Week 25 – 2016


  • Belkasoft updated their Evidence Center suite to version 7.5. In this update the user interface has been revamped, encrypted iTunes backups are now supported, Outlook 2016 Outlook 2016 support has been improved, as well as updates to usability. A more extensive set of release notes can be found here.
    New Update: Evidence Center v.7.5

  • Elcomsoft has update their Phone Viewer tool to version 2.20. Previously this tool could only open unprotected data or backups pre-decrypted with other tools, but the developer has now added the ability to decrypt password-protected iTunes backups. Elcomsoft Phone Viewer supports information saved to local or cloud backups by
    Apple iOS 6.x to 9.x (iTunes and iCloud backups), BlackBerry 10 backups created with BlackBerry Link and decrypted with Elcomsoft Phone Breaker, and
    Windows Phone 8/8.1 and Windows 10 Mobile; Windows Live backups downloaded with Elcomsoft Phone Breaker.
    Elcomsoft Phone Viewer 2.20 Goes Stand-Alone

  • Cellebrite updated Physical and Logical Analyzer to version 5.1.1 however later advised not to update as a bug has been identified. I don’t have the release notes, however I recall reading that this update contains various bug fixes and enhancements. Once Cellebrite uploads the release notes they should be found at the location below.

  • PeerLab by Kuiper Forensics was updated to version 2.0. I hadn’t heard of PeerLab but it appears to parse the various files associated with peer-to-peer file transfer programs. The update appears to be various minor enhancements and bug fixes.
    Thanks to Weare4n6 for passing that along.
    PeerLab’s Version-History

  • Forensic Browser for SQLite was updated version 3.1.2. This update fixes a bug where partial records were occasionally overlooked.
    New release 3.1.2

  • X-Ways Forensic 18.8 was updated to SR-9. The update contained a few bug fixes
    X-Ways Forensics 18.8 SR-9

  • X-Ways Forensic 18.9 Beta 6 was released. This update added hashing images when imaging through the command line interface and the ability to hash files, interpreted images and disks in X-Ways Imager.
    X-Ways Forensics 18.9 Beta 6


  • Eric Zimmerman was asked if he could add a GUI to his Jumplist parser (via Mark Woan and Andrew Case) and delivered a Beta version in a day (I guess that should be expected from Digital Forensic Investigator of the Year).
    I’m looking forward to the Zimmerman Windows Intelligence Forensic Tool (ZWIFT) that it appears he’s working towards. I’m envisaging an MFT viewer that allows you to select files of interest, right click and parse them (or parse them automatically), and then add them to a report or timeline or both.
    Jumplist Explorer Beta Announcement

  • The guys at GC-Partners also released a Python script for parsing Windows Event Logs called EventMonkey. Once the tool is run it stores the output in an SQLite database. I’m assuming that it works on EVT and EVTX files.


  • The slides for last week’s First Conference in Seoul were posted in the program page. There are a few presentations that look interesting, but unfortunately I didn’t have time to go through them.
    First Conference 2016 Program

  • This week’s Digital Forensics Survival podcast covered the John the Ripper password cracking utility. Michael went over the basic uses of John and introduced us to a tool called Winrtgen. Winrtgen, which can be downloaded here, allows a user to generate their own rainbow table. On a side note, do any password cracking utilities generate rainbow tables whilst they’re bruteforcing? I feel like that would be a great time saver if you brute force often…considering hard drive space is so cheap these days.
    DFSP # 018 – John the Ripper & Rainbow Tables

  • The SANS DFIR Summit in Austin was on during the week, and with it came the annual Forensic 4Cast awards. Lee has done a great job yet again getting this self-proclaimed “cage fight” up and running yet again. Congrats to the winners!
    • Computer Forensic Software         – Magnet IEF
    • Computer Forensics Hardware     – Tableau TD2U
      Open Source Forensic Software    – Sumuri Paladin
    • Phone Forensic Software                – Cellebrite PA/4PC
    • Phone Forensic Hardware              – Cellebrite UFED Touch
    • Digital Forensics Book                    – iOS Forensics
    • Digital Forensics Blog                     – Forensic Focus blog
    • Digital Forensic organisation       – Cellebrite
    • Digital Forensic investigator         – Eric Zimmerman
      Forensic 4:cast Awards 2016 – Results

  • Brian Moran has shared his slides for his presentation at the DFIR Summit. This presentation covers Smart Watches and was previously presented at Bsides Charm. The slides can be found here.
    Brian also released a Perl script to go along with the presentation. The script will “allow the user to parse out data from a SQLite database associated with Pebble data stored on either an iOS or Android device, and present that information in an easy to read format.”
    Public release of “allyourpebblearebelongtous” Perl script

  • The China Computer Forensics Conference was also held in Shanghai this week. The list of presentations look quite interesting so if anyone has access to them (Chinese or English, Google Translate is great), please send them through.
    12th Annual China Computer Forensics Conference


  • Paul Slater at Nuix has written his thoughts about information (and intelligence) sharing; primarily that “investigative tools similarly must be developed that enable, not prevent, information sharing, intelligence, and collaboration”. This in turn would allow investigators to examine all the available information from the current and previous cases in a manner that they can discern useful intelligence. If I recall I think Cellebrite has similar thoughts with their UFED Analytics tool. I think Microsystemation’s XEC may also lean this way.
    Intelligence and Information Sharing Are Indispensable in the Fight Against Crime

  • The folks at Magnet have a post describing a feature of AXIOM that allows examiners to easily identify where the tool has obtained its data from. The two columns, “Source” and “Location” now contain hyperlinks that allow an examiner to quickly go to the data that has been parsed. The next step would be to highlight some of the parsed data as well, so you can see which bytes are being parsed as the date for example. Another feature being showcased is the ability to filter results for a specific user using the “Find Related Artifacts”.
    Connecting the Dots Between Data and its Source: Source Linking

  • Michael Maurer has started a series on outputting Log2timeline to Elasticsearch and then reviewing the output with Kibana. This first post covers installing all of the applications on Ubuntu.
    Viewing Log2timeline output with Kibana (4.x)

  • Blackbag training team have an interesting piece on some testing of iOS’s airdrop capability. They took a photo on one iPhone and transferred it via the AirDrop functionality to a second iPhone. The team found that the original photos name and created/modified dates were changed and the photo size was reduced but otherwise the internal metadata was unchanged. This would mean that an examiner may think that the recipient may have taken the original photo. From simply looking at the metadata of the original photo you can see that the EXIF data matches the date created/modified (which are the same). It’s interesting to see that the file size has changed and I wonder if that has to do with the compression or physical dimensions of the image being altered. Lastly the created and modified dates of the file on the recipient’s iPhone are different (from each other). It would be good if Blacklight had a feature that incorporates some simple analysis to highlight photos in the DCIM folder that most probably weren’t taken with the current phone being examined; it appears that there are a number of data points that can be examined (different EXIF/Date Created/Date Modified) that can identify that the photo may be different from the others.
    Did The iPhone Take The Picture?

  • Sarah Edwards has shared a number of links regarding the most recent announcements out of WWDC. This includes the advent of the new operating and file system as well as the updates to security and various Mac related blog posts. She also listed a number of the locations where she will be presenting and teaching her SANS FOR518 course.
    Mac News & Updates

  • The Mach Monster has a very in-depth technical post on examining the Apple EFI firmware in an attempt (successful one too) to determine how Apple is able to reset an EFI password using an unlock code. This post is very technical and way over my head, but the end result is that the author was able to determine a method of resetting your firmware password “as long the SPI flash chip is not the new BGA type. You just need a device to dump the flash chip, remove the variable and reflash the modified version, or directly remove the variable (I always prefer to full dump and reflash)”. I wonder if you modified the variable inline if this will have an affect on the computer clock, I imagine it shouldn’t, unless you have to remove the battery before reading the chip?.
    Apple EFI firmware passwords and the SCBO myth

  • Cindy Murphy has a fairly extensive post about Flash Memory and the possibility of recovering data from a formatted flash memory chip. The story goes that a client had brought in a memory card that had accidently been formatted, and the hex editor showed all zeroes. Because of the way that NAND works, data may reside on the chip itself waiting to be cleaned up and can only be accessed by circumventing the controller (which would just tell you that the data isn’t there). The examiner had to do a direct read of the NAND (difficult) which happened to be a Monolith style card. The end result, the recovery of a significantly large amount of the photos that everyone else had previously written off as gone. This has quite important forensic implications, especially if an offender has taken photos of a victim and then wiped them away in the hope of saving themselves.
    Flash Memory Amnesia – Resurrecting Data through Direct Read of NAND Memory

  • Oleg Afonin at Elcomsoft has posted the Android section of his “Fingerprint Unlock Security” series. The post covers Androids Fingerprint unlock process, as well as the “Smart Lock” feature, which allows a user to unlock a phone based on physical proximity to a location or bluetooth device or the user’s face. Similarly to Apples TouchID however the Smart Lock feature doesn’t work if the phone has been power cycled. Also, without encryption enabled the passcode unlock itself does very little to circumvent those able to bypass it. The end of the articles adds a bonus section covering the Windows Hello feature on high-end Lumia devices – basically the phone uses the camera to perform a depth-sensitive iris scan to unlock the phone; the author hasn’t been able to test this security feature, nor has he located any research about it.
    Fingerprint Unlock Security: iOS vs. Google Android (Part II)

  • Adam at Hexacorn had a few posts this week
    • First he has written a list of windows-related artifacts created by various programming frameworks that may help us to determine what is the payload compiled with.
      Certain Windows… stay classy…
    • He shared the lessons he learnt running his small side business. It was interesting to read how he started his company and nothing happened, then an avalanche of work, and then (after unfortunate circumstances), decided to scale it back. It seems like that’s a trend with many small businesses.
      5 years of hexacorn
    • He has also updated DeXRAY, adding support for ESafe (VIR), Microsoft Windows Defender (partial support) and Spybot – Search & Destroy.
      DeXRAY update

  • Forensic Focus has posted an interview with Lee Reiber, Chief Operations Officer at Oxygen Forensics. The interview covers Lee’s careers progression and where Oxygen is heading. Lee believes that the main challenge in mobile forensics is application overload, which I have to agree with; if someone is using an app that isn’t supported then the examiner may miss important data in their examination. I haven’t used Oxygen in a long while, but I would really like the phone forensics manufacturers to provide an app list for a phone, and then identify whether they support the app (including version) for the examiner. (Although I have to mention a caveat that I haven’t been doing many phones recently, so they may have updated to do this).
    Lee also mentioned that he’s working on an update for his book.
    Interview With Lee Reiber, COO, Oxygen Forensics

  • Greg Smith at TrewMTE shared a number of posters that he’s collected over the years relating to forensics, cyber and security.
  • Ryan Benson has put together a plugin for his Hindsight tool for decoding load balancer cookies; although Ryan admits that the use case for these cookies relates more to web app testing or red-teaming over DFIR.
    Load Balancer Cookie Decoder

  • Harlan Carvey has a couple of posts this week
    • The first post covers a few updates relating to the new book’s cover (Syngress has changed the format again across the line), Mari’s recent blogpost on Mac imaging, and updates to the malware regripper plugin. It’s a little surprising that Harlan has had people not reading the title of the books…Syngress has been fairly consistent with their cover’s over the years. Don’t judge a book by its cover people!
    • And on the topic of books, Harlan has announced his next book project; this one covers the analysis process, rather than specific artifacts; think “I’ve got the data, how do I answer the questions I’ve been asked”. I’d highly recommend reading through the post to get an idea of what the book will cover, and if there’s something you think he’s missed, reach out to him because he wants the feedback. Realistically he can only cover what he knows about, so if there’s something in there that you can contribute, shoot him an email (keydet89 at yahoo dot com). There was also a shout-out for images (real or user generated), and the offer a free signed copy of the book when it comes out. I’m happy to see in the comments that a few people have taken him up on the offer, but I’d like to see more people get involved if they can.
      New Book

  • Weare4n6 posted a few articles
    • First they shared a link to Ghiro, an open source forensic tool developed by Alessandro Tanasi and Marco Buoncristiano.
      Ghiro – a must have digital image forensics tool
    • They also compared a few different iTunes backup examination tools to determine which obtained the most data from incomplete iTunes backups. Of the tools they tested (UFED PA, Oxygen, Belkasoft Evidence Centre), Belkasoft’s tool provided the most data.
      Extracting data from damaged iTunes backups
    • Phil Hagen wrote a python script that “reads IP addresses from STDIN and uses the MaxMind GeoIP databases to output various data points for each source IP”.
      ip2geo – a handy script for geoip lookups
    • Chet Hosmer, Joshua Bartolomie and Rosanne Pelli have written a new book called “Executing Windows Command Line Investigations”. I was unable to locate an expected publication date.
      Executing Windows Command Line Investigations
    • Lastly they shared a link to a comprehensive set of articles by Adam Leventhal on the new Apple file system.
      APFS in Detail


  • Maxime Lamothe-Brassard at the Demisto Blog shares a basic process for proactively hunting for threats on a system. The basic process is to create a hypothesis, prototype the detection mechanism, test it, refine it, and then evaluate your original hypothesis. This process can be applied to a number of different areas. For example, performing user activity analysis one can list the various ways that an artifact could have come to be where it was, perform some testing and then determine which hypothesis is most likely.
    Proactive Hunting: Hunt With a Plan, Structure and Automation

  • The Microsoft Malware Protection Center has a blog post about malware delivered in OLE-embedded objects. User consent is still required, however I believe this method is similar but different from executing macros.  The author then explains that you can modify a registry key to prevent activation of OLE packages.
    Where’s the Macro? Malware authors are now using OLE embedding to deliver malicious files

  • Moritz Raabe and William Ballenthin have a post on the FireEye blog on the use of “FireEye Labs Obfuscated Strings Solver (FLOSS) to recover sensitive strings from malware executables”. FLOSS appears to be an updated version of strings.exe, as it can be run on malware with obfuscated strings, and “can also extract all static ASCII and UTF-16LE strings from any file”. The authors also shared a few ways to use the tool.
    Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)

  • Shawn Kanady at Trustwave has a post describing some memory analysis looking for the PoSeidon malware. The post covers his process answering a few commonly asked questions; Confirmation of malware on the system, date of compromise, outbound connections and location on disk.
    PoSeidon Adventures in Memory

And that’s all for Week 25! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s