Week 22 – 2016


  • Didier Stevens updated his Python script zipdump to version 0.0.3. This update added a number of command-line arguments, such as -dumpall (which dumps all files rather than just the first), an option to supply a password, and support for YARA rules and decoders, among others. (I could only compare to 0.0.1, so some of the updates mentioned may have been in a previous version.)
    Major Update For zipdump.py
  • Oxygen Forensics updated their Detective product to version 8.4.1. Notable feature improvements include the ability to extract WhatsApp data from iCloud Drive, crypt9/crypt10 decryption for WhatsApp message backups on Android devices, acquisition of email conversations from any IMAP email server, and some additional minor application support and usability updates.
    Oxygen Forensic® Detective extracts messages from Email Server and WhatsApp data from iCloud!
  • Cellebrite released UFED 5.1, which updates their Touch, 4PC, Physical Analyzer and Logical Analyzer products. Notable mentions in this update are improvements to physical extraction support (including passcode bypass) for a number of Samsung, Nokia, Huawei and LG devices, as well as updates to app support, functionality tweaks and bug fixes.
    Cellebrite UFED 5.1 Release Notes
  • MSAB renamed XAMN 6.16 to XAMN Horizon version 1.0, updating it to a 64-bit build that is fully compatible with XRY v7 files.
    XAMN Horizon v1.0
  • MSAB also updated MSAB Kiosk & Tablet to version 7.0. The latest version adds additional device and app profiles, software-based write protection of all connected USB drives, and “improved Admin functionality in v7 Kiosk, when importing and exporting settings to units”. The Kiosk has also been updated with “full logical and physical extraction capabilities matching our MSAB Office and Field platforms.”
    MSAB Kiosk & Tablet 7.0
  • Passware released Passware Kit 2016 v3. The main updates were to Passware Kit Forensic, but all editions can now recover passwords from iWork documents. Specific to their Forensic product:
    • FileVault2 decryption using an iCloud recovery key (authentication token or iCloud credentials)
    • iCloud token acquisition from standalone systems
    • Distributed Password Recovery improvements for RAR, KeePass and OpenOffice files.*
    • PGP GPU acceleration for passwords with Unicode (non-ASCII) characters.*
      * – (Also added to Passware Kit Business)
      New In Passware Kit 2016 v.3
  • Katana Forensics released Lantern 4.5.7. This update adds support for iOS 9.3.2 and Android 6.0. Thanks to @mattdotts for passing this on.
  • Paul Sanderson updated Forensic Browser for SQLite to version 3.1.1, resolving a bug that slowed the program down after a query returned a large dataset.
    New release 3.1.1
  • X-Ways Forensics 18.8 was updated to SR-6, which came with several bug fixes and minor improvements.
    X-Ways Forensics 18.8 SR-6
  • X-Ways Forensics 18.9 Beta 1 and Beta 2 were also released during the week. This release added the ability to add comments in the PhotoDNA hash database, improvements to the interface, updates to the relevance estimation, improvements to BitLocker handling, and several minor improvements and bug fixes.
    X-Ways Forensics 18.9 Beta 2


  • Yogesh Khatri has a short post discussing the database behind the notification feature in Windows 10. The post also includes a Python script for parsing the database and an 010 Editor template.
    Parsing the Windows 10 Notification database


  • A new episode of The Cyber Jungle podcast was released this week, with the host Ira Victor giving his thoughts on Enfuse 2016, as well as conversations with Heather Mahalik, Aaron Higbee and David Cowen. Heather covered the general philosophy of improvement: identifying where your weaknesses lie and reaching out to others for help. Aaron from PhishMe discussed phishing and the issues faced by organisations. And lastly, David talked through the challenges and benefits of Windows 10 for forensic examiners. Apparently Cortana is a wealth of information, with location tracking on by default, as well as a record of the audio searches performed, including the SSID and MAC addresses of the routers that the device is connected to. David also mentioned that the System Resource Usage Monitor (SRUM) may also be an important artefact in the future. I’m quite interested to see the changes in LNK file creation/existence and will have to do a bit of research on that. Lastly, David mentioned the issue with hibernation file decoding for the new format. There was a tool, HIBR2BIN, that purported to do it; however, a colleague of mine had a look at it and said that it didn’t successfully convert the file.
    May 30, 2016 Episode 380, Show Notes
  • SANS DFIR webcast by Philip Hagen and Ryan Johnson on DNS Evidence. In the webcast they “explore some simple and effective ways to create logs of DNS traffic, what specific value they can provide for other evidence types, and how to exploit these logs at scale.”
    DNS Evidence You Don’t Know What You’re Missing
  • SANS uploaded a number of videos this week from the Threat Hunting Summit 2016, which took place in April. I ran out of time and wasn’t able to watch all of them, so if any of the speakers read this, it isn’t an indictment of the quality of your talk.
  • Dr Bradley Schatz shared his slides from AusCERT 2016. The presentation compared various methods of forensic imaging and proposed some changes that will result in speed improvements, as well as promoting the AFF4 forensic imaging standard (see slide 51 for why this may be a smart move). I just found that a number of the videos from AusCERT 2016 have been uploaded here, but I wasn’t able to locate Dr Schatz’s talk.
    Accelerating forensic and incident response workflow: AusCERT 2016 Slides
  • Magnet posted some information about a couple of webinars.


  • Soufiane Tahiri, author of Mastering Mobile Forensics, has a post on the Packt Publishing blog. Soufiane identifies that there is currently “no standard or unified model that is adapted to acquiring evidences from smartphones”. This is probably true, as phones are all so different that it’s difficult to determine which is the best method of data extraction. Because of this, I have been performing a series of different extractions on mobile devices and then comparing the data available (noting that sometimes a logical extraction will get you one piece of data and a file system extraction another). The author has examined a number of different models and proposed a new one for mobile devices; realistically, though, this model appears to be fairly standard and can probably apply across the board: after identifying and taking possession of the relevant item, preserve and process it, validate and verify your findings, then present your findings in both written and oral form before archiving your case. The model adds “documentation” as a central process connected to every process that interacts with the device. The article goes on to explain some low-level techniques for data analysis (file carving, metadata extraction, application reverse engineering) and then gives an overview of iDevice, Android and Windows Phone forensics, including a summary of file systems, lock screens/passcode bypass and data extraction techniques.
    Mobile Forensics
  • Pete McGovern at Epyx Forensics has a post on loading custom firmware onto a locked Samsung Galaxy Exhibit T599n MetroPCS phone (with USB debugging turned off) to allow an examiner to remove the passcode and image the device over ADB.
    Android Forensics – Bypassing Passcodes by Flashing Recovery Partitions
  • Jamie McQuaid at Magnet Forensics has a short post walking through the “Process” component of Magnet AXIOM. Streamlining the acquisition and artifact parsing process will be quite useful, considering that an image will often finish halfway through the night and the processing time would otherwise be wasted. There’s also a video at the bottom of the link worth watching to see how the whole process works.
    Magnet AXIOM Process: Streamlining Acquisition and Processing
  • James Habben has a post announcing a new page on his site listing the various Python libraries that he uses in his scripting. If you have the background to get the libraries installed (if you’re new to it, I definitely feel your pain, especially on Windows systems without internet access), then libraries are great for getting code written quickly.
    New Page: Python Libraries
  • Brett Shavers mentioned that he was recently on a podcast, discussing his career, some case studies and his new book. The accompanying blog post goes on to explain why Brett believes that sharing information on how to conduct your investigation, even with those on the other side, will have a net positive effect: during the conversation you can learn valuable information that you could use at a later stage. I particularly liked when he pointed out that even those who know better still get caught.
    The Secret to Becoming More-Than-Competent in Your Job
  • Adam at Hexacorn has two posts up this week in his Run key series
    • An administrator can utilise Group Policy to execute scripts on events such as logon/logoff. I think the main thing to look out for is noted in the last line: “an attacker could simply append some commands to existing scripts, or hijack execution of existing commands using many of existing tricks (f.ex. path interception, path companion, etc.)”. This is because of the number of artifacts left behind to indicate script execution.
      Beyond good ol’ Run key, Part 39
    • I’m not 100% sure where part 40 is going, but it appears that Internet Explorer and WERFault.exe try to load a series of DLLs on Windows 10 that don’t exist on the desktop platform. So I guess an attacker can exploit this functionality by adding in malicious DLLs?
      Beyond good ol’ Run key, Part 40
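The practical check for this class of finding is a Procmon capture filtered to CreateFile operations that returned NAME NOT FOUND for a .dll path: every directory the loader probed and failed to find the library in is a spot where a planted DLL would be picked up. The script below is an added example (my own code, not Adam’s post or any Hexacorn tool). It reads a Procmon CSV export, lists per process which DLL names were probed in which directories and in what order, and flags probe locations under directories a standard user can write to. The CSV lines, the DLL names (example_phone.dll, example_mobile.dll) and the writable-directory list are all constructed for the example; they are not the DLLs Adam found.

```python
import csv
import io

# Constructed Procmon CSV export (File > Save..., CSV format). The column names
# are Procmon's defaults; the paths and DLL names are made up for this example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0001 AM","WerFault.exe","4120","CreateFile","C:\Windows\System32\WerFault.exe","SUCCESS","Desired Access: Read Data/List Directory"
"10:02:11.0002 AM","WerFault.exe","4120","CreateFile","C:\Windows\System32\example_phone.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0003 AM","WerFault.exe","4120","CreateFile","C:\Windows\example_phone.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0004 AM","WerFault.exe","4120","CreateFile","C:\Users\bob\AppData\Local\Temp\example_phone.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0005 AM","iexplore.exe","5012","CreateFile","C:\Program Files\Internet Explorer\example_mobile.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0006 AM","iexplore.exe","5012","CreateFile","C:\Windows\System32\example_mobile.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0007 AM","iexplore.exe","5012","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
'''

# Directories a standard user can typically write to. This is an assumption
# for the example; extend it with the host's PATH entries and any world-
# writable application folders you find.
USER_WRITABLE = ('C:\\Users\\', 'C:\\ProgramData\\', 'C:\\Temp\\')


def dll_probes(csv_text):
    """Map process name -> {dll name -> {'probed': [paths not found, in search
    order], 'found': True if some CreateFile on that DLL name succeeded}}.
    DLLs that were found on the first try never appear in the result."""
    per_proc = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row['Path']
        if row['Operation'] != 'CreateFile' or not path.lower().endswith('.dll'):
            continue
        dll = path.rsplit('\\', 1)[-1].lower()
        entry = per_proc.setdefault(row['Process Name'], {}).setdefault(
            dll, {'probed': [], 'found': False})
        if row['Result'] == 'NAME NOT FOUND':
            entry['probed'].append(path)
        elif row['Result'] == 'SUCCESS':
            entry['found'] = True
    return {proc: {d: e for d, e in dlls.items() if e['probed']}
            for proc, dlls in per_proc.items()}


def plantable(probes, writable=USER_WRITABLE):
    """Probe locations a non-admin could drop a DLL into. Each tuple is
    (process, dll, path, found): found == False means the DLL was never
    located at all, so any missing directory on the search path will do;
    found == True means the planted copy would pre-empt the legitimate one."""
    prefixes = tuple(w.lower() for w in writable)
    hits = []
    for proc, dlls in probes.items():
        for dll, e in dlls.items():
            for path in e['probed']:
                if path.lower().startswith(prefixes):
                    hits.append((proc, dll, path, e['found']))
    return hits


if __name__ == '__main__':
    for hit in plantable(dll_probes(SAMPLE_CSV)):
        print('%s probes %s at %s (found elsewhere: %s)' % hit)
```

Two caveats when running this against a real capture: KnownDLLs (kernel32.dll and friends) are mapped from the \KnownDlls object directory and never show up as disk probes, so their absence from the output is expected, and a probe under a user-writable directory is only exploitable if that directory is actually on the loader’s search path for that process (application directory, current directory, or PATH), which the CSV alone does not prove.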
  • Luis Rocha at Count Upon Security has a new post in his digital forensics series, this week regarding NTFS INDX records and journaling. The post provides a step-by-step guide to parsing the $I30 index and the $LogFile in an attempt to locate indications of a deleted file in the INDX record slack.
    After the author locates indications of his deleted file in the $LogFile, he correlates this information with other timestamps in the Prefetch and Shimcache.
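To make the $I30 side of that walkthrough concrete, here is an added example (my own code, not Luis Rocha’s). It constructs a small INDX record, deletes the last-sorted file name from it the way NTFS does (the live entry list and end marker are rewritten in place, and the old bytes beyond them are left behind), then parses the live entries and carves the stale $FILE_NAME out of the slack. The record, the file names, the MFT record numbers and the timestamps are all made up for the example; on a real case the record bytes come from the directory’s $INDEX_ALLOCATION attribute. The parser undoes the update-sequence fixups first, because on disk the last two bytes of every 512-byte sector are overwritten with the update sequence number, and skipping that step silently corrupts any name that happens to straddle a sector boundary.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NODE_HDR = 0x18      # index node header follows the 24-byte INDX record header
USA_OFF = 0x28       # update sequence array sits right after the node header
ENTRIES_OFF = 0x28   # first entry, relative to the node header (absolute 0x40)
FN_FMT = '<QQQQQQQIIBB'  # fixed 66 bytes of $FILE_NAME; UTF-16LE name follows

def to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

# plausibility window for carved timestamps; anything outside is not a $FILE_NAME
FT_MIN = to_filetime(datetime(1990, 1, 1, tzinfo=timezone.utc))
FT_MAX = to_filetime(datetime(2100, 1, 1, tzinfo=timezone.utc))

# ---- builder for the constructed sample (on a real case the bytes come from disk)
def raw_entry(name, mft_no, ft, parent=5):
    # index entry = 16-byte header + $FILE_NAME attribute, padded to 8 bytes
    fn = struct.pack(FN_FMT, parent | (5 << 48), ft, ft, ft, ft, 4096, 1234,
                     0x20, 0, len(name), 3) + name.encode('utf-16le')
    length = (16 + len(fn) + 7) & ~7
    hdr = struct.pack('<QHHI', mft_no | (1 << 48), length, len(fn), 0)
    return hdr + fn + b'\0' * (length - 16 - len(fn))

def write_node(buf, entries):
    # (re)write the live entry list in place; bytes beyond it are left as slack
    data = b''.join(entries) + struct.pack('<QHHI', 0, 16, 0, 0x02)  # end marker
    struct.pack_into('<4sHHQQ', buf, 0, b'INDX', USA_OFF, len(buf) // SECTOR + 1, 0, 0)
    struct.pack_into('<III', buf, NODE_HDR, ENTRIES_OFF, ENTRIES_OFF + len(data), len(buf) - NODE_HDR)
    buf[NODE_HDR + ENTRIES_OFF:NODE_HDR + ENTRIES_OFF + len(data)] = data

def add_fixups(buf, usn=7):
    # park the last word of every sector in the USA and stamp the USN there
    struct.pack_into('<H', buf, USA_OFF, usn)
    for i in range(len(buf) // SECTOR):
        end = (i + 1) * SECTOR
        buf[USA_OFF + 2 + 2 * i:USA_OFF + 4 + 2 * i] = buf[end - 2:end]
        struct.pack_into('<H', buf, end - 2, usn)

def build_sample():
    """Constructed 1 KiB node that held notes.txt and payload.exe, after payload.exe
    was deleted: the rewritten end marker covers the old entry header, but the
    $FILE_NAME bytes of payload.exe stay behind in slack."""
    ft = to_filetime(datetime(2016, 5, 30, 9, 15, tzinfo=timezone.utc))
    buf = bytearray(1024)
    write_node(buf, [raw_entry('notes.txt', 40, ft), raw_entry('payload.exe', 41, ft)])
    write_node(buf, [raw_entry('notes.txt', 40, ft)])  # payload.exe removed
    add_fixups(buf)
    return bytes(buf)

# ---- parser / slack carver
def undo_fixups(record):
    # restore the sector-end words; a mismatch means a torn or bogus record
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from('<HH', buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError('fixup mismatch in sector %d' % (i - 1))
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def file_name_at(buf, off):
    # decode a $FILE_NAME at off, or return None if the bytes do not look like one
    if off + 66 > len(buf):
        return None
    _parent, c, m, mm, a, _alloc, real, _fl, _ea, nlen, ns = struct.unpack_from(FN_FMT, buf, off)
    if not (1 <= nlen <= 255 and ns <= 3 and off + 66 + 2 * nlen <= len(buf)):
        return None
    if not all(FT_MIN <= t <= FT_MAX for t in (c, m, mm, a)):
        return None
    name = buf[off + 66:off + 66 + 2 * nlen].decode('utf-16le', errors='replace')
    if not name.isprintable() or '\ufffd' in name:
        return None
    return {'name': name, 'real_size': real,
            'created': from_filetime(c), 'modified': from_filetime(m)}

def parse_indx(record):
    """Return (live_entries, slack_entries) for one INDX record."""
    buf = undo_fixups(record)
    if buf[:4] != b'INDX':
        raise ValueError('not an INDX record')
    entries_off, entries_size, alloc = struct.unpack_from('<III', buf, NODE_HDR)
    off, live_end = NODE_HDR + entries_off, NODE_HDR + entries_size
    live = []
    while off < live_end:
        mft_ref, length, _stream, flags = struct.unpack_from('<QHHI', buf, off)
        if flags & 0x02 or length < 16:  # end-of-list marker carries no name
            break
        fn = file_name_at(buf, off + 16)
        if fn:
            live.append(dict(fn, mft_record=mft_ref & 0xFFFFFFFFFFFF))
        off += length
    # slack runs from the end marker to the end of the allocated node; entries are
    # 8-byte aligned, so step by 8 and keep whatever still decodes as a $FILE_NAME
    slack = [fn for fn in (file_name_at(buf, o) for o in range(live_end, NODE_HDR + alloc, 8)) if fn]
    return live, slack
```

Running `parse_indx(build_sample())` gives one live entry (notes.txt, MFT record 40) and one slack entry (payload.exe). The carver validates candidates on the four FILETIMEs and on the name decoding as printable UTF-16LE rather than looking for index entry headers, because NTFS overwrote the deleted entry’s 16-byte header with the new end marker and only the $FILE_NAME survived; a header-based scan would miss it. A slack hit has no trustworthy MFT record number (the header is gone), so it is correlated by name and timestamps against the $LogFile, Prefetch and Shimcache, as the post goes on to do.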
  • Harlan Carvey had two posts up this week.
    • The first posed the question of what the value of data is and who decides what’s valuable. He explains that the client and the examiner both have their goals, and the question arises as to how much information the examiner should provide, especially when information they’ve obtained may be outside their initial scope but could be important to the client.
      The question posed is a difficult one; the client has an end goal and they’re paying you to give them the answers to their questions. Discerning what a client is asking for and what they actually want as a deliverable is a valuable skill. From there, the examiner will have a series of questions of their own and will have to obtain the relevant artefacts to draw conclusions from, as well as identify the various avenues that may be questioned by opposing counsel.
      Harlan explains that data interpretation is also a critical skill, as artefacts on their own can often be misunderstood and ultimately misrepresented. Having multiple artefacts to support your claims is quite important, if they exist.
      One of the questions asked is “how much data is too much data”; I think that on one hand it’s good to have the “too much data” because your standard processes might miss something. I’ve been playing around with creating small timelines surrounding artefacts of interest (i.e. certain files that appear to be the beginning of a malware infection) and then creating a kitchen-sink timeline and looking around that time for anything I have missed. If you go the other way, however, you might get lost in the minutiae of standard OS operations.
      Regarding the questions posed at the end on ‘where to stop’ (aka scope creep); I think that for the scenario provided, I would give the client a rundown of what I’ve found prior to putting my findings into a proper report, so they can decide whether what I’ve found is important to them. You can also give them updates throughout your investigation so that you don’t go down the rabbit hole on something they ultimately don’t care about.
      What’s the value of data, and who decides?
    • The second post explains the new “lastloggedon” RegRipper plugin, which extracts the LastLoggedOnUser and LastLoggedOnSAMUser values from the Authentication\LogonUI key in the Software hive. Harlan also explains how RegRipper’s amcache plugin can be used to parse the AmCache.hve file despite it not being a registry hive as such, because it uses the same binary format. Lastly, Harlan updated his AppCompatCache plugin on the back of Eric Zimmerman’s AppCompatCacheParser post.
  • Weare4n6 have a few articles this week
    • The first article shared a GIF of a chemist’s method of destroying the platters of a hard drive. The full video with explanation can be found here.
      The best way to secure erase hard drives
    • They also elaborated on last week’s article on their iPhone chip-off decryption technique. They acknowledged that there is encryption on iPhones after the 3GS and explained that to decrypt the data you will need to either brute-force the encryption or obtain the keys from the device. They appear to have developed a technique to obtain the keys from the device and then use them to decrypt the data on the chip. Overall this technique covers devices that are damaged but not locked with a passcode. They ask at the end of the article how they can show the process working without revealing what they do; I think that even if they just show a working iPhone, then the chip removal process (or even just the chip before/after), the read using the PC-3000 Flash and then finally the decrypted files, that would satisfy most. If they can figure out how to brute-force the passcode next (and share it) that would be fantastic.
      Extracting data from a damaged iPhone via chip-off technique – Part 2
    • They also explained a case where they were able to examine the components of a car after a crash to ascertain what happened. Typically this is done by crash investigators, so I don’t know how much the computer forensics folks will deal with this level of examination. There may be a merging of the crash investigation team and the computer forensics scope of work as more and more is moved onto the car’s computers. Examinations using tools like Berla’s iVe can show whether a car’s lights were on, whether the doors opened, and I think in some cases whether there was weight on the seats. I believe that it’s important that the people in charge of the investigations know what sources of data are available, so sharing this type of information with them is critical.
      The Evolution of Vehicle Forensics. A fresh approach
    • Microsoft has allowed users to remove the 260-character limit for NTFS paths in the latest Windows 10 Preview build via a Group Policy setting.
      Microsoft removes 260 character limit for NTFS Path
    • They also shared a presentation by Steve Watson on Arduino forensics, which was presented at DFRWS 2014. The presentation covers what Arduinos are, their potential uses, and a couple of different ways of obtaining data from them if required.
      Arduino Forensics


  • Chris Brewer continued his series of posts on ransomware by showing how to perform a dynamic analysis using Regshot, Procmon and Wireshark. As a side note, I’ve recently come across a tool called Noriben, by Brian Baskin, which is quite useful for interpreting the Procmon output.
    Ransomware Part 3: Let’s Try the Real Thing
  • James Antonakos at Trustwave has posted a short walkthrough of how he dissected some malware that arrived in his spam folder. The author goes through deobfuscating some VBScript, downloading the malware, and decoding it. At the very end (spoiler alert), James ends up with an executable showing that the spam email was trying to distribute the Cryptolocker malware.
    Digging in the Spam Folder
  • Adam at Hexacorn showed that the AutoIt compiler preserves the path to the original AutoIt script. This can be useful should the language be used to generate malware.
    Real coders code in Au3
  • Weare4n6 shared an article from Demisto about malware command and control servers. The article describes a method for identifying C2 servers and compromised devices and recording them.
    Command-and-control Malware Traffic Playbook

Lastly, Mitch Green posted this YouTube video on a fantastic new technique for locating hidden electronics. I’m not sure how to get one, but I think it’s definitely worth putting in the request to the boss.

As a side note, I’ve added a calendar page to the blog so that I can easily see what’s coming up. It’s mainly for conferences, webinars and a few other notable dates that I would otherwise mention. I figured that this would be easier than having a spreadsheet.
And that’s all for Week 22! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
