week 6
- Software Updates:
- Eric Zimmerman added a few new switches to bstrings (now at version 1.0) that let a user specify an ASCII/Unicode character range and a code page. You can also now supply a file mask, e.g. *.exe.
bstrings 1.0 released!
- CRU has updated their write blocker testing utility to version 1.0.1.0. This update fixes a bug in the reporting feature so that each test now creates a new report.
Writeblocking Validation Utility
- X-Ways was updated a couple of times and is now at 18.7 SR-3. The fixes mainly relate to bugs in previous versions.
18.7 SR-3
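As an added example of what the three bstrings options above actually do (this is my own illustration, not bstrings’ code, and the function and parameter names are my own), the script below scans a buffer for runs of single-byte characters within a configurable byte range, decodes them with a chosen code page, separately recovers UTF-16LE (“Unicode”) strings, and applies a glob file mask such as *.exe to a directory. The sample buffer at the bottom is constructed for the demonstration.

```python
import glob
import os
import re
from typing import Iterator, List, Tuple

# Example only: a minimal ASCII/UTF-16LE strings extractor illustrating the
# "character range", "code page" and "file mask" ideas. Names are my own.


def ascii_strings(data: bytes, min_len: int = 4, lo: int = 0x20, hi: int = 0x7E,
                  codepage: str = "cp1252") -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for runs of at least min_len bytes whose value lies
    in [lo, hi], decoded with the given code page.

    lo/hi is the character-range knob: the default printable-ASCII range splits
    on accented characters, while hi=0xFF keeps them and lets the code page
    decide what they mean (0xFC is "ü" in cp1252, for example).
    """
    if not (0 <= lo <= hi <= 0xFF):
        raise ValueError("byte range must satisfy 0 <= lo <= hi <= 0xFF")
    # The %-formatting produces a literal \xNN escape for the regex engine.
    pattern = re.compile(rb"[\x%02x-\x%02x]{%d,}" % (lo, hi, min_len))
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode(codepage, errors="replace")


def unicode_strings(data: bytes, min_len: int = 4) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for runs of at least min_len UTF-16LE characters in
    the printable ASCII range, i.e. (printable byte, 0x00) pairs; alignment is
    not assumed, so strings at odd offsets are found too."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def extract_strings(data: bytes, min_len: int = 4, lo: int = 0x20, hi: int = 0x7E,
                    codepage: str = "cp1252") -> List[Tuple[int, str, str]]:
    """Return [(offset, kind, text)] sorted by offset; kind is 'A' (single-byte)
    or 'U' (UTF-16LE), the convention most strings tools print."""
    found = [(off, "A", s) for off, s in ascii_strings(data, min_len, lo, hi, codepage)]
    found += [(off, "U", s) for off, s in unicode_strings(data, min_len)]
    return sorted(found)


def scan_files(directory: str, mask: str = "*.exe", **kwargs) -> dict:
    """Apply a file mask (glob syntax, e.g. *.exe) to a directory and run the
    extractor over every match, returning {path: [(offset, kind, text), ...]}."""
    results = {}
    for path in sorted(glob.glob(os.path.join(directory, mask))):
        with open(path, "rb") as fh:
            results[path] = extract_strings(fh.read(), **kwargs)
    return results


# Constructed sample: a fake PE-like blob with an ASCII banner, a UTF-16LE path
# and a cp1252 word containing a high byte (0xFC = ü) so the code page matters.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00\x01\x02"
    + "C:\\Users\\analyst\\report.docx".encode("utf-16-le")
    + b"\x00\x00"
    + "Z\u00fcrich".encode("cp1252")
    + b"\x00ab\x00"
)

if __name__ == "__main__":
    print("--- default range 0x20-0x7E ---")
    for off, kind, text in extract_strings(SAMPLE):
        print(f"{off:8d} {kind} {text}")
    print("--- range 0x20-0xFF decoded as cp1252 ---")
    for off, kind, text in extract_strings(SAMPLE, hi=0xFF):
        print(f"{off:8d} {kind} {text}")
```

With the default range the accented word is cut down to “rich”; widening the range to 0xFF and decoding as cp1252 recovers “Zürich” whole, which is the practical reason a strings tool exposes both the range and the code page rather than hard-coding printable ASCII.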
- Richard Burnell has posted a thorough review of Lima Forensic Case Management (Laboratory edition) on Forensic Focus. The review begins with an overview of the features and then proceeds with a few use cases (with pictures, which definitely helps). Also as a side note, HTCIA members get a free copy of Lima Personal to play around with but as Richard explains, this version lacks the features he needs to run his small lab completely. (I haven’t checked it out but this may be a solution for him, or at the very least a place where changes can be suggested/implemented to suit small businesses; if you have a problem, chances are someone else does too)
Reviews – 2016 – Lima Forensic Case Management, Laboratory Edition
- Passware has written a short article for Forensic Focus about a new feature in the latest version of Passware, released in December last year (2016.1). The feature allows dictionaries to be stored on a network share so that multiple instances of Passware can use the same file concurrently, saving examiners from having to copy large datasets onto each computer they crack passwords with.
Using Large Dictionaries for Password Cracking in a Network Environment
- Eric Zimmerman has released a new LNK parsing tool. Eric’s rationale for the new tool is that a number of other tools produce their output but drop the extraneous information they don’t understand. The new tool claims to parse LNK files more completely and, by Eric’s own admission, provides significantly more data than other tools. If you combine it with an OLE dumping tool (like this one) you can even parse the LNK artefacts found within jump lists. Looking forward to trying this out and seeing what extra information it will uncover.
Introducing LECmd!
- Magnet has written a post about the portable case feature of IEF. This feature can be very useful if you have to provide extractions to clients so that they can go through the data themselves and generate their own reports.
Case Collaboration with Magnet IEF: How to Create a Portable Case
- The students at Champlain College have produced three short posts this week regarding the Amazon Echo, wearable tech and cloud forensics. The first post, on the Amazon Echo, introduces the device and notes the project goals for the semester. The final report on this project will be posted in May 2016.
INTRO TO AMAZON ECHO FORENSICS
The second post relates to data stored on wearable devices, particularly the Apple Watch Sport, FitBit Flex, and Samsung Gear S2. The team has just begun their research phase and will be updating us on their progress and data extraction methods in the future.
INTRODUCTION TO WEARABLE TECH
The third relates to some preliminary research into Cloud Forensics covering the big four – Dropbox, OneDrive, Google Drive and iCloud.
INTRODUCTION TO CLOUD FORENSICS
- Jared Atkinson at Invoke IR has another Forensic Friday post. This week’s covers the Get-ForensicUsnJrnl cmdlet in his PowerForensics utility.
Forensic Friday: Get-ForensicUsnJrnl
- Oxygen Forensics has a post up promoting their dongle exchange program. If you send them a competitor’s USB dongle with a valid key code they will send you a copy of Oxygen Forensic® Detective with 12 months of updates.
Replace your Mobile Forensic Tool with Oxygen Forensic® Detective
- SANS has a couple of posts up this week. The first promotes the Threat Hunting & Incident Response Summit & Training in New Orleans, LA, with a chance to win free entry! All you have to do is post a photo to Twitter showcasing a bit of Valentine’s Day love, and SANS, with the hashtag #ThreatHuntingSummit.
SANS #ThreatHuntingSummit Valentine Twitter Contest
The annual incident response survey is also now online. The survey helps SANS explore the evolution of incident response, as well as the tools and tactics being used now and into the future. As an added incentive, every entrant goes into a draw to win a $400 Amazon gift card.
SANS third annual incident response survey is now online
- Harlan Carvey has two posts up this week. The first contained a series of links relating to presentations, education and training, tools and books. I liked the section on example forensic images. It’s always good, if you have no experience (at all, or with specific artifacts), to find the various forensic images around the place and conduct some sort of examination. It’s also good to test out new tools with a known dataset. Harlan also appears to be excited about the new cover art; as a side note, Syngress has been messing with my OCD for years, each book being similar but slightly different. Maybe this change will help.
Links
The second post related to Harlan sharing a story from one of his former jobs performing security assessments. This specific story related to War Dialling.
From Trenches
- Heather Mahalik wrote a post to assist examiners in identifying the firmware of a locked iOS device. She also links to the two cheat sheets produced by Dylan Dorow that would be of use to anyone who comes across locked iOS devices.
CAN’T CRACK INTO THAT IOS DEVICE?
- Igor Mikhaylov and Oleg Skulkin at WeAre4n6 have written a comprehensive article on forensic analysis of the Flash-Friendly File System (F2FS), which is the file system of the “userdata” partition on a Motorola Moto G smartphone. As someone who has recently been struggling to piece together phone extractions that don’t parse with commonly available tools, articles like this are always great to have available.
Forensic analysis of Flash-Friendly File System (F2FS)
- Microsoft has also updated the Edge browser to fix a flaw that allowed analysts to identify URLs accessed using InPrivate Browsing.
Latest Windows 10 update makes Microsoft Edge InPrivate browsing private
And that’s all for Week 6! If you think I’ve missed something, or want me to cover something specifically let me know at randomaccess3+thisweekin4n6 at gmail dot com.