Week 29 – 2016


  • Philippe Lagadec has updated oleobj.py and rtfobj.py in his OLE Tools project to version 0.48.
    OLE Tools

  • Magnet Forensics updated IEF to version 6.8.1, which mainly includes improved app support and updates, and bug fixes.
  • Oxygen Forensic has updated their Detective product to version 8.5.0. This includes updated WhatsApp and Apple Wallet support; however, the major talking point will be its iCloud Extractor, which can emulate a phone so that the user isn’t notified when the data is downloaded. The full release notes can be found here.
    Oxygen Forensic® Detective acquires apps data from iCloud!

  • Johan Berggren announced the release of Timesketch 2016.7, codename Interstellar. The update adds a “Story” section, which allows you to include saved searches in a report alongside a narration. This looks quite useful, as I often find I need to add a bit more context (for both myself and the client) to understand the presented artefacts. There is also improved control of the sharing options, among other improvements, and a short section on what is planned for the next release, which includes canned searches and the ability to add external timeline events; both of these make me interested in checking this out.
    Timesketch 2016.7

  • Brian Carrier advised that Cyber Triage was updated to version 1.6.0. The new update adds metadata extraction for all scanned files and identification of dynamic domains “to quickly identify if the endpoint was connecting to a dynamic DNS domain”.
    Dig Deeper: Find More IOCs and Fast Flux Domains
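
Cyber Triage’s own matching logic isn’t described in the post, so the following is an added example (not Cyber Triage code) of the kind of check involved: a suffix match of queried hostnames against a list of dynamic DNS provider zones, run over a constructed DNS log. The zone list and the log lines are constructed for illustration; a real deployment would pull a maintained provider list.

```python
"""Flag DNS lookups for hostnames under dynamic DNS provider zones.

Added example, not Cyber Triage code. DYNDNS_ZONES and SAMPLE_LOG are
constructed for illustration; use a maintained provider list in practice.
"""
from collections import defaultdict

# Constructed, deliberately short list of dynamic DNS provider zones.
DYNDNS_ZONES = {
    "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org", "zapto.org",
    "dyndns.org", "duckdns.org", "myftp.biz", "sytes.net",
}

# Constructed sample log: "<timestamp> <client ip> <queried name>" per line.
SAMPLE_LOG = """\
2016-07-18T10:01:02Z 10.0.0.15 update.microsoft.com
2016-07-18T10:01:09Z 10.0.0.15 c2-panel.no-ip.org
2016-07-18T10:02:31Z 10.0.0.22 mail.example.org
2016-07-18T10:03:44Z 10.0.0.15 srv1.ddns.net
2016-07-18T10:04:00Z 10.0.0.31 no-ip.org.example.com
garbage line that should be skipped
"""


def dyndns_zone(hostname):
    """Return the dynamic DNS zone hostname falls under, or None.

    Candidate suffixes are built on label boundaries, so 'srv1.ddns.net'
    matches 'ddns.net' while the lookalike 'no-ip.org.example.com'
    (provider name used as a subdomain of something else) matches nothing.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in DYNDNS_ZONES:
            return suffix
    return None


def find_dyndns_lookups(log_text):
    """Return (client, hostname, zone) for every lookup under a dynamic DNS zone."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than abort the whole run
        _timestamp, client, query = parts
        zone = dyndns_zone(query)
        if zone is not None:
            hits.append((client, query, zone))
    return hits


def hosts_by_client(hits):
    """Group flagged hostnames per endpoint, the view an analyst triages from."""
    grouped = defaultdict(set)
    for client, query, _zone in hits:
        grouped[client].add(query)
    return {client: sorted(names) for client, names in grouped.items()}


if __name__ == "__main__":
    for client, names in hosts_by_client(find_dyndns_lookups(SAMPLE_LOG)).items():
        print(f"{client}: {', '.join(names)}")
```

The label-boundary walk is the part worth keeping: a plain substring test for “no-ip.org” would also fire on the lookalike in the last line, and an exact-match test would miss every host registered under the zone.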

  • The Sleuth Kit and Autopsy were updated to versions 4.3.0 and 4.1.0 respectively. The TSK update includes PostgreSQL support (Windows only) and support for virtual machine formats, whilst the Autopsy update includes a new list view in the Timeline tool as well as VMDK/VHD detection and support. The full release notes can be found below.
    The Sleuth Kit History
    Autopsy History

  • X-Ways Forensics 18.9 SR-2 was released, which contained various bug fixes. Stefan also advised that the EDBex.dat external program file is not malicious, despite what 9 out of 53 virus scanners on VirusTotal say.
    X-Ways Forensics 18.9 SR-2

  • X-Ways Forensics 18.9 Preview 2 was released with some minor improvements to interaction with the PhotoDNA hash database.
    X-Ways Forensics 18.9 PR-2


  • Cellebrite announced their UFED Touch2 platform on their YouTube channel. The updated version is a slimmer tablet with better battery life, an improved screen, faster CPU and memory, USB 3 ports and an inbuilt SIM card reader (including micro and nano SIMs).
    UFED Touch2 Platform

  • Eric Zimmerman published a small program that will examine IIS logs and append geolocation data to the end of each line, as well as creating a spreadsheet of all geolocated IPs.
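
As an added example (not Eric’s program), here is a Python sketch of the same two outputs: parse IIS W3C extended log lines using the #Fields directive, append country and city to each line, and emit a CSV of unique geolocated client IPs. GEO_TABLE and the log lines are constructed; a real version would query a GeoIP database instead of the table.

```python
"""Parse IIS W3C extended logs, append geolocation to each line, tabulate IPs.

Added example, not Eric Zimmerman's program. GEO_TABLE and SAMPLE_IIS_LOG are
constructed (the CIDR blocks are documentation ranges, not real allocations);
a real version would consult a GeoIP database instead of GEO_TABLE.
"""
import csv
import io
import ipaddress

# Constructed lookup: (network, (country, city)).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), ("AU", "Sydney")),
    (ipaddress.ip_network("198.51.100.0/24"), ("US", "Ashburn")),
]

# Constructed log. Field order comes from the #Fields directive, which IIS
# writes whenever the configured fields change, so it is parsed, not assumed.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-07-18 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2016-07-18 00:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 200
2016-07-18 00:00:05 10.0.0.5 POST /login.aspx - 80 - 198.51.100.9 curl/7.47 401
2016-07-18 00:00:07 10.0.0.5 GET /admin - 80 - 198.51.100.9 curl/7.47 403
2016-07-18 00:00:09 10.0.0.5 GET /robots.txt - 80 - 192.0.2.1 Mozilla/5.0 200
"""


def geolocate(ip_text):
    """Return (country, city) for an address, or ('-', '-') when unknown/invalid."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ("-", "-")
    for net, location in GEO_TABLE:
        if ip in net:
            return location
    return ("-", "-")


def parse_iis_log(text):
    """Yield (raw_line, record) pairs; record maps #Fields names to values."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip it
        yield line, dict(zip(fields, values))


def annotate_lines(text):
    """Each original line with ' <country> <city>' for the client IP appended."""
    out = []
    for line, rec in parse_iis_log(text):
        country, city = geolocate(rec.get("c-ip", ""))
        out.append(f"{line} {country} {city}")
    return out


def ip_summary_csv(text):
    """CSV of unique client IPs with location and request count, busiest first."""
    counts = {}
    for _line, rec in parse_iis_log(text):
        ip = rec.get("c-ip", "-")
        counts[ip] = counts.get(ip, 0) + 1
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["c-ip", "country", "city", "requests"])
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        country, city = geolocate(ip)
        writer.writerow([ip, country, city, n])
    return buf.getvalue()


if __name__ == "__main__":
    print("\n".join(annotate_lines(SAMPLE_IIS_LOG)))
    print(ip_summary_csv(SAMPLE_IIS_LOG))
```

Reading the field list from #Fields rather than hard-coding column positions matters in practice: IIS sites are routinely configured with different logging fields, and a log file can contain more than one #Fields directive if the configuration changed mid-file.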


  • SANS uploaded a few presentations from the recent Summit to the DFIR YouTube channel:
  • This week’s episode of the Digital Forensics Survival podcast covers DFIR certification. As Michael explains, certifications provide a resource for teaching and validating your skills, as well as being a requirement for passing the HR gauntlet. Of course one doesn’t need a certification to show their abilities; however, it does show that at the very least you were at one time capable of passing the exams, or were shown how to perform a task. Michael recommends the vendor-neutral certifications such as those provided by IACIS or SANS, but also suggests that one should be certified in their tool.
    DFSP # 022 – DFIR Certification Planning & Considerations

  • On this week’s Brakeing Down Security podcast Bryan interviewed Cheryl Biswas regarding her involvement in TiaraCon, a venture to promote women in Infosec as well as her work in securing ICS and SCADA systems. TiaraCon is running concurrently with DEFCON and Blackhat in Las Vegas. Registration appears to be free, and you can register here.
    2016-028: Cheryl Biswas discusses TiaraCon, Women in Infosec and …

  • Steve Whalen of Sumuri was on The Cyber Jungle this week, giving a brief overview of their new product, Carbon. Carbon is a virtualisation suite that allows an examiner to quickly create a virtual machine from a mounted Windows drive without altering data on the drive itself. The tool also comes with a copy of Recon for Windows to quickly parse forensic artefacts. I haven’t had a chance to play with Recon yet; however, I’m definitely interested. In most of my cases I tend to create a virtual machine of the device (usually using Jimmy Weg’s method, OpenLV, or creating a restored copy), as this allows me to easily get a feel for the user as well as verify settings. Steve explains in the podcast that Carbon will allow an examiner to create this virtual machine in under a minute, which is definitely appealing. The tool also allows you to bypass Windows passwords and create a recording of what you do.
    July 20 2016, Episode 382, Show Notes


  • Scott J. Roberts shared his thoughts on using Golang for DFIR – primarily a series of resources that he’s used to learn the language and its benefits over Python, which appears to be the de facto DFIR standard.
    Golang for DFIR

  • A post on DFIR.Training expounds the benefits of reviewing tools. This website is probably the only comprehensive resource of DFIR tools and training so it’s as good a place as any to compile a list of experiences with a specific tool. I do wonder if people may be hesitant because they aren’t sure if the issue is with their understanding or the tool itself.
    DFIR Tool reviews matter

  • Carpe Indicum describes his process of timeline analysis using ElasticSearch and Kibana. He explains how he has set up his system (including the initial hiccups) and then the benefits of using this form of visualisation over the Excel template created by SANS. I’m interested in getting this to work because there’s a lot of repetition when it comes to determining user activity on a system (as per the SANS poster mentioned in the post) that can easily be scripted.
    Kibana and SANS Evidence of…

  • Didier Stevens continues his series of posts on password auditing an AD user database.
  • Forensic Focus had two posts of interest this week
  • Cindy Murphy at Gillware Digital Forensics has done a brief analysis on the data stored by Pokemon Go on Android and iOS. From the looks of things the Android app stores a lot of useful information. From my brief dalliance with the game there’s some location data stored when you successfully capture a Pokemon as well (although I’m not sure whether that would be stored on the device, or the servers, or both). I wonder if these teens used that location data when speaking with the cops.
    Oh, No – Pokémon Go! A Sneak Peek at Forensic Artifacts

  • Mari DeGrazia has a post on decrypting FileVault2 images without a Mac. Mari walks through the process of extracting the EncryptedRoot.plist.wipekey and using it, along with the password, to decrypt a FV2-encrypted image in SIFT. After the encrypted volume is mounted you can then image it using ewfacquire or dd.
    Mounting and Reimaging an Encrypted FileVault2 Mac Image in Linux

  • Patrick Siewert at Pro Digital Forensic Consulting shared thoughts I’m sure many of us have had whilst being asked if something was possible. “It depends” is almost the standard answer. Simple questions like “Can you extract data from a locked iDevice?”, which previously may have had a single yes or no answer, are now conditional on OS version, model, status of the phone, etc. I think this post is quite good for clients to read through just to get an idea of what may or may not be possible; it all just depends.
    The Digital Forensic Answer: It Depends

  • Vineet Bhatia at Threathunting shared a list of talks they believe defenders should attend at the upcoming Blackhat and Defcon conferences in Las Vegas.
    Defenders guide to talks at BlackHat 2016 / Defcon 24

  • Jamie Levy at Volatility Labs has posted up an opportunity for those that have taken the Windows Malware and Memory Forensics training course to partake in the Memory Forensics Across the Enterprise – Beta course. The course will be in NYC next month and “will test some new material focused on performing IR across multiple machines involving different operating systems; and how to maximize efficiency of analysis on a large scale”.
    Memory Forensics Across the Enterprise – *Beta*

  • William Ballenthin, Matt Graeber, and Claudiu Teodorescu of the FireEye Labs Advanced Reverse Engineering (FLARE) Team released their paper on WMI. The paper “demonstrates actual and proof-of-concept attacks using WMI, shows how WMI can be used as a rudimentary intrusion detection system (IDS), and presents how to perform forensics on the WMI repository file format.”
    Windows Management Instrumentation (WMI) Offense, Defense, and Forensics

  • Samuel Alonso shared a paper developed by NATO that is used to train special forces in digital forensics and evidence preservation. I wasn’t able to read through the paper, but it’s linked at the end of Samuel’s post.
    Battlefield Digital Forensics

  • Adam B at Hexacorn has part 42 of the Beyond good ol’ Run key series, this time covering the Ease of Access centre. By modifying a registry key on Win8+ systems, registered Assistive Technology (AT) applications can be launched during the logon process. Elevated privileges are required to register an AT; alternatively, it’s possible to modify an existing AT to point to your malicious executable. Adam also included some sort-of persistence mechanisms as a bonus.
    Beyond good ol’ Run key, Part 42

  • Harlan Carvey has a short post covering a variety of topics. His new book on the analysis process is getting a new chapter (for an explanation of the book go here, and to my knowledge Harlan is still looking for forensic images to include). He shared his thoughts on an RDP Bitmap Cache Parser and Pancake Viewer, as well as a compilation of the links shared regarding Web Shells.

  • Igor and Oleg at Weare4n6 explained that they had trouble extracting contacts and SMS messages from newer Samsung devices. They identified a tool called “Wondershare MobileTrans” that is capable of decoding SmartSwitch backups, which gives you access to the SMS messages and the contact list.
    Extracting data from SmartSwitch backups


  • Darknet shared a tool called DMitry – Deepmagic Information Gathering Tool. This is a Linux command-line program ”with the ability to gather as much information as possible about a host”. The basic functionality allows for whois lookups, searching for subdomains and email addresses, as well as TCP port scans.
    DMitry – Deepmagic Information Gathering Tool

  • Hasherezade has a how-to for turning DLLs into EXEs. There are two types of cases she has come across: where the code starts in an exported function, or where it starts in DllMain (with the caveat that the process won’t always work). She then shows the steps to generate a standalone EXE using her tool, PE-bear.
    How to turn a DLL into a standalone EXE

  • The Microsoft Malware Protection Center Threat Research & Response Blog has a couple of interesting posts this week
    • The first is a write-up of the Kovter click-fraud malware; it uses an interesting trick where it creates a junk file with a random file extension and then registers that extension with a shell open registry key whose command holds the actual malicious code. The malicious code is then executed whenever the junk file is opened.
      Kovter becomes almost file-less, creates a new file type, and gets some new certificates
    • The next post says more about Microsoft’s decision to allow multiple dots in filenames than anything else. The “vulnerability” relies on the user assuming that the “..” is there because the filename is too long to display, rather than because the filename ends in “.” and has the extension “.WSF”.
      Nemucod dot dot..WSF
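
The Kovter registration pattern above (random extension, a ProgID for it, and a shell\open\command that runs script rather than a program) is something you can hunt for in an exported hive. The following is an added example, not Microsoft’s or Kovter’s code: a small parser for .reg export text plus a check that flags open handlers whose command runs a script host with inline javascript:/vbscript:/encoded content, and maps each flagged ProgID back to the extensions pointing at it. SAMPLE_REG is constructed; the extension, ProgID and script body are invented.

```python
r"""Find file-type handlers whose shell\open\command carries inline script.

Added example, not Microsoft's or Kovter's code. SAMPLE_REG is a constructed
.reg export that sketches the pattern the write-up describes (an invented
extension mapped to an invented ProgID whose open command runs script through
mshta.exe); the names and the script body are made up. On a live host the
input would come from `reg export HKCU\Software\Classes classes.reg`.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CURRENT_USER\Software\Classes\.b6c1e]
@="b6c1e"

[HKEY_CURRENT_USER\Software\Classes\b6c1e\shell\open\command]
@="\"C:\\Windows\\System32\\mshta.exe\" \"javascript:a1b=\\\"x\\\";eval(a1b);close()\""
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
SCRIPT_HOST = re.compile(r"\b(mshta|wscript|cscript|powershell|rundll32)(\.exe)?\b", re.I)
INLINE_SCRIPT = re.compile(r"(javascript:|vbscript:|\s-enc\w*|\beval\(|\bexecute\()", re.I)


def unquote_reg_string(token):
    """Turn a quoted .reg string literal into its value; None for other types.

    Only REG_SZ literals are handled; dword:/hex: values are skipped.
    """
    if len(token) < 2 or not (token.startswith('"') and token.endswith('"')):
        return None
    return re.sub(r"\\(.)", r"\1", token[1:-1])  # \\ -> \ and \" -> "


def parse_reg(text):
    """Return {key path: {value name: string}} for the string values in a .reg file."""
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            tree.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name_token, value_token = value_match.groups()
            name = "(Default)" if name_token == "@" else unquote_reg_string(name_token)
            value = unquote_reg_string(value_token)
            if value is not None:
                tree[current][name] = value
    return tree


def suspicious_handlers(tree):
    """Return [(extensions, progid, command)] for open handlers running inline script."""
    # Map each ProgID back to the extension keys that point at it.
    extensions_for = {}
    for key, values in tree.items():
        leaf = key.rsplit("\\", 1)[-1]
        if leaf.startswith(".") and "(Default)" in values:
            extensions_for.setdefault(values["(Default)"].lower(), []).append(leaf)
    findings = []
    for key, values in tree.items():
        if not key.lower().endswith(r"\shell\open\command"):
            continue
        command = values.get("(Default)", "")
        if SCRIPT_HOST.search(command) and INLINE_SCRIPT.search(command):
            progid = key.rsplit("\\", 4)[-4]  # ...\Classes\<progid>\shell\open\command
            findings.append((extensions_for.get(progid.lower(), []), progid, command))
    return findings


if __name__ == "__main__":
    for exts, progid, command in suspicious_handlers(parse_reg(SAMPLE_REG)):
        print(f"{progid} (extensions: {', '.join(exts) or 'none'}) -> {command}")
```

The notepad handler is there as a control: it is a legitimate shell\open\command and must not fire. Requiring both a script host and an inline-script marker keeps the rule from flagging every handler that merely mentions wscript.exe; the ProgID-to-extension map is what tells you which junk file on disk is the trigger.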

  • Didier Stevens provided an analysis of a malicious Office document on the SANS ISC Diary. The document uses a UserForm to execute a PowerShell command; Didier walked through his process of using his oledump and base64dump Python scripts to obtain the PowerShell command.
    Office Maldoc: Let’s Focus on the VBA Macros Later…
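
Once oledump and base64dump have pulled the strings out of the form, the remaining step is decoding them, and the thing that trips people up is that powershell -EncodedCommand takes UTF-16LE, not UTF-8. The following is an added example, not Didier’s scripts: it takes text already extracted from a document, finds base64 runs, and decodes each one, telling the UTF-16LE form apart from plain ASCII. SAMPLE_FORM_TEXT is constructed, and the encoded command is a harmless one generated in the block so it runs offline.

```python
"""Decode base64 blobs pulled out of a maldoc, recognising PowerShell's UTF-16LE.

Added example; it is not Didier Stevens' oledump/base64dump (those locate the
strings inside the OLE streams). This takes text already extracted from a
document and decodes each base64 run, distinguishing the UTF-16LE form that
powershell -EncodedCommand expects from plain ASCII. SAMPLE_FORM_TEXT is
constructed: the encoded command is a harmless one generated below.
"""
import base64
import re

# A base64 run long enough to be worth decoding (short runs are mostly noise).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Constructed sample: what extracted UserForm control text might look like.
PLAINTEXT_CMD = "Start-Process notepad.exe"
ENCODED_CMD = base64.b64encode(PLAINTEXT_CMD.encode("utf-16le")).decode("ascii")
STAGE_PATH_B64 = base64.b64encode(b"c:\\users\\public\\stage.ps1").decode("ascii")
SAMPLE_FORM_TEXT = (
    'Attribute VB_Name = "UserForm1"\n'
    f'TextBox1.Text = "powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_CMD}"\n'
    f'TextBox2.Text = "{STAGE_PATH_B64}"\n'
)


def decode_base64_text(token):
    """Return (encoding, text) for a decodable base64 token, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # -EncodedCommand takes UTF-16LE: for ASCII-only commands every odd byte
    # is NUL, which is a cheap and reliable tell. (Non-ASCII commands would
    # need a fuller heuristic.)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return ("utf-16le", raw.decode("utf-16le"))
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary payload: hand it to a different tool
    return ("ascii", text) if text.isprintable() else None


def extract_commands(text):
    """Return [(token, encoding, decoded)] for every decodable base64 run."""
    findings = []
    for match in B64_RUN.finditer(text):
        result = decode_base64_text(match.group(0))
        if result is not None:
            findings.append((match.group(0), result[0], result[1]))
    return findings


if __name__ == "__main__":
    for token, encoding, decoded in extract_commands(SAMPLE_FORM_TEXT):
        print(f"[{encoding}] {token[:16]}... -> {decoded}")
```

The odd-byte NUL check is the practical takeaway: decoding an -EncodedCommand blob as UTF-8 gives you the command letters interleaved with NULs, which is why strings output from such samples often looks like “S t a r t - P r o c e s s”.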

And that’s all for Week 29! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
