Week 10 – 2017

Nominations for the 2017 Forensic 4Cast Awards are still open! If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open



  • Jessica Hyde at Magnet Forensics will be hosting two one-hour webinars on parsing data from new applications. Viewers will “learn how to test, find, parse and script to obtain evidence in new applications using a physical forensic image.” The webinars will take place Tuesday, March 28, 2017 at 1:00 PM EST and Wednesday, March 29, 2017 at 9:00 AM EST.
    Methods for parsing new applications

  • The CFP for R2Con 2017, held around September 7th-9th in Barcelona (although the date/location haven’t been confirmed), is open. There doesn’t appear to be a close date yet.
    Check Out @radareorg’s Tweet

  • The session guide for Enfuse 2017 has been posted. The event will take place May 22-25 at Caesars Palace in Las Vegas.
    Guidance Software Unveils Deepest Cyber Incident Response Agenda For Enfuse Conference 2017

  • The CFP for The 10th International Workshop on Digital Forensics (WSDF 2017) is open. The event will take place in Reggio Calabria, Italy, on August 29 – September 2, 2017. The submission deadline is April 15, 2017.
    WSDF 2017

  • “DFRWS USA invites submissions to present workshop sessions”. DFRWS will take place August 6-9, 2017 in Austin, Texas. Submission deadline is March 31, 2017 (midnight GMT).
    Call for Workshops


  • Didier Stevens shared a couple of videos on maldoc deobfuscation covering both Character Removal, as well as the oledump plugin ‘sub-str’.

  • Dave and Matthew hosted Lee Whitfield on this week’s Forensic Lunch. Lee spoke about the Forensic 4cast awards, as well as the talk he will be giving at the DFIR Summit and Enfuse on macOS timestamps. The guys also discussed the recent CIA leaks and the SHA1 collision. Matt then talked about his work with ArangoDB and other NoSQL databases that he has used to assist in linking data sources, as well as his new Rust-based Prefetch parser.
    Forensic Lunch 3/10/17

  • On this week’s Mobile Forensic Minute, Lee Reiber lists the various areas on iOS and Android that applications are installed; this, in turn, can be used to identify spyware, as it would have to be installed on the system to run.
    Mobile Forensic Minute 111

  • On this week’s Digital Forensics Survival Podcast, Michael talked about HostIntel by Keith Jones. HostIntel will take a list of domain names and IPs and return all of the open source information that it can find. “This is [a] great tool for Incident Response triage where you may be looking to generate leads for follow-up from log files or traffic captures. For disk forensics this tool pairs well with malware triage efforts.”
    DFSP # 055 – Automated Host Intelligence

  • SANS posted a few videos from the recent CTI Summit. These videos were Ronnie Tokazowski’s Fun with Strings in Malware, Robert M. Lee’s Knowing When to Consume Intelligence and When to Generate It, as well as Cliff Stoll’s opening keynote, (Still) Stalking the Wily Hacker.

  • Coleman Kane tweeted that the lectures from Weeks 1 through 7 of the University of Cincinnati Malware Analysis class have been updated. This includes both slides and videos of the lectures.
    Check Out @colemankane’s Tweet
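The character-removal trick Didier Stevens covers in the videos above is worth seeing in code. What follows is an added example written for this post; it is not Didier’s code and not an oledump plugin. It statically evaluates the kind of VBA expression a maldoc wraps around a padded literal (nested Replace(), StrReverse() and & concatenation) and, for the case where only the padded literal was recovered, guesses the junk character by frequency. The sample expression is constructed, and the 0.3 frequency threshold is an arbitrary assumption.

```python
"""Character-removal deobfuscation for VBA maldoc strings.

Added illustration for this post; not Didier Stevens' code nor an oledump
plugin. Maldocs commonly hide a command line by interleaving junk characters
into a literal and stripping them at runtime with Replace(), sometimes
wrapped in StrReverse() or glued together with '&'. The small evaluator
below walks such an expression and computes the cleartext statically.
"""
from collections import Counter
import string


def _skip_ws(src, i):
    while i < len(src) and src[i] in " \t\r\n":
        i += 1
    return i


def _expect(src, i, ch):
    i = _skip_ws(src, i)
    if i >= len(src) or src[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1


def _parse_string(src, i):
    """Parse a VBA string literal at src[i] == '"'; a doubled "" is an escaped quote."""
    if i >= len(src) or src[i] != '"':
        raise ValueError(f"expected string literal at offset {i}")
    i += 1
    out = []
    while i < len(src):
        if src[i] == '"':
            if src.startswith('""', i):
                out.append('"')
                i += 2
                continue
            return "".join(out), i + 1
        out.append(src[i])
        i += 1
    raise ValueError("unterminated string literal")


def _parse_term(src, i):
    i = _skip_ws(src, i)
    head = src[i:i + 11].lower()          # long enough to match "strreverse("
    if head.startswith("replace("):
        i += len("replace(")
        text, i = _parse_expr(src, i)
        i = _expect(src, i, ",")
        find, i = _parse_expr(src, i)
        i = _expect(src, i, ",")
        repl, i = _parse_expr(src, i)
        i = _expect(src, i, ")")
        return text.replace(find, repl), i
    if head.startswith("strreverse("):
        i += len("strreverse(")
        text, i = _parse_expr(src, i)
        i = _expect(src, i, ")")
        return text[::-1], i
    return _parse_string(src, i)


def _parse_expr(src, i):
    """term ('&' term)*  -- VBA string concatenation."""
    value, i = _parse_term(src, i)
    i = _skip_ws(src, i)
    while i < len(src) and src[i] == "&":
        nxt, i = _parse_term(src, i + 1)
        value += nxt
        i = _skip_ws(src, i)
    return value, i


def deobfuscate(expr):
    """Statically evaluate a Replace/StrReverse/& expression to its cleartext."""
    value, i = _parse_expr(expr, 0)
    if _skip_ws(expr, i) != len(expr):
        raise ValueError(f"trailing data at offset {i}")
    return value


def guess_junk_char(literal, min_ratio=0.3):
    """Heuristic for when only the padded literal was recovered: the most
    frequent character outside [A-Za-z0-9 ] is taken as junk if it makes up
    at least min_ratio (assumed threshold) of the text; otherwise None."""
    keep = set(string.ascii_letters + string.digits + " ")
    counts = Counter(c for c in literal if c not in keep)
    if not counts:
        return None
    char, n = counts.most_common(1)[0]
    return char if n / len(literal) >= min_ratio else None


# Constructed sample, shaped like a real maldoc's string-building expression.
SAMPLE = ('StrReverse("c/ exe.dmc") & " " & '
          'Replace(Replace("p#o#w#e#r#s#h#e#l#l# #-#e#n#c#", "#", ""), '
          '"-enc", "-EncodedCommand")')

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(guess_junk_char("c#m#d#.#e#x#e#"))
```

The evaluator only handles the three constructs above; anything else (Chr(), Mid(), variables) raises rather than guessing, which is the behaviour you want when the output is going to be treated as an IOC. Multi-character junk tokens are not covered by guess_junk_char; for those, reading the Replace() call out of the macro is the reliable route.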



  • John Patzakis, Esq. at the Next Gen eDiscovery Law & Tech Blog provides various examples of how important proper collection of web-based/cloud-stored data can be. Apparently many courts are scrutinising screen-captures of data, and in some cases “disallowing or otherwise calling into question social media evidence” presented in this form.
    ILTA eDiscovery Survey Reflects Increased Social Media Discovery

  • Yulia Samoteykina at Atola Technologies explains how their Insight product handles hard drives that freeze.
    Imaging Freezing Damaged Drives

  • Matt Bromiley shares a few “Morning Reads”
    • He shares some snippets from the recently leaked Vault 7 documents. These snippets relate to suggestions for how to make DFIR more difficult
      Morning Read: DFIR Snippets from Vault 7
    • He has collected some posts “surrounding recent disclosures and issues with Western Digital’s My Cloud products”. Apparently, these My Cloud products are very vulnerable, so the current recommendation is to remove them from the internet.
      Morning Read: Western Digital My Cloud Issues
    • He also comments on breach notification and advises that urgency is key – “As you build out your incident response teams and plans, make sure that urgency is one of the top priorities”. Matt also explains that cyber insurance relies on the client not violating the policy, so it’s a good idea to make sure you comply with the terms.
      Morning Read: Lloyd’s MGA, CFC Underwriting, Launches Cyber Incident Response App

  • Martino Jerian at Amped Software has an article on Forensic Focus advising examiners to be cautious of Google’s new image enhancement (creation?) algorithm.
    Unscrambling Pixels: Forensic Science Is Not Forensic Fiction

  • David Spreadborough at Amped provides some more information about the 9010 update for Amped FIVE including the various enhancements and features, and bug fixes.
    Amped FIVE Update 9010 Part 2: Filter Updates and Interface Enhancements… too much for one post!

  • There’s a post on BugRoast showing two executables that produce different outputs but have the same MD5 and SHA1 hashes. Not sure how they did it either, outside of MD5’s known collision. It’s entirely possible the two files are exactly the same and they use something external to change the value.
    Eat more hashes 🙂

  • Adam at Hexacorn has updated his EDR (Endpoint Detection and Response) spreadsheet
    Updated EDR Sheet

  • Kurt Bertone at Threat Geek lists the 5 requirements for stopping modern intrusions. Kurt explains that to accurately detect and stop an intrusion, investigators need real-time deep visibility and alerting of network content and endpoints as the intrusion is happening, as well as in the past (so as to capture all phases of the attack).
    5 Requirements for Stopping Modern Intrusions

  • DFIR Guy at DFIR.Training explains that successful DFIR examiners should be like a bloodhound, think like a squirrel, and work like a honey badger. He also promotes the benefits of further education every day as this is a field that is constantly changing.
    3 Animalistic Tips to Bust Open Your DFIR Job.
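On the BugRoast item above: the quickest way to separate a genuine hash collision from two byte-identical files whose behaviour is steered from outside (arguments, environment, filename) is to byte-compare and hash under more than the two weak algorithms. This is an added example written for this post, not code from BugRoast; the sample files are constructed.

```python
"""Multi-hash triage for a set of samples.

Added example for this post, not code from the BugRoast post. Hashes a set of
files under MD5, SHA-1 and SHA-256, then reports byte-identical groups and,
per algorithm, groups whose digests agree although their bytes differ (a real
collision). Identical bytes with different observed behaviour point to
something outside the file, not to the hash. Sample inputs are constructed.
"""
import hashlib
from collections import defaultdict

ALGOS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """Digest one blob under every algorithm in ALGOS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGOS}


def triage(files: dict) -> dict:
    """files maps a name to its bytes. Returns
    {"identical": [[names...], ...], "collisions": {alg: [[names...], ...]}}.
    Collision search runs over one representative per distinct byte string,
    so identical copies are never mis-reported as collisions."""
    by_bytes = defaultdict(list)
    for name, data in files.items():
        by_bytes[data].append(name)
    identical = sorted(sorted(v) for v in by_bytes.values() if len(v) > 1)

    representatives = {sorted(names)[0]: data for data, names in by_bytes.items()}
    collisions = {}
    for alg in ALGOS:
        by_digest = defaultdict(list)
        for name, data in representatives.items():
            by_digest[hashlib.new(alg, data).hexdigest()].append(name)
        groups = sorted(sorted(g) for g in by_digest.values() if len(g) > 1)
        if groups:
            collisions[alg] = groups
    return {"identical": identical, "collisions": collisions}


def classify_pair(a: bytes, b: bytes) -> str:
    """Classify two blobs: 'identical', 'collision:<algs that agree>' or 'distinct'."""
    if a == b:
        return "identical"
    da, db = digests(a), digests(b)
    agree = [alg for alg in ALGOS if da[alg] == db[alg]]
    return "collision:" + ",".join(agree) if agree else "distinct"


# Constructed sample set: two byte-identical copies and one unrelated file.
SAMPLES = {
    "a.exe": b"MZ\x90\x00" + b"payload-one",
    "b.exe": b"MZ\x90\x00" + b"payload-one",
    "c.exe": b"MZ\x90\x00" + b"payload-two",
}

if __name__ == "__main__":
    print(triage(SAMPLES))
    print(classify_pair(SAMPLES["a.exe"], SAMPLES["b.exe"]))
```

If a pair comes back as collision:md5,sha1 with SHA-256 differing, you have a real two-algorithm collision worth preserving; if it comes back identical, the interesting artefact is whatever the binary reads at runtime, not the binary itself.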


  • Didier Stevens updated a couple of his scripts this week
  • Phil Harvey updated ExifTool to version 10.46 (development release) with various bug fixes and minor improvements
    ExifTool 10.46

  • Adam at Hexacorn has updated DeXRAY to version 2.0, adding and improving support for some more quarantine files.
    DeXRAY 2.0 released

  • The guys at MISP released version 2.4.69 shortly after their previous release. The new version includes multiple bug fixes, and a few new features and improvements.
    MISP 2.4.69 released

  • Ryan Benson at Obsidian Forensics has released Hindsight v2, which introduces easier installation through pip, a web GUI, and cache parsing
    Hindsight v2 Released – Web UI and Cache Parsing

  • Arsenal Consulting have released Hibernation Recon v Beta which includes a “free mode”. This mode allows “output of active memory and statistics”. The guys at Digital Forensics Corp also found this announcement that explains that “the latest Hibernation Recon now provides a streamlined graphical user interface, parallel processing of multiple hibernation files, and advanced NTFS metadata recovery”. Arsenal also published a video showing their Hibernation Recon tool “process Windows hibernation files in parallel, incl. advanced NTFS metadata recovery”.
    Check Out @ArsenalArmed’s Tweet

  • GetData updated Forensic Explorer, fixing a number of bugs, as well as other minor improvements
    10 Mar 2017 – v3.9.8.6356


And that’s all for Week 10! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
