Week 26 – 2016


  • Cellebrite updated UFED Physical Analyzer to version 5.1.2. This update adds support for the crypt12 WhatsApp backup database and addresses various bug fixes.
    UFED Physical Analyzer Version 5.1.2 Maintenance Release

  • Oxygen Forensics released an update to their Detective product, now at version 8.4.2, improving support for newer versions of various apps and numerous minor usability enhancements.
    Oxygen Forensic® Detective enhances applications support!

  • Google updated Rekall to 1.5.2. The update includes a number of new plugins for IR and triage, better integration of the EFilter and the ability to use data within the forensic artifacts project.
    Release 1.5.2 Furka

  • Paul Sanderson has fixed a few bugs and added the ability to  ability to “colour code columns that the Browser adds to carved tables” in the latest version of Forensic Browser for SQLite (v3.1.3).
    New release 3.1.3

  • Phil Harvey has updated ExifTool to version 10.21 adding various new metadata tags. There may also be minor bugs in this version (of the EXE) as it was packaged on Win10 as opposed to WinXP.
    June 29, 2016 – Version 10.21

  • F-Response have updated their Universal and Now products to The update includes “more examiner platform support, improvements to Linux Subjects, better handling of Apple Volume labeling, and LDAP/AD Authentication improvements”
    F-Response Universal/Now Released

  • Berla recently updated their iVe product to version 1.8.4 however I haven’t been able to locate release notes.
    Berla Support

  • X-Ways Forensic 18.8 SR-10 was released with various bug fixes and the “ability to identify more PDF and HTML documents with no extractable text”.
    X-Ways Forensics 18.8 SR-10

  • X-Ways Forensic 18.9 updated to Beta 6B with the same fix level as 18.8 SR-10.
    X-Ways Forensics 18.9 Beta 6b


  • Matt Seyer has released a Python based forensic image viewer. It’s an alpha release and is based on open source libraries. You can download it here.
    New Forensic Image Viewer Under Dev #DFIR #INFOSEC

  • Nir Sofer at NirSoft has released ShadowCopyView (and updated it to v1.01) to examine Volume Shadow Copies on a system. The tool allows an examiner to load all of the VSCs and optionally export files from them. As a feature request it would be great if you could select a file or folder and export the same path from each VSC.
    ShadowCopyView v1.01


  • Guidance have released the slides from the most recent Enfuse conference.
    Enfuse 2016 Presentations

  • SANS, too, have uploaded the slides from the recent DFIR Summit
    Digital Forensics & Incident Response Summit 2016 Presentations

  • David Kovar released another version of the presentation slides; they’re more or less the same except for the first few slides which cover a background of the drone industry, anti-drone solutions and terminology
    UAV Forensics – version 2

  • Mark Dufresne at Endgame posted his slides on Proactive Threat Hunting. This presentation covers the importance of searching and hunting for adversaries on your network. Mark explains that the difference between hunting and searching is that on a hunt you are stealthy, proactive and methodical without relying on IOCs, whereas in a search, you know what you’re looking for. The presentation continues with methods of hunting, as well as the benefits of doing so.
    Hunting Before a Known Incident

  • IronGeek, also known as Adrian Crenshaw, has uploaded the presentations from BSides Cleveland 2016. Thanks to We Are 4n6 for pointing this out.
    IronGeek’s YouTube Channel

  • International Journal of Electronic Security and Digital Forensics 2016 Vol. 8 No. 3 was published, however it requires a subscription to access. It contained the following articles:
    • A fuzzy logic approach for detecting redirection spam – Kanchan Hans; Laxmi Ahuja; S.K. Muttoo
    • An ad hoc detailed review of digital forensic investigation process models – Reza Montasari
    • Besieged privacy in social networking services -Shujun Dong; Xingan Li
    • Privacy-enhanced distance computation with applications – Xiaojuan Chen; Yi Mu; Xiaofen Wang; Runhua Shi
    • An authentication scheme for multi-server environments based on chaotic maps – Yun Tao
    • Generating optimal informed and adaptive watermark image based on zero-suppressed binary decision diagrams for medical images – Lamri Laouamer; Muath Alshaikh; Laurent Nana; Anca Chrisitine Pascu
      IJESDF 2016 Vol. 8 No. 3

  • This week’s Digital Forensics Survival podcast provided a description of the freely available hash cracking tool, Hashcat. The episode covered the benefits of the tool, and the various attacks that it is capable of.
    DFSP # 019 – Password Cracking with Hashcat


  • The Scientific Working Group on Digital Evidence released a document for public comment on the forced minimisation requirements for the seizure of digital evidence. “SWGDE’s position is that this is a disturbing trend, as it can have a negative impact on the investigation and cause, not only a loss of both inculpatory and exculpatory information, but worse, could result in the misinterpretation of information that causes detrimental consequences.”
    SWGDE Comments on Forced Minimization Requirements for the Seizure of Digital Evidence

  • Kevin DeLong at AccessData shared a post regarding changes to Rule 41(b) of the Federal Rules of Criminal Procedure by the US Supreme Court regarding remote searches of computers inside and out of the US. The update intends to allow law enforcement to keep up with technology and access a server that resides within another jurisdiction. Congress has until December 1st to act on the ruling or it will become law.
    Big Changes in Law Enforcement Remote Computer Searches

  • Carpe Indicum shared various stories about analyses that had been conducted where the client ultimately didn’t care about the results, or didn’t follow the recommended advice, which in some instances created further issues for them. This is an interesting topic of discussion that has been raised previously questioning how far in an investigation do you go. The author did go on to explain how they provide their findings; they have determined that writing a high level memo describing their findings, or verbally explaining what they believe has happened is the best utilisation of their time – especially considering it appears clients prefer to get their businesses back on track with a quick fix rather than preventative measures.
    You Can Lead a Client to Water

  • Brian Carrier expanded on the talk that he gave at the recent SANS DFIR Summit. The post talks about “why we’d automate, how other industries think about automation, and a framework for thinking about automation in IR”. For Investigation activities, Brian explains that true automation (that is, unguided by human interaction) is only currently possible for a limited set of questions and scenarios. For Mitigation activities, mistakes could be costly and “like with investigation work, the practical solution for many companies is to have partial automation for mitigation”. The general conclusion is that, at the moment, partial automation appears to be the way to go, and cases for full automation need to be further explored.
    Automating Incident Response: Setting the Stage

  • Cindy Murphy at Gillware’s Forensic arm has a post regarding her gratitude for the recent DFIR Summit in Austin. Cindy explains that she takes away a considerable amount from each summit and training course that she runs. I like the last line of her post: “there is a vast pool of unrecognized or lesser recognized expertise represented among attendees and speakers that keeps our digital forensics and incident response worlds fresh and intensely interesting”. With the advent of WordPress, Github, Blogger and the like, sharing your experiences and knowledge is easier than ever, and many of the denizens of 4n6land are happy to converse if you get them going on a topic. (Plus it gives me more to write about).
    Experts and Expertise in an Ever-changing Environment

  • A new blog popped up this week called DFIR Training. The site is a little raw at the moment as it’s brand new, but the author intends on creating the most comprehensive forensic tool listing available. The site also includes a calendar for the training available globally; for both endeavors the author is requesting assistance from the community. This looks like a promising project.
    If you know what “DFIR” is, you really need to look through this website

  • Paul Sanderson shared a set of steps an examiner can follow to “see the EXIF data from some image files displayed as maps and showing a clickable URL for googlemap”. This can all be done using exiftool (see up top for the latest version) and Paul’s Forensic Browser for SQLite (also see up top for the latest version).
    Using the Forensic Browser for SQLite to display maps based on data from exiftool

  • Hana Gazoli at Cellebrite has posted an article about the TomTom Triplog decryption offered by Cellebrite Advanced Investigative Services. The statistics are a little questionable (GPS sales in North America have been dramatically reducing since 2009), however the article describes the important information that may be obtained from a TomTom device should a user decide to assist the company in improving their navigation. Examiners can extract the logs using UFED PA and employ the services of CAIS to decrypt the information.
    TomTom Triplog Decryption: Provided by Cellebrite Advanced Investigative Services

  • Brijesh Zaveri has a walkthrough on how to downgrade WhatsApp on an Android device, take a backup using ADB and then view the contents of WhatsApps ‘msgstore’ and ‘wa’ databases. After the extraction is complete the user will have to update WhatsApp again for it to work.
    Decrypting the WhatsApp Database

  • This was posted a couple weeks ago but I just found it. Amanda has written up some information about the MFT. For those going through IACIS, this will be a nice handy reference for the NTFS section. She then shares an Enscript  (v6) script for validating and sorting MFT File records into categories (Complete MFT record, Partially Parsed MFT record, Cannot Parse (Unable to Parse but valid header properties), and Not a MFT record).
    NTFS MFT Record Parsing + Parser

  • Michael Karsyan shared some functionality of Event Log Explorer, which allows an examiner to combine a series of event log files into a single event log.
    Saving event logs to one event log file

  • Marc Padilla shared an extensive post on utilising the HFS+ file system attributes to store data. HFS+ allows a file to have an unlimited number of attributes, which can be used to store up to 256KB of data. There are many potential malicious use cases for this feature such as breaking up an image or executable into chunks and attached to an otherwise innocuous file. I imagine if you scan all the extended attributes on an HFS volume and find a file header for a picture, video or executable where it shouldn’t be that would be a flag, until the headers are encoded in some way. Marc also explained that this allows a user to fill a drive with data, regardless of the operating system’s file/folder size limits. This could be a fairly important thing for Apple to fix as an OS X server could be taken offline for a period of time by the disks filling up.
    Using File Attributes to Fill Volumes and Bypass OS X Server Limits

  • Gillware shared an article on extracting data from a FileVault2 encrypted drive. It appears that the problem with this case lay with the file system rather than the hard drive. I found this link to be a really useful takeaway from this article, if you have to troubleshoot a mac when you’ve done a restore. For those that don’t know, you can restore an image of a Mac hard drive to another disk (I usually use USB3 external drives) and then use the Option key to boot the restored copy on another Mac. I’ve found this works a majority of the time although occasionally you get an error message or the computer loops. I find this incredibly useful to examine user settings and get a feel for the user’s system. I haven’t been able to figure out how to boot a forensic image of a Mac using a virtualisation tool.
  • Michael Maurer continued his series on log2timeline and kibana with two articles this week.
    • The first focusing on creating a custom dashboard in Kibana to help analyze Log2timeline log. The post provides a walkthrough on creating searches and visualisations (various graphs of artefacts).
      Log2timeline to Kibana (4.x) Part 2: Custom Dashboard
    • The second covers “deleting a case, installing Kibana plugins, and the difference between analyzed vs not analyzed”. For those utilising Kibana and Elasticsearch, Michael notes at the end of the article that “The current posted Elastic output module for this series does not do a good job separating Analyzed vs Non Analyzed fields”, which may be worth keeping in mind.
      Log2timeline to Kibana (4.x) Part 3: More about Kibana

  • Mary Ellen at “What’s a Mennonite Doing In Manhattan?!” has updated and combined her previous papers into the “Incident Response: A-Z”. This is a fairly extensive paper on how Mary conducts her examinations, and is a very useful resource to read through. As with the last paper she posted, I’m not going to summarise it here, go have a read of it and take what you will from it. I’d imagine everyone will get something out of it.
    Incident Response: A-Z

  • Michael Cohen at the Rekall Memory Forensics blog has a short post about the new searching feature, by the Efilter library, in the update to Rekall.  Michael illustrates how one can use the new feature, which is similar to using SQL queries, to filter data; and it  appears that you can get quite granular.
    Searching memory with Rekall

  • We Are 4n6 were very busy sharing articles this week
    • The first article shares their process for imaging a Filevault2 encrypted drive. The process involving imaging the drive and then mounting the drive on a Mac and imaging it. I haven’t tested it, but I imagine you could also circumvent taking the initial image and connect your drive directly with a write blocker; once the drive has been mounted you can then image it using DD.
      Imaging Apple FileVault2 encrypted drives
    • They shared a Python script released by Alejandro Ramos for recovering SQLite deleted records.
      Just another script for deleted SQLite records recovery
    • European Union Agency for Network and Information Security shared several training courses online. I’m not sure how recently these courses were released, but a few have the “new” tag next to them. Each course includes a handbook and toolset, and when necessary virtual images to work through the examination.
      A digital forensics training online
    • They linked to a blog post where the author, Pieces0310 at cnblogs, shared their experience using Belkasoft to obtain an image of an Android phone.
      Use BEC to do mobile phone forensics
    • Efasfox have released their latest series of forensic computers, which appear to be built with specific software requirements in mind.
      Update your forensic hardware
    • There’s a new app for Encase 7.12 on Guidance’s AppCentral. I tried to download it to play around but unfortunately I’ve had limited success with the portal in the past. The toolkit comes with 15 integrated modules to aggregate Encase functions and open source tools and assist in DFIR investigations.
      EnCase Integrated Toolkit (EITT) Version 2 Release
    • Laginimaineb (who’s name I’m guessing is Gal Beniamini) has posted a very extensive and technical writeup on bruteforcing Qualcomm’s master keys on an Android device.
      Extracting Qualcomm’s KeyMaster Keys – Breaking Android Full Disk Encryption
    • They shared an article by Doug Olenick on a new variety of malware that utilises JavaScript as the ransomware delivery vehicle.
      New RAA ransomware written in JavaScript discovered
    • Following on from the above article they shared a blog post by Floser Bacurio and Roland Dela Paz at the Fortinet Blog that utilises JavaScript to download a new variant of the Locky executable. The new variant has an additional anti-sandboxing technique however their product, Fortinet, has been updated to detect it and “blocks … C&C communication via the IPS signature Locky.Botnet.”.
      Cracking Locky’s New Anti-Sandbox Technique


  • Rodel Mendrez at the SpiderLabs blog shares an analysis of some spam picked up by their spam traps containing a malicious RTF document, exemplifying what Luis Rocha spoke about in his article, The ABC’s of a Cyber Intrusion. Rodel determines the name of the keylogger in use (and is able to obtain the code using an open source .NET decompiler), and then performs some dynamic analysis to examine how the keylogger works, including examining the SMTP traffic it generates and identifying the attackers email address. The author then continues to examine the source code, and is able to decode the FTP credentials stored in the source code.
    How I Cracked a Keylogger and Ended Up in Someone’s Inbox

  • Pieter-Jan shared a Python script, MISP-Extractor, to extract information from MISP via the API.
    Pieter’s Tweet

  • Monnappa Ka has an article in the eForensics magazine on memory analysis using Volatility. The article walks through an example scenario where a user’s computer has been flagged as accessing a malicious website and how the author would examine memory to obtain further information.  The author is able to extract the malicious DLL from memory and confirm that it relates to a specific piece of malware.
    Finding Advanced Malware Using Volatility

  • Casey Smith at subTee shared a method of program execution that utilises regsvr32. This utility allows a user to register and unregister DLLs. He then shared some PoC code to run PowerShell just by calling the aptly named evil.dll.
    What you probably didn’t know about regsvr32.exe

  • Adam at Hexacorn shared a list of “all the phantom/real DLLs that anti-sandbox tricks rely on to detect suspicious, or at least unfriendly AV environment”.
    Enter Sandbox – part 12: The Library of naughty libraries

  • Decalage posted an article describing their Python script mraptor works “to detect malicious VBA macros in MS Office files, based on characteristics of the VBA code”. The script looks for automatic triggers, write, and execute operations; if an automatic trigger followed by a write or execute operation is detected then the macro is flagged as suspicious.
    How to detect most malicious macros without an antivirus

And that’s all for Week 26! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

PS: For those that have gotten to the end of the post, if you’d like to contribute to an exciting project on the analysis process get in touch! Looking for some Windows 10 images populated with user activity and compromised Windows Server (any version) images.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s