LightNews LightNews
banner
beercow.bsky.social
@beercow.bsky.social
410 followers 190 following 59 posts
"Distrust and caution are the parents of security." - Benjamin Franklin

https://malwaremaloney.blogspot.com
Posts Replies Media Videos
Reposted
beercow.bsky.social
Weekly update. New features in OneDriveExplorer, Onedrive Evolution and schema updates. #DFIR
malwaremaloney.blogspot.com/2025/11/oned...
OneDrive updates
What's new in OneDriveExplorer OnedDriveExplorer v2025.11.07 now includes a dedicated parser for Microsoft.FilesOnDemand....
malwaremaloney.blogspot.com
November 7, 2025 at 2:54 PM
beercow.bsky.social
Weekly update. New features in OneDriveExplorer, Onedrive Evolution and schema updates. #DFIR
malwaremaloney.blogspot.com/2025/11/oned...
OneDrive updates
What's new in OneDriveExplorer OnedDriveExplorer v2025.11.07 now includes a dedicated parser for Microsoft.FilesOnDemand....
malwaremaloney.blogspot.com
November 7, 2025 at 2:54 PM
beercow.bsky.social
Adding a parser for Microsoft.FilesOnDemand.db to OneDriveExplorer. Yet another source to rebuild the user’s OnDrive. More to come. #DFIR
October 16, 2025 at 3:43 AM
beercow.bsky.social
Did a little digging in Microsoft.FileUsageSync.db. Found some information to piece together OneDrive Quick Access. #DFIR
malwaremaloney.blogspot.com/2025/10/oned...
MALoney (It's in the name): OneDrive Quick Access
What is Quick access? Quick access makes it simple to find your frequently used storage locations, inclu...
malwaremaloney.blogspot.com
October 16, 2025 at 3:42 AM
beercow.bsky.social
Did a little digging in Microsoft.FileUsageSync.db. Found some information to piece together OneDrive Quick Access. #DFIR
malwaremaloney.blogspot.com/2025/10/oned...
MALoney (It's in the name): OneDrive Quick Access
What is Quick access? Quick access makes it simple to find your frequently used storage locations, inclu...
malwaremaloney.blogspot.com
October 8, 2025 at 9:37 PM
beercow.bsky.social
In case you missed it. New release of OneDriveExplorer. It has a dedicated parser for MicrosoftListSync.db (offline mode). #DFIR

malwaremaloney.blogspot.com/2025/09/oned...
MALoney (It's in the name): OneDrive. Let's take this offline
At the beginning of this year, I started adding data from the offline databases into OneDrive Explorer. This data enhanced...
malwaremaloney.blogspot.com
September 30, 2025 at 2:27 AM
beercow.bsky.social
That time of year again when everybody starts abbreviating cybersecurity awareness month as CSAM. 21 pages deep of google searches for that term and not a single mention of cybersecurity awareness month. Go figure.
September 23, 2025 at 9:48 PM
beercow.bsky.social
OneDrive Evolution has been updated to v25.162.0820.0001. That’s 692 versions OneDriveExplorer now handles. SafeDelete.db has been updated to schema v9. Enjoy!

malwaremaloney.blogspot.com/p/onedrive-e...

malwaremaloney.blogspot.com/p/safedelete...
MALoney (It's in the name): OneDrive Evolution
Below is a collapsible indented tree depicting the contents of a OneDrive Profile. Each rectangle represents a file or directory and is lab...
malwaremaloney.blogspot.com
August 22, 2025 at 10:16 PM
beercow.bsky.social
Appears OneDrive snuck a new sync client in. Works with personal accounts at the moment. It’s WebView2. You can find data in the following locations:
AppData\Local\Microsoft\OneDrive\OD4
AppData\Local\Microsoft\OneDrive\Logs\OD4
Where are my browser forensics experts at? #DFIR
August 11, 2025 at 6:29 PM
beercow.bsky.social
Updated OneDrive Evolution. You can now compare two versions of OneDrive and see what has changed. #DFIR

malwaremaloney.blogspot.com/p/onedrive-e...
August 7, 2025 at 3:02 AM
beercow.bsky.social
Something you may not know. OneDriveExplorer also works for the OneDrive sync client for macOS.

github.com/Beercow/OneD...
Release v2025.05.30 · Beercow/OneDriveExplorer · GitHub
Change Log Fixed ODL bug fix FileUsageSynce bug fix
github.com
June 25, 2025 at 12:04 AM
beercow.bsky.social
Today we learned Fishrocket (the one with the doughnut) has cancer. It’s an aggressive form of mast cell tumors. Treatment usually involves removing them but there are too many. They prescribe prednisone because they itch. Has diabetes so can’t give him prednisone. Poor guy.
June 20, 2025 at 12:19 AM
Reposted
malmoeb.bsky.social
1/ I successfully tested a LSASS dumping technique on a Windows 10 lab machine, which we encountered on a recent Incident Response engagement (no EDR, default Defender installed).

The "MiniDumpWriteDump" technique, as described here [1], was successful in writing the LSASS process to disk.
June 19, 2025 at 8:33 AM
beercow.bsky.social
Another interesting forensic artifact in OneDrive. UXDatabase.db
June 18, 2025 at 7:30 PM
beercow.bsky.social
Updates on the OneDrive sync client.

malwaremaloney.blogspot.com/2025/06/week...
MALoney (It's in the name): Weekly Update 6/6/2025
OneDrive Evolution OneDrive Evolution has been updated to OneDrive version 25.106.0602.0001. Starting with version 25.102.0527.0001, there ...
malwaremaloney.blogspot.com
June 6, 2025 at 8:24 PM
beercow.bsky.social
New folder and databases in the OneDrive sync client. Not sure what feature they are tied to yet. More to come. #DFIR
June 5, 2025 at 2:02 AM
beercow.bsky.social
New laptop, new stickes. 😜
June 3, 2025 at 2:14 AM
beercow.bsky.social
Found a few bugs that would cause crashes in OneDriveExplorer around ODL and FileUsageSync. Update available.

github.com/Beercow/OneD...
Release v2025.05.30 · Beercow/OneDriveExplorer · GitHub
Change Log Fixed ODL bug fix FileUsageSynce bug fix
github.com
May 30, 2025 at 7:36 PM
beercow.bsky.social
Finally caught up. Updates to OneDrive Evolution and database schemas.

malwaremaloney.blogspot.com/2025/05/oned...
MALoney (It's in the name): OneDrive Evolution and Schema Updates
OneDrive Evolution Updates OneDrive Evolution has been updated to v25.093.0514.0001 OneDrive Evolution SyncEngine Schema Updates  Schemas 34...
malwaremaloney.blogspot.com
May 23, 2025 at 7:16 PM
beercow.bsky.social
Been a little while. Was busy adding support for Microsoft.FileUsageSync.db to OneDriveExplorer. Update brings in data on files shared via email, Teams, SharePoint and more. Thank you Heather Barnhart for the bug report on search function issues. #DFIR

malwaremaloney.blogspot.com/2025/05/oned...
MALoney (It's in the name): OneDriveExplorer now supports Microsoft.FileUsageSync.db
Recently, I have been focused on adding support for Microsoft.FileUsageSync.db. See my previous post on Microsoft.FileUsag...
malwaremaloney.blogspot.com
May 13, 2025 at 11:50 AM
beercow.bsky.social
Original post: infosec.exchange/@13reak/1143...
April 15, 2025 at 9:17 PM
beercow.bsky.social
Hmmmm. What are we up to here? 🤔
March 11, 2025 at 10:53 PM
beercow.bsky.social
Interesting thing with OneDrive Offline Mode for web. You can get the last two modification times of a file. Could come in handy. #DFIR
March 7, 2025 at 8:16 PM
beercow.bsky.social
I started exploring OneDrive’s FileUsageSync.bd. There is some useful information on files shared via email, Teams, etc… that may not be in the user’s OneDrive.

https://malwaremaloney.blogspot.com/2025/02/onedrive-microsoftfileusagesyncdb.html
MALoney (It's in the name): OneDrive Microsoft.FileUsageSync.db
I recently started to look into the Microsoft.FileUsageSync.db . The database can be found in %localappdat...
malwaremaloney.blogspot.com
February 21, 2025 at 5:53 PM
beercow.bsky.social
I am OneDrive.
February 21, 2025 at 1:39 PM