Week 21 – 2016


  • Last week I mentioned that Magnet updated IEF to version 6.7.8. From the release notes this update is mainly bug fixes.
  • CRU has updated their WriteBlocking Validation Utility. The new version reformats the test reports, updates the help file, allows tests to be paused, adds support for drives larger than 2.2TB and addresses various bug fixes.
  • TZWorks updated a number of their tools in the May release of their package build last week.
    • Updates to the shell parsing library which affected a number of different tools.
    • Updated ntfswalk to allow targeting hash matches under a specific size as well as introducing an experimental feature for increased control over the multi-threading.
    • Improved hive detection for the registry tools.
    • Various bug fixes to the tools.
      May 2016 build (package)

  • Susteen updated SecureView to version 4.2.1 providing better iOS acquisition, improved reporting, various design changes and bug fixes.
  • Rekall was updated to version 1.5.1. The update includes new windows plugins allowing inspection of the PFN database and an improved scanning framework.
    Release 1.5.1 Furka
  • Didier Stevens updated his pecheck python script to version 0.5.1. This version offers more info about the overlay.
    Update: pecheck.py Version 0.5.1

  • Paul Sanderson has updated Forensic Browser for SQLite to version 3.1.0, which comes with a number of bug fixes and a couple of minor feature improvements such as allowing a screenshot to be copied to a file or the clipboard and “better handling of errors when decoding corrupt blobs in structured storage manager”.
    New release 3.1.0

  • X-Ways Forensics 18.8 and 18.9 were updated twice during the week, to SR-5. Both updates were a series of bug fixes.
    X-Ways Forensics 18.8 SR-5
    X-Ways Forensics 18.9 Preview 5


  • Cellebrite announced three new Analytics products: Desktop, Workgroup and Enterprise. These three products are designed to automate the analytical tasks and identify relationships between data extractions from phones, cloud services, apps and CDRs.
    Introducing Cellebrite’s Advanced Digital Analytics Platform
  • CRU released the Ditto DX, the next version of their Ditto forensic duplication and imaging device. There are a few changes in this new model:
    • A light bar that provides visual feedback.
    • Changes to the PCIe expansion slot to add support for RAID controller cards and better support for M.2 SSD drives.
    • USB3 destination ports.
    • Add-on modules for destination (as opposed to just target).
    • Added Ethernet and USB ports in the control panel at the top, as well as moving the “stealth” switch.
      Ditto DX Forensic FieldStation

  • Susteen, makers of SvStrike, released their new products APEX Physical Explorer and Passcode Breaker.
    APEX, or Advanced Physical Explorer, allows users to review phone extractions (taken from APEX or other sources) and examine the resultant data. It appears to come with the usual features: image carving, SQL database parsing, reporting, support for various file formats etc. A couple of the points caught my eye: physical extraction of locked LG phones and “Natural Application viewing for increase App Data support”. I’m not sure if other tools provide physical support for locked LG phones, but the developers thought it was worth mentioning specifically.
  • Susteen also released a physical device called the Passcode Breaker, which appears to be a mechanical arm with a stylus attached. This would allow users to automate the manual process of entering passcodes. The tool is government only and costs $11,995 USD to purchase, or $295 per phone if you want to send them to Susteen. It’s interesting to see that they built such a large device as opposed to creating a smaller “on-screen” device that contains a series of “mini styluses” for each part of the screen and operates similarly to one of those metal pin-art 3D image maker toys.
    The downside of my suggestion is that you would probably need to create one that’s bigger than most phones and then program the size of the screen into the device.
    Susteen Launches New Physical Explorer And Passcode Breaker


  • MSAB has just launched an online training portal for customers, which includes on-demand tutorials, recordings of webinars and details of future live online training.
    Introducing Online Training Portal and Software Updates

  • James Wiebe will be hosting a webinar to demo the new Ditto DX on Tuesday, June 1, 2016 at 1 PM Pacific Time.
    Meet Ditto® DX: Your New Partner in Crime

  • There are a couple of articles up on Forensic Focus this week:
    • Scar at Forensic Focus has posted a recap of the Forensics Europe Expo which is a conference that covers all aspects of forensics but this year had an increased focus on cybercrime and digital forensics.
      Forensic Europe Expo – Recap
    • There is also an interview with Vladimir Katalov, Co-Founder and CEO, ElcomSoft covering what the company does, and its plans for the future. Katalov explains that at ElcomSoft, as with many companies, their top priority is customers’ demands. The company also monitors the social pipes and mailing lists to identify where other tools are falling short. Katalov also said that he thinks “cloud forensics is the future of mobile forensics”. I think this is becoming the case overall, rather than just specifically mobile. It definitely seems that devices are access points to your data, which allows you to easily and seamlessly access your data from anywhere.
      Interviews – 2016 Vladimir Katalov, Co-Founder and CEO, ElcomSoft

  • Brett Thorson has posted the BSides Cincy talks on YouTube. A couple of the talks caught my eye; however, I haven’t been able to watch them yet.
  • Brett Shavers shared his slides from his “Behind The Keyboard” talk at Enfuse along with a few thoughts.
    The presentation covers a number of ways that people can make themselves anonymous online, and how they’ve slipped up. By identifying the ways that people can avoid detection we can start to identify ways to catch them.
    And in the thoughts section: “When an examiner can integrate data recovered from ‘the box’ with information collected from ‘outside the box’, using any tool and investigative method available, we have a competent and effective digital forensics investigator, not just a tool user”. I particularly like this quote because having data from that outside source really adds credibility to your argument. For example, comparing the call charge records to the call log or SMS database on a phone can be used to show that the times on the extraction are accurate or need to be adjusted.
    Behind the Keyboard – Enfuse 2016 Presentation download

  • Sarah Edwards at mac4n6 released the slides for her SANS webcast on iOS Location Forensics. The recording should be up shortly. The presentation covers both native iOS location services as well as a few apps such as Waze and Runkeeper.
    New Presentation – iOS Location Forensics

  • David Cowen has been busy with a couple of Forensic Lunches from Enfuse 2016. (Warning: lots of text here)
    • The first unfortunately was a little bit difficult to hear; live shows on the road are difficult! But I soldiered on at 1x speed (AKA snail’s pace) to try to hear as much as I could.
      The first guest was Rob Batzloff from Guidance Software covering App Central and a bit of a discussion about the release of Encase Forensic 8. Guidance have focused on improving on Encase 7 (rather than doing a complete 180 as in the 6 to 7 update). They’re bringing back old school search (thankfully) as well as making usability improvements. Enscript developers will be happy that the Enscript language won’t be changing again for this update. I’m interested in seeing the new “Pathways” feature that streamlines the common steps you will do during an examination. Rob did ask for feedback about the feature, asking whether we want Guidance to develop the pathways or allow people to develop their own. I think that it’s a good idea to allow for both and add them to App Central, integrating the most used ones.
      Next up was James Wiebe talking about the Ditto DX. Unfortunately it was very difficult to hear, but I imagine much of what he covered can be seen on the product release page I posted above, and also on the webinar this week.
      Forensic Lunch, Live from Enfuse! Day 1 5/24/16
    • The second Forensic Lunch covered Day 2 of Enfuse and thankfully they fixed the sound.
      The first guest was Paul Shomo from Guidance Software. Paul discussed information governance and forensic research. Paul explained that the paranoia of sharing information doesn’t make sense because there will always be artefacts that relate to usability features that can be used to assist an examination. Matthew’s comment that “people are timid to step out there because it’ll come back to haunt them” is one that I can relate to. I can see why some people get frustrated with this kind of thinking though (which I’m definitely prone to), because they’re happy to make the determination on the stand at court, but aren’t going to share the information in case they pass on something that’s incorrect, which may affect multiple investigations outside of their own.

      The next guests were Jake Williams and Heather Mahalik discussing their happenings in SANS; both Heather’s new GIAC Advanced Smartphone Forensics (GASF) Certification, coming out at the end of August and Jake’s Threat Intelligence course. Also, Heather mentioned her book has been released early.

      Lastly, Ashley Hernandez and Jeff Hedlesky from Guidance Software expanded on the Day 1 Forensic Lunch interview (since half of it was lost due to the audio issues). Encase Forensic 8.0.1 is coming out at the end of June and will be updated quarterly. It appears that 8 is more of an update to 7 than a new version and as a result 8 will allow users to continue their v7 examinations (although I’m not sure if that means you then can’t take the case files back down to v7).

      Guidance has been working on integrating with Project Vic, and has a new Enhanced Agent for corporate customers of Risk Manager which allows users to do more on the agent itself. This update is a shift away from full disk images onto an “export the relevant forensic artifacts” methodology. One of the interesting features of the Enhanced Agent was the ability to set an extraction on a client and the extraction will continue even if they go off the network and notify you when they come back online.

      Ashley also mentioned that Guidance is working on libraries for EX01 and LX01 to allow partners to use images created in that standard.
      Lastly, Ashley discussed a little piece of Guidance’s roadmap for Encase, which includes:

      • Changing how Encase handles archives as well as new archive file format support.
      • Browser updates every quarter
      • El capitan servlet with Filevault2 support when the agent is online
      • Increased Encryption/OS support
      • Return of “Bookmark as Image”
      • The “Is bookmarked” column
      • “Refresh” which I’m not familiar with but apparently is a big deal with hashing/hash sets.
      • Integrating the Triage report enscript from App Central directly into the product.

      On the training front, there is now going to be an “all you can eat” option, which I think includes the online Vclass option. And there’s also a 10% discount on Tableau products if you purchase training.

      Jeff Hedlesky shared what’s happening with Guidance’s Tableau line of products. Jeff covered the PCI storage media and the new Tableau Universal Bridge (and eventually a portable version) that is the same as the Combo Bridge but has a PCI socket (including M.2 support) to natively image PCI suspect media.
      Jeff also talked about an update to the TD2-U duplicator which adds AES encrypted evidence files, and a soon-to-be-released update to the TD-3 firmware which should triple the network performance, as well as adding NTFS and HFS+ support for destination drives (which also improves imaging speeds).
      Forensic Lunch, Live from Enfuse! Day 2 5/25/16


  • Kevin Ripa posted an article on the SANS Digital Forensics and Incident Response Blog regarding data recovery. The post goes into detail about the various problems that can be faced with hard drives and solid state drives. Hard drives seem to have more pieces that can break, but the chances of recovery are probably better. The section on SSDs basically says that if the controllers get corrupted you can potentially emulate them, but if you can’t you have to resort to chip removal and data reconstruction. The remainder of the article addresses some common misconceptions as well as providing a list of guidelines and links.
    Let’s Talk About Data Recovery

  • On the same topic of data recovery, the folks at Gillware have posted a couple of case studies.
  • Ruurd Dijkstra at Access Data has listed 6 things that government tax authorities should look for when selecting a digital forensics software platform to support their investigations. These are: collaboration, remote examination, role-based access, scalability, web review, and reporting.
    Investigating Potential Tax Fraud: 6 Things Government Tax Authorities Should Look for in a Digital Forensics Tool

  • Adam at Hexacorn has another program execution post. This method allows a script to run when a user logs in, and the script can be placed on the domain controller’s netlogon share, a fake share created using a simple command line trick, or a folder within the computer’s System32 directory.
    Beyond good ol’ Run key, Part 38

  • Paul Sanderson has a post up about secure deletion of SQLite records. When a record is deleted, “in order to maintain database integrity SQLite MUST maintain a copy of the data that has been deleted somewhere until it ‘knows’ the last transaction has completed correctly, that somewhere is the journal”. It appears that regardless of the mode a Rollback Journal works in, you may be able to recover deleted records using normal forensic techniques. The post then goes on to explain how to examine the Write Ahead Log for deleted records and concludes that “if a WAL file still exists or can be recovered you can potentially find evidence of any securely deleted records from often many previous transactions.”
    Q. When is secure delete not secure?
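To make the WAL behaviour concrete, here is an added Python example (not code from Paul’s post or from the SQLite project) that inserts a row into a WAL-mode database with secure_delete on, deletes it, checkpoints, and then checks which on-disk file still holds the deleted bytes; the database path, table name and marker value are constructed for the demonstration.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed marker value: unique enough to search for in raw file bytes.
SECRET = b"CONSTRUCTED-DELETED-RECORD-4n6"


def secure_delete_vs_wal(secret: bytes = SECRET) -> dict:
    """Insert one row into a WAL-mode SQLite database with secure_delete ON,
    delete it, checkpoint, and report where the deleted bytes can still be
    found on disk. Returns a dict of results for the caller to inspect."""
    workdir = tempfile.mkdtemp(prefix="sqlite-wal-demo-")
    db_path = os.path.join(workdir, "messages.db")
    wal_path = db_path + "-wal"
    # isolation_level=None: every statement is its own committed transaction,
    # so each commit appends frames to the -wal file immediately.
    conn = sqlite3.connect(db_path, isolation_level=None)
    try:
        conn.execute("PRAGMA journal_mode=WAL")
        conn.execute("PRAGMA secure_delete=ON")
        secure_on = conn.execute("PRAGMA secure_delete").fetchone()[0] == 1
        conn.execute("CREATE TABLE msgs(id INTEGER PRIMARY KEY, body BLOB)")
        conn.execute("INSERT INTO msgs(body) VALUES (?)", (secret,))
        # The "secure" delete zeroes the freed cell in the *new* copy of the
        # page, which is appended to the WAL as a fresh frame; the frame that
        # was written by the INSERT is left untouched.
        conn.execute("DELETE FROM msgs WHERE body = ?", (secret,))
        # A FULL checkpoint copies the latest page versions into the main file
        # but does not truncate the WAL, so the older frames stay on disk.
        conn.execute("PRAGMA wal_checkpoint(FULL)")
        with open(db_path, "rb") as f:
            main_bytes = f.read()
        with open(wal_path, "rb") as f:
            wal_bytes = f.read()
        result = {
            "secure_delete_on": secure_on,
            "in_main_db": secret in main_bytes,   # expected False
            "in_wal": secret in wal_bytes,        # expected True
            "wal_frames_with_secret": wal_bytes.count(secret),
        }
    finally:
        conn.close()  # closing the last connection checkpoints and deletes the WAL
        wal_after_close = os.path.exists(wal_path)
        shutil.rmtree(workdir, ignore_errors=True)
    result["wal_exists_after_close"] = wal_after_close
    return result


if __name__ == "__main__":
    for key, value in secure_delete_vs_wal().items():
        print(f"{key}: {value}")
```

The deleted content survives only in the -wal file, which is also why it vanishes once the last connection closes cleanly and SQLite checkpoints and removes the WAL; a WAL file carved or copied while the application was still running is what keeps it recoverable.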

  • There were quite a few posts on the Champlain College blog this week covering Enfuse and a few final projects
    • Justin Waite provided a short summary of Jake Williams’ “Advanced Persistent Threat (APT) Attacks Exposed Network, Host, Memory, And Malware Analysis” presentation. The takeaway was that an incident response process should contain memory, threat and malware analysis as well as system forensics, and hopefully be able to distribute the load among a team of specialised professionals.
      Enfuse 2016 Reflection – Justin Waite
    • Parker Desborough shared thoughts on the “Red Team Blue Team Black Eye: A Case for Cyber Readiness Exercises and Continuity” panel. The panel noted the importance of a well rested, up to date incident response plan. Your plan can be all well and good, but it needs to be tested and up to date to ensure the best response in the event of an incident. It also allows people to constantly identify their weaknesses and adjust in a training environment so that on game day they don’t have to rise to the occasion and instead default to their training.
      Enfuse 2016 Session Highlight By Parker Desborough
    • Parker also wrote a short post about the overall (positive) experience of attending Enfuse as a beginner.
      I Had Nothing To Be Worried About At Enfuse 2016
    • Kyle Montibello shared his thoughts on Ken Pyle’s “Public Information Gathering and Social Engineering: Low Tech, High Reward”, which can be summarised as: use strong passwords rather than just the bare minimum, and ensure that the information shared about you on social networks (even ones you don’t use any more) can’t be used to steal your identity.
      Enfuse 2016 Session Highlight – Kyle Montibello
    • The Forensic Tool Comparison team has published their final report for the semester. The report covers the time taken to perform a keyword search, the number of hits returned, the accuracy of the timelining features, as well as file export. The tools examined were FTK v6.0.1, EnCase v7.10, and Magnet IEF v6.7. If you use any of these tools it may be worth looking through their findings, especially around search hits. For the most part the tools excelled where you would expect them to; however, it’s good to know that some tools are better at one thing than another.
      Forensic Tool Comparison Final Report
    • The Cloud Forensics team has also published their final report. The team set out to update the previous report written in 2013. The questions they set out to answer regarded application artefact creation, file deletion, file and system metadata modification from move and copy operations in the synced folders, and remaining artefacts after uninstallation. The services examined were iCloud, Dropbox, Google Drive and Microsoft OneDrive. There’s a lot of content here, so it’ll be a little difficult to summarise it all; it’s worth reading through the report when similar questions arise in an investigation.
      Cloud Forensics Final Report
    • Lastly, the Amazon Echo report was also published. The Echo team attempted to determine what forensic artefacts can be recovered from devices and interfaces associated with the Amazon Echo. The team’s findings mainly covered the Nexus 7 device that they used to interact with the Echo and found “timestamps for the commands given to Alexa as well as the Echo’s response to user commands” which can be quite useful to know.
      Amazon Echo Final Report

  • Michael Cohen at Rekall has two posts up this week:
    • The first describes the pmem suite of tools that allow for memory acquisition. Interestingly the tools acquire memory to the AFF4 image format but can also output to RAW and ELF. The post continues with some examples of RAM acquisition and interpreting the AFF4 file format.
      The pmem suite of memory acquisition tools
    • The second provides an in-depth look at the new plugins (i.e. “pfn”, “p2v” and “rammap”) that use the Windows Page Frame Number (PFN) database to relate a physical address directly to the virtual address.
      Rekall and the windows PFN database

  • Pasquale Stirparo posted a short diary entry on the SANS ISC InfoSec Forums. This post covered some testing done on the effects in the Registry of opening a file from WinZip. Pasquale found that “If a user opens a document/file contained inside a zip archive by double clicking directly from the WinZip explorer view, it will not be recorded in the Registry”. I’ve asked a couple of questions on the forum because I’d like to know if the RecentDocs key was examined, or maybe there were additional subkeys created that the WinZip RegRipper plugin didn’t know about.
    The strange case of WinZip MRU Registry key

  • Weare4n6 posted how they had removed the NAND from an iPhone (model unspecified) and rebuilt the data with a PC-3000 Flash before parsing the binary file with Oxygen. Without more information I would have to guess that this is an iPhone 3GS or prior, as my understanding was that the data was encrypted at the chip level from the iPhone 4 onwards (and then logically, if I recall, from a couple of iOS versions ago).
    Extracting data from a damaged iPhone via chip-off technique

And that’s all (3300 words) for Week 21! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
