Week 4 – 2016

  1. There were a few software updates this week
    • Paladin updated to version 6.08 with a few bug fixes. The release notes explain that they fixed a sporadic memory leak when imaging/verifying EWF and also removed an option for segmenting forensic images. I’m not entirely sure which current forensic practices they’re referring to, but I’ll have to check it out. I usually segment my forensic images so that they’re easier to transfer around, and if one partially corrupts I’ve had success in recovering data.
      Paladin 6.08
    • X-Ways 18.7 was officially released. There have been a number of preview and beta versions over the last couple of months; the most recent update fixed the directory browser cell text regarding GREP expressions and updated the help and user manual to reflect the current version.
      And then SR1 was released a few days after that with some minor bug fixes.
      X-Ways 18.7 Released
    • Internet Evidence Finder updated to version 6.7.4 with some bug fixes that stop the application crashing. A couple of welcome additions include recovering Shareaza search terms from unallocated space and corrected dates and times relating to the Chrome Login Data.
    • XRY 6.16.1 has updated with a few new features and improvements including additional chipset/file system decoding and improved logical support for Android devices. Check out the release notes below.
      XRY 6.16.1
    • Cellebrite has updated UFED Physical Analyser, Logical Analyser, UFED Touch and UFED 4PC to version 4.5.1. This is a maintenance update to provide support for the latest versions for a number of messaging apps and resolves an issue relating to SIM logical extractions.
    • Oxygen Forensics released a major update to Oxygen Forensics Detective (version 8.1). The updated version adds a new method of physical extraction/passcode bypass for supported Samsung devices. They’ve also updated the parsing for a number of messaging, social networking and business applications for Android, as well as adding support for devices up to iOS 9.2.1.
      Oxygen Forensics Detective Update
    • Didier Stevens updated a number of his tools
      • Cut-bytes.py to version 0.0.3 so when searching for a sequence, you can now specify the instance to select.
      • Emldump.py to version 0.0.6 to handle intentionally malformed MIME files
      • Xor-kpa.py to version 0.0.2 with added scanning of the files found within ZIP files.
    • Sarah Edwards has added additional output formats (KML and CSV) to her iOS frequent locations parsing script (now at v1.1). KML is super useful because you can throw it into Google Earth without having to move the data off your forensic box to access the Internet.
      Script Update: Dump iOS Frequent Locations – Now with KML & CSV Output!
  2. Harlan’s latest post is regarding instrumentation and monitoring; this post offers suggestions, based on a couple of other blogs and podcasts, on how to identify threats that are already inside your network.
    The Need for Instrumentation
  3. Matt at 505Forensics’ latest post relates to parsing MongoDB logs. The post describes the artefacts that are parsed by the scripts released there. The scripts profile connections to the database as well as what may be going on in the session.
    Parsing MongoDB Logs
  4. The students over at Champlain College have released a paper regarding Massively Multiplayer Online Role Playing Game (MMORPG) chat forensics. The project specifically related to World of Warcraft, Guild Wars 2 and PlanetSide 2.
    MMORPG Chat Forensics
  5. Brent Muir has a great post extolling the virtues of knowing your data rather than relying on machine-generated reports. This is something that has been echoed by a number of different practitioners throughout the years (here and here for example). Brent, rightly so, is encouraging people to question the data presented by, in this case, an automated mobile examination utility to determine if you really are getting everything. At the very least, if you have multiple tools available to you it’s a good idea to run them over the data structures (although I’m yet to find a good comparison tool other than loading everything up in Excel). Quite often I have noticed a number of tools parsing the data they know about, and in some instances not telling you where that data came from (sometimes not at all, sometimes you get an offset when a path would be nicer) or skipping over available data structures completely. Understandably we have to rely somewhat on our tools depending on our workload, but I would like to see more tool manufacturers be up front about what data structures they are parsing and their known limitations.
    Know Your Data AKA The Limitations of Standard Forensic Suites
  6. Francesco at ZenaForensics posted the first part of a summary of the talk he gave at SANS DFIR Summit Prague 2015. The post explains the Vault/Credential Manager within Windows and how to parse/extract the data held within. It walks through the data structure and how to go about viewing the information held within, along with links to valuable scripts.
    Windows ReVaulting
  7. Jamie Levy has a walkthrough of examining NULL values in the registry from both a static disk as well as a memory dump. She has also included her own tool for extracting the data from the registry to go along with Harlan’s and Eric’s. Walkthroughs are always useful for new and old examiners alike, so they’re highly encouraged!
    Registry Value Names Starting with NULL Characters
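The KML output that Sarah Edwards added to her frequent-locations script (item 1 above) is worth understanding on its own: a Placemark per fix, and coordinates written in KML's lon,lat order rather than the lat,lon order the CSV usually carries. The converter below is an added illustration, not Sarah's script or any tool from the page; the CSV column names (timestamp, latitude, longitude, confidence) are an assumption for the sample, and the sample rows are constructed. Rows with a missing or out-of-range coordinate are skipped rather than written as a bogus point at 0,0.

```python
"""Convert a location CSV export to KML for Google Earth.

Added example; not the iOS frequent-locations script from the post.
Column names and the sample rows below are constructed for illustration.
"""
import csv
import io
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample: one row per location fix. The third row is deliberately
# missing its latitude to show that bad rows are dropped, not plotted at 0,0.
SAMPLE_CSV = """timestamp,latitude,longitude,confidence
2016-01-20 08:05:11,-33.8688,151.2093,0.95
2016-01-20 17:42:30,-33.8915,151.2767,0.80
2016-01-21 12:00:00,,151.2093,0.50
"""


def parse_rows(text):
    """Return rows that have a usable latitude/longitude pair."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            lat = float(row["latitude"])
            lon = float(row["longitude"])
        except (KeyError, ValueError):
            continue  # empty or non-numeric coordinate: skip the row
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            continue  # out-of-range values usually mean a parsing slip upstream
        rows.append({
            "timestamp": row["timestamp"],
            "lat": lat,
            "lon": lon,
            "confidence": row.get("confidence", ""),
        })
    return rows


def _tag(name):
    return "{%s}%s" % (KML_NS, name)


def rows_to_kml(rows, doc_name="Frequent locations"):
    """Build a KML document with one Placemark per row; returns the XML text."""
    ET.register_namespace("", KML_NS)  # emit KML's default namespace
    kml = ET.Element(_tag("kml"))
    doc = ET.SubElement(kml, _tag("Document"))
    ET.SubElement(doc, _tag("name")).text = doc_name
    for r in rows:
        pm = ET.SubElement(doc, _tag("Placemark"))
        ET.SubElement(pm, _tag("name")).text = r["timestamp"]
        ET.SubElement(pm, _tag("description")).text = "confidence=%s" % r["confidence"]
        # TimeStamp lets Google Earth's time slider step through the fixes.
        ts = ET.SubElement(pm, _tag("TimeStamp"))
        ET.SubElement(ts, _tag("when")).text = r["timestamp"].replace(" ", "T")
        point = ET.SubElement(pm, _tag("Point"))
        # KML coordinate order is lon,lat[,alt]; swapping them is the classic mistake.
        ET.SubElement(point, _tag("coordinates")).text = "%s,%s,0" % (r["lon"], r["lat"])
    return ET.tostring(kml, encoding="unicode")


def placemark_coordinates(kml_text):
    """Read back the coordinate strings from a KML document (sanity check)."""
    root = ET.fromstring(kml_text)
    return [c.text for c in root.iter(_tag("coordinates"))]


if __name__ == "__main__":
    fixes = parse_rows(SAMPLE_CSV)
    print(rows_to_kml(fixes))
```

Write the returned text to a `.kml` file and open it in Google Earth; the constructed rows plot in Sydney, with the third row silently dropped.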
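The reason NULL-prefixed value names (item 7) matter to an examiner is that a hive's vk record stores the name with an explicit length, so a name can legitimately begin with a NUL byte, while any tool that hands that name to a C-string API sees it truncated at the first NUL and shows an empty or shortened name. The script below is an added example, not Jamie Levy's, Harlan's or Eric's tool: it parses the name out of a vk record by its length field (the 20-byte header layout used here is the publicly documented one: signature, name length, data size, data offset, data type, flags, spare, then the name; flag bit 0 marking an 8-bit rather than UTF-16LE name), shows what a NUL-terminated consumer would see instead, and flags the difference. The vk records are constructed in-script for the sample and are not taken from a real hive.

```python
"""Spot registry value names that hide behind NUL characters.

Added example; not any of the tools from the post. The vk records used as
input are constructed here for illustration rather than read from a hive.
"""
import struct

# vk record header: sig, name_len, data_size, data_offset, data_type, flags, spare
VK_HEADER = struct.Struct("<2sHIIIHH")  # 20 bytes, little-endian
VK_FLAG_COMP_NAME = 0x0001               # name stored as 8-bit chars, else UTF-16LE


def parse_vk_name(record: bytes) -> str:
    """Return the value name exactly as stored, using the explicit length field."""
    sig, name_len, _dsize, _doff, _dtype, flags, _spare = VK_HEADER.unpack_from(record, 0)
    if sig != b"vk":
        raise ValueError("not a vk record")
    raw = record[VK_HEADER.size:VK_HEADER.size + name_len]
    if len(raw) != name_len:
        raise ValueError("truncated vk record")
    if flags & VK_FLAG_COMP_NAME:
        return raw.decode("latin-1")
    return raw.decode("utf-16-le")


def as_c_string(name: str) -> str:
    """What a consumer that treats the name as NUL-terminated would see."""
    return name.split("\x00", 1)[0]


def escape_name(name: str) -> str:
    """Printable rendering for reports: non-printables become \\xNN escapes."""
    return "".join(ch if 0x20 <= ord(ch) < 0x7F else "\\x%02x" % ord(ch) for ch in name)


def audit_value_names(names):
    """Report every name a length-aware parser sees but a C-string view would hide or clip."""
    findings = []
    for name in names:
        if "\x00" not in name:
            continue
        findings.append({
            "stored": escape_name(name),
            "stored_length": len(name),
            "c_string_view": as_c_string(name),
            "leading_nul": name.startswith("\x00"),
        })
    return findings


def audit_vk_records(records):
    """Convenience wrapper: parse each record's name, then audit the names."""
    return audit_value_names([parse_vk_name(r) for r in records])


def build_vk_record(name: str, compressed: bool = True) -> bytes:
    """Construct a minimal vk record (REG_SZ, no data) for test input only."""
    raw = name.encode("latin-1") if compressed else name.encode("utf-16-le")
    flags = VK_FLAG_COMP_NAME if compressed else 0
    return VK_HEADER.pack(b"vk", len(raw), 0, 0xFFFFFFFF, 1, flags, 0) + raw


# Constructed sample: two ordinary names and two containing NUL characters.
SAMPLE_NAMES = ["Run", "\x00Hidden", "Pre\x00Post", "Shell"]
SAMPLE_RECORDS = [build_vk_record(n) for n in SAMPLE_NAMES]


if __name__ == "__main__":
    for f in audit_vk_records(SAMPLE_RECORDS):
        print("stored=%(stored)s len=%(stored_length)d "
              "c_string_view=%(c_string_view)r leading_nul=%(leading_nul)s" % f)
```

Against a real hive the same check belongs in whatever parser walks the vk records: compare the length-field name with its C-string view, and any mismatch is worth a second look in both the on-disk hive and the memory image, which is exactly the comparison the walkthrough makes.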

And that’s week 4! Originally I was only planning on posting summaries of the articles I’ve read, but I’m leaning more towards occasionally adding my own 2 cents for my two readers (Hi Ninja and Monkey!), so hopefully someone gets something useful out of it.

If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.
