About This Blog

By

Thank you for stopping by my blog! I am Damien Attoe an avid Digital Forensics Practitioner, Researcher and Teacher.  

My DFIR Career

I started my Digital Forensics career in 2010, where I was fortunate enough to get an internship at NW3C while I was in college. Since then, my passion for digital forensics has grown exponentially. From 2012 - 2017 I worked as a forensic consultant at AccessData (now Exterro), before moving to my current employer Spyder Forensics at the beginning of 2018. 

For the bulk of my career I focused on corporate investigations and eDiscovery, but over the past few years I have transitioned into a part-time trainer for Spyder where I teach the Advanced Database Forensics and Dark Web Forensics courses. That being said, I still manage a professional services team and do investigations for a select few clients. 

While I have been in the background for 15 years just watching things going on in the industry, I decided that 2025 was the year that I wanted to be a contributor vs a watcher. I created this blog as an area where I can post my own personal research and other insights that I believe might be useful to the DFIR community.

Blog Content

Over the years I have done a lot of different types of examinations, but my main area of focus for the last 5 years has been Database Forensics and Artifacts associated with the use of Dark Web applications. Expect to see a lot of database related content like SQLite, LevelDB etc... and privacy related apps.

Just to be clear: This is a PERSONAL blog and doesn’t not necessarily represent the opinions of my employer.

Whilst I enjoy deep diving into artifacts to figure out the inner workings of an application, I understand that there are varying levels of technical expertise. I want this blog to be place where all can take some new knowledge and apply it to their examinations, so I will attempt to present it in a way that everyone regardless of experience can learn.

During my research I will primarily use open-source tools, or python scripts that I write to convey concepts and ultimately produce a meaningful output. I will upload any code or queries that I write to the Digital4n6withDamien repository on the Spyder Forensics GitHub which is where I upload some of the code I developed at work. I got permission to do so, so It’s easier than managing 2 GitHub accounts.

Disclaimer: Just because something is published online doesn’t make it accurate. You should ALWAYS validate the accuracy of the information I provide, and if I get something wrong, please don’t hesitate to reach out to me on social media and let me know so I can correct it.

What you won’t find here:

  • I will not be posting any research conducted in-house at Spyder Forensics. That material goes into courses, presented at conferences or published on the Spyder Forensics articles page. 
  • I will not endorse, criticize or compare any commercial tools. All tools have their strengths and weaknesses, but the purpose of my content is to educate and go beyond the tool's capabilities. 
  • I will not post or share any material related to techniques, exploits, or other mechanisms that could undermine law enforcement's ability to combat crime or put the general public at risk of compromise.



Popular posts from this blog

The Duck Hunters Guide - Android Cheat Sheet

By
Image
This cheat sheet contains the locations of forensic artifacts associated with the DuckDuckGo Android Browser.  It will be periodically updated as research is conducted History.db Location:  data\data\com.duckduckgo.mobile.android\databases\ Artifacts:  Browsing History App.db Location:  data\data\com.duckduckgo.mobile.android\databases\ Artifacts:  Open Tabs Bookmarks/Favorites com.duckduckgo.app.settings_activity.settings.xml Location:  data\data\com.duckduckgo.mobile.android\shared_prefs\ Artifacts:  Automatic Clearing Settings com.duckduckgo.app.fire.unsentpixels.settings.xml Location:   data\data\com.duckduckgo.mobile.android\shared_prefs\ Artifacts:  Datetime when data was last cleared tabPreviews Cache Folder Location:  data\data\com.duckduckgo.mobile.android\cache\ Artifacts:  Open Tab Preview Files Closed Tab Preview Files faviconsTemp  Cache Folder Location:  data\data\com.duckduckgo.mobile.android\cache\ Artifact...
Read more

The Duck Hunters Guide - Blog #5 - Bookmarks & Favorites (Android)

By
Image
In this installment of the Duck Hunters Guide I am going to talk about the artifacts associated with Bookmarks and Favorites in the Android version of the DuckDuckGo web browser. Favorite sites are bookmarks that user has favorited. The favicon for a favorited site will show on a tile on a new browser tab to enable quick navigation to the URL. The main artifact for Bookmarks and Favorites is the app.db sqlite database. app.db location:  data\data\com.duckduckgo.mobile.android\databases\ This database has a lot of tables, including tables called bookmarks, bookmark folders and favorites. One would think that these tables would contain all the information about Bookmarks and Favorites; however, they are empty.  In actual fact the Bookmark and Favorite information goes into the entities table and the relations table. Entities Table The entities table contains the core information for Bookmarks and Folders. entityId - Type 4 UUID (Random) unique identifier title - Title for the Bo...
Read more

SQBite Beta Release

By
Image
On Friday 28th March I uploaded the Beta Code for SQBite to Spyder Forensics Github. This version was a major update from the Alpha code that I released earlier this year, with new features and a completely different output format which is a lot easier to work. Note: In the initial release there were a few bugs that were identified which I fixed in beta 2, a few more in Beta 3 and another in Beta 4. Just a reminder: The purpose of this tool is not to reinvent the wheel for forensics on SQLite databases, but to be used for validation, and as an educational tool for  my Advanced Applied Database Forensics class that I teach at Spyder Forensics (My employer). There is a lot more information about the records that is output than you would typically see in your main forensic tools. For example, the first 7 columns for a record in the output is not the record content but information about the record and where it is physically located. The latest version of the tool can be downloaded fro...
Read more