When you get a group text and fix the name and picture for them.
"Distrust and caution are the parents of security." - Benjamin Franklin
A couple OneDrive updates this week. https://malwaremaloney.blogspot.com/2025/12/onedrive-updates.html
Fixed a bug in DeXRAY for Windows Defender files. 🙂
Not that kind of consent. The UAC kind of consent. Take a dive into how UAC works and some of the things it doesn’t tell you. Also a new utility to solve some of these issues.
https://malwaremaloney.blogspot.com/2025/11/lets-talk-about-consent.html
When launching a program as admin, consent.exe runs with a parent process of svchost. If successful, consent.exe exits and the new process is launched with explorer as its parent. If not, we can’t always tell what was trying to be run. Until now. https://github.com/Beercow/ConsentMonitor
Into the unknown and down rabbit holes we go.
Weekly update. New features in OneDriveExplorer, OneDrive Evolution and schema updates. #DFIR
https://malwaremaloney.blogspot.com/2025/11/onedrive-updates.html
Adding a parser for Microsoft.FilesOnDemand.db to OneDriveExplorer. Yet another source to rebuild the user’s OneDrive. More to come. #DFIR
Did a little digging in Microsoft.FileUsageSync.db. Found some information to piece together OneDrive Quick Access. #DFIR
https://malwaremaloney.blogspot.com/2025/10/onedrive-quick-access.html
In case you missed it. New release of OneDriveExplorer. It has a dedicated parser for MicrosoftListSync.db (offline mode). #DFIR
https://malwaremaloney.blogspot.com/2025/09/onedrive-lets-take-this-offline.html
That time of year again when everybody starts abbreviating cybersecurity awareness month as CSAM. 21 pages deep of Google searches for that term and not a single mention of cybersecurity awareness month. Go figure.
OneDrive Evolution has been updated to v25.162.0820.0001. That’s 692 versions OneDriveExplorer now handles. SafeDelete.db has been updated to schema v9. Enjoy!
https://malwaremaloney.blogspot.com/p/onedrive-evolution.html
https://malwaremaloney.blogspot.com/p/safedelete-schema-v9.html
Appears OneDrive snuck a new sync client in. Works with personal accounts at the moment. It’s WebView2. You can find data in the following locations:
AppData\Local\Microsoft\OneDrive\OD4
AppData\Local\Microsoft\OneDrive\Logs\OD4
Where are my browser forensics experts at? #DFIR
Updated OneDrive Evolution. You can now compare two versions of OneDrive and see what has changed. #DFIR
https://malwaremaloney.blogspot.com/p/onedrive-evolution.html
Something you may not know. OneDriveExplorer also works for the OneDrive sync client for macOS.
https://github.com/Beercow/OneDriveExplorer/releases/tag/v2025.05.30
@FritzAdalis my daughter thought of it when she was little. We wanted to name the other one Mouse Missile but our son went a different direction. He’s 14. Just wish there was something we could do for the itching. That doughnut comes off and he is licking and chewing at his skin.