspot.com
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · May 13
Been a little while. Was busy adding support for Microsoft.FileUsageSync.db to OneDriveExplorer. Update brings in data on files shared via email, Teams, SharePoint and more. Thank you Heather Barnhart for the bug report on search function issues. #DFIR

malwaremaloney.blogspot.com/2025/05/oned...
MALoney (It's in the name): OneDriveExplorer now supports Microsoft.FileUsageSync.db
Recently, I have been focused on adding support for Microsoft.FileUsageSync.db. See my previous post on Microsoft.FileUsag...
malwaremaloney.blogspot.com
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · May 11
15 strips would have at least been correct.
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Apr 15
Original post: infosec.exchange/@13reak/1143...
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Apr 13
Ah gotcha. I threw some on the stick table also. It was nice meeting you.
1 1
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Apr 13
Did you snag them from CypherCon?
1 1
beercow.bsky.social
beercow.bsky.social @beercow.bsky.social · Mar 11
Hmmmm. What are we up to here? 🤔