Week 4 – 2017

Nominations for the 2017 Forensic 4Cast Awards have opened! If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open


  • MISP was updated to version 2.4.61, and then 2.4.62, during the week. The updates include “a critical bug fix, new features and minor updates”, among them updates to warning lists, a new API, enforcing UTF8 encoding in the default database config, feed import, and extended API restsearch. “PyMISP has [also] been released as version 2.4.62”.
    MISP 2.4.61 released, MISP 2.4.62 and PyMISP 2.4.62 released

  • DME Forensics updated DVR Examiner to version 1.29.0, adding and improving support for various file systems, and fixing some bugs. The release notes can be found on their support portal.

  • Katana Forensics has released Lantern 4.6.6, adding improved “parsing of the Manifest Database in iOS”, and bug fixes.

  • Microsystemations have released XRY v7.2.1 adding “support for 100 new apps, [and] Full support for iTunes backup encryption on iOS 10.1 and 10.2”.
    We’ve released XRY v7.2.1!

  • Oxygen Forensic Detective apparently updated to v9.1.2.40, however, their site doesn’t have any release notes available.
    Check Out @MobileDeviceESI’s Tweet

  • Elcomsoft updated their iOS Forensic Toolkit to version 2.20, adding limited iOS 10 support, “logical acquisition of iPhone 7 and 7 Plus models”, and “fixes automatic discovery or lockdown records in macOS Sierra”.
    iOS Forensic Toolkit 2.20 Adds Limited iOS 10, iPhone 7/7 Plus and macOS Sierra Support

  • X-Ways Forensics 19.1 SR-1 was released with bug fixes and minor improvements.
    X-Ways Forensics 19.1 SR-1

  • Eric Zimmerman has released ShellBags Explorer v0.8.0.0, which he demoed on last week’s Forensic Lunch. This is a complete rewrite to incorporate many of the features found in Registry Explorer, including an updated hex viewer, icons, and a manual reflecting the changes. The post walks through the various new features. Eric also updated SBE to version to fix a date/time format bug.
    ShellBags Explorer v0.8.0.0 released!

  • Didier Stevens updated a couple of his tools this week



  • Lee Reiber posted two Mobile Forensic Minutes this week
    • Episode 106 explains the rationale behind Mobile Forensic Minute – it’s meant to bring attention to the wealth of information not necessarily provided by automated tools, as well as a corollary to Lee’s book, Mobile Forensic Investigations.
      What is MFM? Episode 106
    • Episode 107 covers some of the useful information found in Webkit. Webkit allows websites to store information such as logins, searches, shopping carts, etc. that many tools do not automatically parse out.
      Mobile Forensic Minute 107 – Webkit Nuggets

  • Ted Smith at X-Ways Clips shows how he creates Report Tables (Bookmark). He has also created a YouTube video to help illustrate the narrative.
    Video 54 – Children and Parent Objects and Report Tables

  • A webinar by Carolyn Casey JD, John Wilson, John Grim, and Jason Britton on “Complex Digital Data Calls for a New Breed of Data Hunters” has been uploaded to Forensic Focus.
    Webinars – 2017 Complex Digital Data Calls for a New Breed of Data Hunters

  • Dave and Matthew hosted Lee Whitfield and Jonathon Poling this week on the Forensic Lunch. Dave put out a request for guests to come on the show, and he also said that next month’s shows will take place over the next two weeks (to meet the 2-shows-a-month commitment). Lee gave an overview of the 4cast awards (nominate here!). Jonathon also gave us an insight into his background and talked about his site, including the .DS_Store artefact and his work into AWS investigations. Matt showed off the custom functions and scripts that he has developed to assist examiners in utilising SQLite in their analysis.
    Forensic Lunch 1/27/17

  • On this week’s Digital Forensics Survival Podcast, Michael covers the Windows System Resource Usage Monitor (SRUM) database that was introduced in Win8. This database contains every application executed on the system, and the SID that executed it, as well as “The names of all networks connected to the system and the length of each connection, [and] how many bytes were written to or read from the hard drive by each application”. It can be parsed with the Python script “srum-dump”.
    DFSP # 049 – Get your SRUM on!

  • Douglas Brush gave a quick recap of ShmooCon 12.
    #010 – SHMOOCON 12 (2017)


  • There were a few posts on Cyber Forensicator this week
  • Digital Forensics Corp shared a number of articles this week
  • Matt Bromiley continues the Zeltser Challenge
  • SANS InfoSec Reading Room published Pierce Gibbs’ white paper on Intrusion Detection Evasion Techniques including Time-To-Live Manipulation, IDS Mac Address Attack, IP Fragmentation Attack, Encryption, and Polymorphic Blending Attacks, and includes various case studies.
    Intrusion Detection Evasion Techniques and Case Studies

  • The Incident Response Team at Dell SecureWorks has “identified commonalities in host-based logs [in POS systems] that revealed indicators of compromise that sometimes occurred months before SecureWorks was engaged”. The three main indicators described in the post are “Services were created, Windows event logs were cleared, and AV software detected anomalies”.
    Common Attributes of Point-of-Sales Breaches

  • The Blackbag Training Team explains how to boot a Mac into Target Disk Mode (hold option on boot and then once in Start-up manager, hold T). Interestingly, the new Macbooks don’t support TDM through Thunderbolt so “attempting to start the new MacBook in Target Disk Mode while connected via Thunderbolt to USB-C will cause the MacBook to simply boot to the login screen”. Also apparently USB-C → USB-A will charge a Macbook.
    Macbook Target Disk Mode

  • D3pak Kumar shared a glossary of terms for computer and email forensics.
    Glossary : Computer & Email Forensics

  • Carpe Indicum walks through installing TimeSketch on a fresh Ubuntu installation and then provides an overview of the various pages and buttons. The author also advises to disregard the installation instructions from part 1 and provides alternate links to installation instructions.
    Delving into Timesketch (part 2)

  • Adam at Hexacorn shares three more persistence mechanisms this week, as well as a post with links to the whole series.
    • The first shows off a function called OffloadModExpo that loads the DLL named in the ExpoOffload value of the OffLoad subkey. Because the function is part of the crypto stack, the DLL is loaded all the time by common processes such as svchost.exe, iexplore.exe, etc.
      Beyond good ol’ Run key, Part 57
    • The second shows two places in the registry which can contain executables that will be triggered by Bluetooth devices. The first will execute “when a notification alert is received from the remote LE device” (which Adam was unable to get to work), and the second executes on establishing a connection.
      Beyond good ol’ Run key, Part 58
    • The third shows another location in the registry relating to DLL execution triggered by Bluetooth. Adam wasn’t able to get it to work (but advised it should, as it’s a documented feature), and asked anyone with Win8 (but not 8.1) to give it a go.
      Beyond good ol’ Run key, Part 59

  • Didier Stevens at NVISO shares a YARA rule that they have created to detect files compiled with py2exe.
    Detecting py2exe Executables: YARA Rule

  • Jonathon Poling at Ponder The Bits examines the .DS_Store file found in the user’s Trash folder. Examining the .DS_Store file may recover metadata of deleted files. As long as a single file remains, the .DS_Store file will remain intact (so that the “Put Back” feature can be used); however, if the Trash is cleared this file will also be removed. Interestingly, “when you move another file to the trash, the ~/.Trash/.DS_Store file is re-created and historical entries [since the last reboot] are re-populated into the file!”. “Rebooting the machine seems to finally remove all historical entries”. Jonathon then goes on to show how to parse the .DS_Store files using in-built and third party utilities. I’d highly recommend doing some testing with this to get your head around it, particularly relating to the Trash folder.
    Mac Dumpster Diving – Identifying Deleted File References in the Trash (.DS_Store) Files – Part 1

  • Oleg Afonin at Elcomsoft shows how you can use the various Elcomsoft tools to extract data from a locked iPhone running iOS 10. According to Oleg, you’re limited to only accessing information such as the model and serial number of the device if it has been rebooted and never unlocked afterwards, or been switched off and you don’t have the password.
    How Can I Break Into a Locked iOS 10 iPhone?

  • The Blackbag Training Team continues the Windows Forensic Essentials Blog Series, this time providing the basics of Windows Event logs. The post also lists the events that examiners should look for to detect date/time changes and logon events.
    Leveraging Windows Event Logs In Examinations

  • Xavier Mertens at SANS ISC Handler Diaries recommends that you “test your set of IDS rules based in shared IOC’s before enabling them in production” and provides the three steps to do so.
    IOC’s: Risks of False Positive Alerts Flood Ahead

  • Also on the ISC Handler Diaries, Lorna Hutcheson shares a list of things to look for in packet captures that may be abnormal.
    Packet Analysis – Where do you start?


  • Malwarebytes Labs have a few posts this week
    • Nathan Collier provides some history of the AndroRAT mobile malware. Turns out it was open source malware created as a university project. The malware-writing community has taken this code and updated it, and it’s now being seen in various popular apps. Nathan advises “to have a good malware scanner installed on your mobile device, and to install apps from reputable stores such as Google PLAY”.
      Mobile Menace Monday: AndroRAT Evolved
    • Nathan Scott dissects the VirLocker ransomware and explains the decryption process (without paying the ransom).
      VirLocker’s comeback; including recovery instructions
    • Hasherezade has unpacked the Terdot Zloader/Zbot downloader, which is related to the ZeuS-based malware. The malware is spread via email campaigns and the Sundown EK, and interestingly deploys legitimate tools for malicious purposes.
      Zbot with legitimate applications on board

  • Symantec Security Response investigates the Greenbug cyberespionage group, which they believe has tentative links to Shamoon. They also provide a bit of information regarding Trojan.Ismdoor. This is distributed via a RAR file containing “a .pdf file and a .chm (Compiled HTML Help) file, which includes an ADS hiding the payload (Trojan.Ismdoor)”. The resulting backdoor then uses PowerShell for its C&C communication.
    Greenbug cyberespionage group targeting Middle East, possible links to Shamoon

  • Christiaan Beek and Raj Samani at McAfee’s Securing Tomorrow blog also examine Shamoon.
    Spotlight on Shamoon

  • Peter Cap, Mathieu Letourneau, Ben Koehl, and Milad Aslaner at Microsoft’s Threat Research & Response Blog examine the Winnti malware associated with the Barium and Lead threat actors. They also show how Windows Defender ATP can be utilised to detect this threat.
    Detecting threat actors in recent German industrial attacks with Windows Defender ATP

  • Kai Lu at Fortinet shared his deep analysis of the Android Rootnik Malware. This malware “uses open-sourced Android root exploit tools and the MTK root scheme from the dashi root tool to gain root access on an Android device”. Part 1 decompiles the malware and begins the analysis. In part 2 Kai analyses the secondary dex file.
    Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook Part 1 and 2

  • Xavier Mertens at SANS ISC Handler Diaries comments on malicious Scalable Vector Graphics being used to entice victims in executing malware.
    Malicious SVG Files in the Wild

  • Rodel Mendrez at Trustwave SpiderLabs also examines SVG files and identifies an SVG file that points to the same executable as Xavier Mertens did in the previous story (probably from the same campaign).
    SVG Files Are Not As Benign As It May Seem

  • There were two posts on the CheckPoint blog
  • The guys at Joe Security also analysed the “Charger” ransomware app and ran it through their Joe Sandbox Mobile product.
    Deep Analysis of Android Ransom Charger

  • Jeff White at Palo Alto Networks analyses “the distribution infrastructure for the [SAGE 2.0 (Sage Locker)] ransomware and enumerate indicators that can be deployed for detection and prevention”. Interestingly, the malware utilises “the Windows command-line escape caret character injected between your regular characters to break up commands such as “powershell” and “executionpolicy”” to circumvent “pattern or string matches that prevent process launching”.
    Farming Malicious Documents to Unravel Ransomware
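To illustrate why the caret trick Jeff describes defeats a plain string match, here is an added example (my own code, not Palo Alto’s or the post’s) that undoes cmd.exe caret escaping before re-applying the match; the sample command lines are constructed, and the script assumes the line was actually parsed by cmd.exe (carets are only special there).

```python
import re

# Constructed sample process command lines (not from the original post).
SAMPLES = {
    "plain":  'cmd.exe /c powershell -ExecutionPolicy Bypass -File x.ps1',
    "carets": 'cmd.exe /c p^o^w^e^r^s^h^e^l^l -Exe^cution^Policy Bypass -File x.ps1',
    "double": 'cmd.exe /c echo 2^^3',
    "quoted": 'cmd.exe /c echo "a^b"',
}

# The kind of simple pattern a process-launch filter might use.
NAIVE = re.compile(r'powershell\s+-executionpolicy', re.I)


def decaret(cmdline: str) -> str:
    """Undo cmd.exe caret escaping: outside double quotes '^x' becomes 'x'
    (so '^^' becomes '^'); inside double quotes a caret is literal.
    A lone trailing caret (line continuation) is dropped."""
    out, in_quote, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
            out.append(ch)
        elif ch == '^' and not in_quote:
            if i + 1 < len(cmdline):
                out.append(cmdline[i + 1])  # keep the escaped character
            i += 1                          # skip past it
        else:
            out.append(ch)
        i += 1
    return ''.join(out)


def caret_score(cmdline: str) -> int:
    """Count carets wedged between two alphanumerics on the raw line, i.e.
    carets that split a word. Legitimate escaping rarely does this, so a
    high count is a signal on its own, before the pattern is re-checked."""
    return len(re.findall(r'(?<=[A-Za-z0-9])\^(?=[A-Za-z0-9])', cmdline))


def check(cmdline: str) -> dict:
    """Compare the raw match with the match on the normalised line."""
    return {
        "naive_hit": bool(NAIVE.search(cmdline)),
        "normalized_hit": bool(NAIVE.search(decaret(cmdline))),
        "caret_score": caret_score(cmdline),
    }


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, check(line))
```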

  • David Maynor & Paul Rascagneres at Cisco’s Talos blog have “identified a malicious Microsoft Word document with several unusual features and an advanced workflow, performing reconnaissance on the targeted system to avoid sandbox detection and virtual analysis, as well as exploitation from a non-embedded Flash payload”. “This attack is also notable because the payload was swapped out with a large amount of junk data which was designed to create resource issues for some simplistic security devices.”
    Matryoshka Doll Reconnaissance Framework


  • Mary Ellen at “What’s A Mennonite Doing In Manhattan?!” has a post promoting her and Devon’s project, AboutDFIR, and thanking the various people that have assisted or mentioned her work.
    AboutDFIR.com Partnership

  • Cindy Murphy at Gillware Digital Forensics shares her thoughts on treating digital forensics as a combination of art and science – “thinking creatively about the way we do things and trying new and innovative things”. She also explains the concept of Synchronicity. “This is where the art in science is found, and where the science in art is found. If you stay open to it, it can change the way you see the world around you.”
    Digital Forensics as Art and Science

  • Scar at Forensic Focus has reviewed AccessData’s live online training course designed to “help forensic investigators understand the specific challenges presented by Windows 10”. She also reviewed the in-person training on the Windows operating system and “its potential for analysis in digital forensic investigations”.
    Reviews – 2017 Windows 10 Live Online Training From AccessData, 2017 Reviews – 2017 Windows OS Training From AccessData

  • DFIR Guy at DFIR.Training has been busy writing three posts this week (and adding more data to his newly formatted site)
    • He reminisces about e-evidence.info and covers how to utilise his site to best effect.
      e-evidence.info was one of my favorite DFIR blogs
    • He explains the importance of problem-solving – particularly in relation to bugging your co-workers for the solution without doing any troubleshooting.
      One skill every DFIR practitioner must have…..
    • And lastly, he shares some potential nominations for the 4cast award. I agree with many of the recommended nominations. Of the suggested nominations for products I’ve used, I don’t see anything that doesn’t deserve to be there. I’m also humbled by the suggestion to nominate my site. Hopefully, I’ll even be able to make the summit this year to congratulate the winners!
      So…who are you voting for?

  • John Patzakis, Esq. at the Next Generation eDiscovery Law & Tech blog shares Hon. Judge John Facciola’s comments from the Georgetown Law Technology Review regarding the recent change to Federal Rule of Evidence 902(14). The Hon. Judge looks favourably on the changes, saying “The proposed Rules will likely reduce litigation costs spent authenticating information, and help foster judicial efficiency and familiarity with technology”.
    Judge Facciola Addresses Impact of New Federal Rule of Evidence 902(14)

  • Sean Morrissey at Katana Forensics has announced a new web-based certification training. “This course will be a one day Lantern Certification course”.

  • Yulia Samoteykina at Atola Technologies shows how to use a serial cable with the DiskSense unit to “extract or reset an unknown password or perform drive recovery on a Seagate hard drive”.
    Connecting Seagate Drives to Serial Port

  • Tyler Schlecht at DME Forensics shares the DME training schedule for 2017.
    Check Out Our New Training Room!

  • And in a meta post (making this a meta-meta-post?), Scar at Forensic Focus has shared out a few select links from my posts this month
    This Month In Forensics

And that’s all for Week 4! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
