Week 5 – 2016


  1. Tool updates
    • Harlan has updated the samparse plugin for RegRipper. I e-mailed him during the week with a SAM file and a request, and he had the plugin updated overnight. The new plugin extracts the values that are created when a user has created or linked an account with a Microsoft Live account. As Harlan has mentioned a number of times, if you’re able to provide a description of your problem and sample data it makes the problem much easier to fix. That’s not always possible, but when it is you’re much more likely to get a result.
      Updated samparse.pl plugin 
    • Matt Bromiley has updated his Win10 Prefetch parser to allow for multiple output formats as well as extracting volume information.
      Updated: Windows 10 Prefetch Parser 
    • Elcomsoft have updated their Phone Breaker tool. This update has some minor bug fixes and is required for decrypting iCloud backups made with iOS 9.3 devices.
      Elcomsoft Phone Breaker 5.20: Direct iCloud Access and iOS 9.3 Support 
    • Eric Zimmerman has released a new version of bstrings. This release adds the option to print offsets for hits, and each hit now identifies whether the string is Unicode or Windows-1252 encoded.
      bstrings released 
    • Minor bug fix for Didier Stevens numbers-to-hex tool to version 0.0.2
      Update: numbers-to-hex.py Version 0.0.2 
    • Lance Mueller updated an EnScript that parses the WiFi profiles that may exist on Windows systems so that it now includes Windows 10.
      EnCase v7 EnScript to parse WiFi/Network Profiles
  2. Blacklight’s latest blog post is about the CellularUsage.db database on iOS. This database tracks up to 3 SIM cards, including the date/time each was inserted, its phone number and its subscriber ID. They’ve also been kind enough to include a table that may assist in correlating the time to an event. I’m not sure how often you may come across a device using multiple SIMs, but it’s good to know Apple tracks the information.
    SIM-Switching on iPhones 
  3. TrewMTE posted a blog post about USIM elementary files and service tables. He identifies a number of possible reasons why looking for this data may be important.
    Investigation USIM EFs and Service Table
  4. Sean McVey has a post linking to his article that was published in the Excelsior College Cyber Security Journal. The article is a great read about malware fingerprinting and attribution of executables. Sean walks us through the methods of malware analysis, ways to identify an author’s “signature”, as well as how to determine the potential origins of the malware, with specific references to the “Memory Monitor” malware used in the Target data breach.
    Malware Fingerprinting

  5. SANS are looking for media ambassadors for the Threat Hunting Summit in New Orleans, 12th to 19th April. The media ambassadors get free attendance (valued at $1595 USD) on the proviso that they make their own way there, pay for their own accommodation, promote the conference pre-summit, share their experiences onsite and publish their analysis post-summit.
    Threat Hunting & Incident Response Summit Social Media Ambassadors 
  6. Lenny Zeltser has an interesting post regarding the concept of expertise. It’s good practice to constantly check your understanding of a topic rather than blindly accepting something as fact. The points raised in this post are a really good guideline as to how to work well within any field that requires expertise, not just the DFIR space.
    Experts Cannot Help Overstating Their Expertise


  7. Jared Atkinson at Invoke-IR has a couple of posts this week. The first relates to copying locked files with the PowerForensics framework. This post is quite detailed, to ensure that anyone without knowledge of PowerShell can follow along. I particularly like that there are multiple ways to achieve the same result.
    Copying Locked Files with PowerForensics

    The second post is the start of a new “Forensic Friday” series covering either a forensic topic of interest or PowerForensics functionality. This week relates to the “Get-ForensicFileRecord” cmdlet and shows a few examples of it in use.
    Forensic Friday: Get-ForensicFileRecord


  8. Adam at Hexacorn also had two posts this week. The first was part 3 of The art of disrespecting AV (and other old-school controls) and listed the many different engines and sub engines used in modern antivirus software (that he could remember).
    The art of disrespecting AV (and other old-school controls), Part 3

    The second post takes a more philosophical approach and regards curiosity. My opinion is that curiosity is vital in this business; there’s so much out there from a device/operating system/forensic artifact perspective, and so little in terms of documentation by comparison. Curiosity is absolutely vital when an analyst or responder is confronted with a task that requires an inquiring mind.
    Mono no aware (もののあわれ), Panta rhei (πάντα ῥεῖ )


  9. Elcomsoft has posted an article on Forensic Focus regarding the use of two-factor authentication. The article explains the 2FA methods of the major vendors (Google, Apple, Microsoft) and the difficulties in getting around them. The TL;DR is that 2FA makes cloud extractions difficult without access to the second authentication factor.
    Multi-Factor Authentication in Digital Forensics

  10. Clark Walton posted a review of the Cellebrite Certified Logical Operator (CCLO) and Cellebrite Certified Physical Analyst (CCPA) training courses as well as the Cellebrite Certified Mobile Examiner (CCME) certification. The review provides an overview of each of the courses that should allow practitioners to get an idea of what they’re signing up for. Considering the way the world is progressing towards mobile technologies, learning more about the extraction process and data analysis can’t hurt and should probably be looked into by those that can afford it (as long as you use their tools; also, I have no affiliation with Cellebrite).
    Reviews – 2016 – Cellebrite Certified Mobile Examiner Training and Certification


  11. The students at Champlain released their report about OS X Yosemite and El Capitan default file locations. This list is an updated version of the original list posted by Sean Cavanaugh for OS X Lion. It would be great if the new information was added into the original spreadsheet so that there’s a one-stop shop for default locations.
    Mac Forensics Report Official Release 
  12. This week’s Forensic Lunch covered a few topics, starting with the Forensic 4cast awards. This year’s awards also opened up the new category of “Open Source Forensic Software of the Year”. Lee explains that the awards, held at the DFIR Summit in Austin mid-year, are for last year’s (2015) achievements. So go and nominate! Nominations close at the end of March.
    Matt Bromiley from 505Forensics was on to talk about his prefetch parser (which was updated this week). I particularly liked the tangent they went on about automating the repetitive tasks so that you can spend more time on analysis rather than extracting the data or putting it into the right format. Matt also spoke about his next project, MS-SQL database forensics: examining the different artefacts we get from these databases, and the processes, methodologies and tools we can use to analyse that data.
    Lastly, Matt and David discussed some of the changes in Windows 10 that examiners should know about. The critical point was that creating a file on a system creates a link file. The guys had started doing some research into forensic analysis techniques for how these files are created, and this will definitely be useful in data exfiltration examinations. (On a side note, Windows 10 is becoming an automatic update on Windows machines, so shortly many people will be forced into upgrading.) From David’s list of Windows 10 artefacts at the end, it definitely sounds like the operating system is ripe for research; anyone looking for projects should have a look at what artefacts are created from what interactions and document it! Easier said than done, I know.
    Forensic Lunch 2/5/16

And that’s all for Week 5! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.

