Week 11 – 2017

Nominations for the 2017 Forensic 4Cast Awards are still open! If you’d like to nominate this site for blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Nominations are Open


  • James Habben at 4n6ir has posted a follow-up to his previous post on the CCM_RecentlyUsedApps artefact, presenting “what [the] properties mean and how they can be used”.
    CCM_RecentlyUsedApps Properties & Forensics

  • Andrew Swartwood at Between Two DFIRns walks through Dr. Ali Hadi’s “Web Server Case”.
    Ashemery.com: Challenge #1 – Web Server Case Write-up

  • Matt Raeburn at Context has a write-up of how he tried to boot a forensic image into a VM and came across the “Operating System not found” error. He, along with a colleague, delved into the MBR and ultimately identified a solution within VirtualBox to boot the VM. I’ve had a lot of success using a combination of VMware+Jimmy Weg’s method, Forensic Explorer, and LiveView/OpenLV to get VMs booted; they definitely give you a good idea of what the user saw.
    Forensic Imaging. So this should now boot… right?

  • The guys at Cyber Forensicator shared a few articles and links this week
  • Digital Forensics Corp shared a number of articles this week
    • They shared a paper by Enrico Mariconti, Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, and Gianluca Stringhini from University College London and the University of the West of England called “MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models”
      Detecting Android Malware
    • They shared an article by Igor Kuksov at Kaspersky on how “metadata can turn a normal digital document into compromising intel.”
      Microsoft Office Document Metadata in Incident Response
    • They shared an article by Thomas White at Tribal Chicken on “recovering BitLocker keys on Windows 8.1 and 10”
      How to Recover BitLocker Keys
    • They shared a paper by “researchers from the University of Stuttgart and the University of Munich Ludwig-Maximilian [who] created a technique for ‘thermal attacks’. In this work, they examined the effect of the PIN / Pattern property on its vulnerability to thermal attacks.”
      Thermal Attacks on Mobile-based User Authentication
    • They shared an article describing how researchers were able to modify data on devices using sound waves and the accelerometer.
      Sound waves may be used to hack our gadgets
    • They shared an article by Fernand Lone Sang on the proprietary bootloader named SBOOT, used in various Samsung Exynos based smartphones. Fernand describes “how to determine SBOOT’s base address for the Samsung Galaxy S6 and how to load it into IDA Pro.”
      Reverse Engineering Samsung SBOOT
    • They shared a presentation by Alex Ionescu titled “Getting Started with a Type-C USB Cable”.
      Windows 10 RAM Forensics and UEFI Attacks

  • Adam at Hexacorn has two posts this week
    • He shared another registry location that can be used as a persistence mechanism. The key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup, executes a given DLL, and can be “used to copy files during the system start”. Adam, however, advises that this trick may not work on Win10.
      Beyond good ol’ Run key, Part 60
    • He also identified a registry key in Win10 that “is looked at during the system boot by the smss.exe process and the latter attempts to read” various entries underneath. “These entries will be used to deliver the redirection functionality intended to support a full isolation of the container”.
      More contained redirections coming to Registry near you…

  • Sarah Edwards shares her research on the Aggregate Dictionary database on iOS, which can be obtained in a physical acquisition. The database aggregates data for the last 7 days. Sarah digs into the database to try and obtain some additional information about a user locking and unlocking the device. Using some of the information provided, an examiner may be able to tell when a user changed their passcode from one type to another (i.e. removed the passcode).
    Pincodes, Passcodes, & TouchID on iOS – An Introduction to the Aggregate Dictionary Database (ADDataStore.sqlite)

  • Mark Mckinnon has combined many of the Windows Autopsy plugins into one Windows Internals plugin.
    And Many Become One, The Best of Both Worlds.

  • Lee Holmes shows how to detect and prevent PowerShell downgrade attacks. Examiners can look for Event ID 400 in the “Windows PowerShell” classic event log.
    Detecting and Preventing PowerShell Downgrade Attacks
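The Event ID 400 check described above, worked through as an added example (it is not code from Lee Holmes’s post or from this site): each Event 400 “Engine Lifecycle” record carries a Details block with an EngineVersion field, so exported records can be scanned for engine starts whose major version is below the one expected on the host. The event records in the script are constructed to mirror that Details block; the HostApplication values are made up.

```python
"""Flag low-version PowerShell engine starts in records exported from the
"Windows PowerShell" classic event log (Event ID 400, Engine Lifecycle).

Added example for this roundup; it is not code from Lee Holmes's post. The
event records below are constructed to mirror the key=value Details block
that a real Event 400 message carries, so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample export as (EventID, message) pairs. A real Event 400
# message reads "Engine state is changed from None to Available." followed
# by a Details block; EngineVersion is the field that exposes a downgrade.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (400,
     "Engine state is changed from None to Available.\n\nDetails:\n"
     "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
     "\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n"
     "\tHostVersion=5.1.14393.693\n\tHostApplication=powershell.exe\n"
     "\tEngineVersion=5.1.14393.693\n"),
    (400,
     "Engine state is changed from None to Available.\n\nDetails:\n"
     "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
     "\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n"
     "\tHostVersion=2.0\n\tHostApplication=powershell.exe -Version 2\n"
     "\tEngineVersion=2.0\n"),
    (403,  # engine stop: carries EngineVersion too, but is not a start
     "Engine state is changed from Available to Stopped.\n\nDetails:\n"
     "\tEngineVersion=2.0\n"),
]

ENGINE_VERSION_RE = re.compile(r"^\s*EngineVersion=(\d+)\.(\d+)", re.MULTILINE)
HOST_APP_RE = re.compile(r"^\s*HostApplication=(.*)$", re.MULTILINE)


@dataclass
class DowngradeHit:
    engine_version: str
    host_application: str


def find_downgrades(events: Iterable[Tuple[int, str]],
                    min_major: int = 5) -> List[DowngradeHit]:
    """Return one hit per Event 400 whose EngineVersion major number is
    below min_major (5 on a host where the v5 engine is expected).
    Event 403 records are skipped so an engine is not counted twice."""
    hits: List[DowngradeHit] = []
    for event_id, message in events:
        if event_id != 400:
            continue
        match = ENGINE_VERSION_RE.search(message)
        if match is None:
            continue
        if int(match.group(1)) < min_major:
            app = HOST_APP_RE.search(message)
            hits.append(DowngradeHit(
                engine_version=f"{match.group(1)}.{match.group(2)}",
                host_application=app.group(1).strip() if app else "",
            ))
    return hits


if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_EVENTS):
        print(f"downgrade: EngineVersion={hit.engine_version} "
              f"via {hit.host_application!r}")
```

On a live system the same pairs can be fed in from the classic log (for example via Get-WinEvent against the “Windows PowerShell” log, taking the message text of each record). HostApplication is kept in the hit because it records the command line that started the engine, which is what lets an examiner tell an administrator’s deliberate compatibility test from something that needs follow-up.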

  • Patrick Siewert at ProDigital 4n6 explains that when an employee is fired, timing is critical if a client needs the employee’s devices examined. Patrick advises that the devices should be seized when the employee is notified, and examined by a trained forensic specialist rather than general IT staff. He also provides a list of helpful information to provide to the forensic specialist.
    Digital Forensic Discussion: So You Fired An Associate

  • There were a couple of papers shared on the SANS Reading Room this week
    • First, was Balaji Balakrishnan’s whitepaper on AWS security monitoring. The paper provides an overview of AWS CloudTrail and CloudWatch Logs, and shows how they can be used to detect attackers.
      Cloud Security Monitoring
    • They also shared Xiaoxi Fan’s paper on detecting system clock modifications on Windows. Xiaoxi lists a number of artefacts that contain both a timestamp and a sequential ID, which can be used to show clock modification, as one would expect the IDs to increment along with the time. One addition I could make to the paper relates to the timestamps identified in Google URLs, which I hope to present soon.
      Detection of Backdating the System Clock in Windows
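The sequential-ID check that Xiaoxi’s paper relies on, as an added example (not code from the paper or from this site): order the records by their ID and look for places where the timestamp moves backwards or leaps forward between neighbouring IDs. The records are constructed; the same logic applies to any artefact with a monotonic record number and a timestamp.

```python
"""Spot system-clock changes from artefacts that pair a monotonically
increasing record ID with a timestamp (event log record numbers, USN
journal entries and the like).

Added example for this roundup, not code from Xiaoxi Fan's paper. The
records below are constructed.
"""
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

Record = Tuple[int, datetime]
Anomaly = Tuple[int, int, timedelta]  # (previous_id, record_id, delta)

# Constructed sample in the order a tool might export it (unsorted on
# purpose). IDs 1004-1005 were written while the clock was set back about
# three days; 1006 onwards are written after the clock was restored.
SAMPLE_RECORDS: List[Record] = [
    (1001, datetime(2017, 3, 13, 9, 0, 0)),
    (1002, datetime(2017, 3, 13, 9, 0, 5)),
    (1006, datetime(2017, 3, 13, 9, 2, 0)),
    (1003, datetime(2017, 3, 13, 9, 1, 0)),
    (1004, datetime(2017, 3, 10, 14, 0, 0)),
    (1005, datetime(2017, 3, 10, 14, 0, 30)),
    (1007, datetime(2017, 3, 13, 9, 2, 1)),
]


def find_clock_anomalies(records: Iterable[Record],
                         forward_jump: timedelta = timedelta(hours=1)) -> List[Anomaly]:
    """Return (previous_id, id, delta) for every pair of consecutive IDs whose
    timestamps do not advance as expected.

    A negative delta means the clock was set back between the two records.
    A delta larger than forward_jump is a forward jump that is worth a look,
    but a long idle period (machine off or asleep) produces the same
    pattern, so the examiner has to rule that out with other artefacts.
    """
    ordered = sorted(records, key=lambda r: r[0])
    anomalies: List[Anomaly] = []
    for (prev_id, prev_ts), (cur_id, cur_ts) in zip(ordered, ordered[1:]):
        delta = cur_ts - prev_ts
        if delta < timedelta(0) or delta > forward_jump:
            anomalies.append((prev_id, cur_id, delta))
    return anomalies


if __name__ == "__main__":
    for prev_id, cur_id, delta in find_clock_anomalies(SAMPLE_RECORDS):
        kind = "clock set back" if delta < timedelta(0) else "forward jump"
        print(f"{prev_id} -> {cur_id}: {kind} ({delta})")
```

Sorting by ID rather than by timestamp is the whole point: the IDs carry the true order of events, so any timestamp that runs against that order is the anomaly. The forward-jump threshold is a tunable, and a hit there is a lead to corroborate, not a finding on its own.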

  • Matt Bromiley wrote a couple of Morning Reads this week
  • Thomas White at Tribal Chicken walks through Windows IoT Core kernel debugging, and also memory acquisition using WinDbg.
    Adventures with Windows IoT Core Kernel debugging.

  • Cyberscoop has interviewed their top women in cybersecurity for 2017.
    Top Women in Cybersecurity

  • Jonathon Poling at Ponder The Bits discusses scoping, which he describes as an “often-overlooked, admittedly very unsexy, but nonetheless integral piece of performing effective DFIR”. He lists a range of important points to consider across a number of key questions including: what has happened, what response has already taken place, what artefacts are available, and what is the goal of the engagement (and its priority). I would also add ‘establish a time frame to complete the work’, although I would say that the time frame for an incident would usually be “get it done by yesterday”.
    The Importance of Incident Scoping/Assessment

  • Jason Lang at #_shellntel provides his thoughts on the argument over blocking PowerShell, from both a pen tester’s (attacker’s) and a defender’s perspective.
    Thoughts on Blocking Powershell.exe

  • James Habben at 4n6ir has shared his thoughts on the BsidesSLC, as well as an offer to assist anyone that wants to get started with blogging.
    BsidesSLC Experience and Offer to Help

  • Danielle Russell at AlienVault looks at “how centralized log management changes in the public cloud as well as the native logging and monitoring services and components provided by AWS and Azure”, as well as centralising your log data.
    Centralized Logging in the Cloud

  • Lee Whitfield has announced the end of the nominations period for the 4cast awards. Lee will be taking nominations until the end of the month and then announce the top 3 in each category. The awards are taking place at the DFIR Summit (which I forgot to post the agenda for last week). Lee also covered his current happenings (talk at Enfuse, DFIR summit, and employment with SANS).
    Awards Nomination Closing Date and News

  • Scar at Forensic Focus interviewed Devon Ackerman, of Kroll and AboutDFIR.com fame. Devon explains his background, starting at the FBI and moving on to become a senior director at Kroll, as well as how AboutDFIR came about.
    Interview With Devon Ackerman, Senior Director, Kroll

  • Didier Stevens at NVISO Labs provides some tips on streamlining Lua program development.
    Developing complex Suricata rules with Lua – part 2

  • The guys at Sumuri have posted a scathing rant about other vendors copying their forensic machines. Apparently, another company has released a product that is identical to their Talino KA-L Omega laptop.

  • Chris Sanders describes “a new case management system called TheHive”. Chris describes TheHive as “a purpose built case management system to facilitate the investigation of security incidents”, and provides an overview of various components of the system.
    Investigation Case Management with TheHive

  • Devon Ackerman has written an article on “The Hill” about attribution in cyberspace. Devon explains that we must ultimately base our findings on “our training, education, and experience” and that “we must be diligent in examining our own potential assumptions and always remember that forensic science ultimately deals in evidence and actualities.”
    CIA’s #Vault7 leak opens a Pandora’s box of doubt

  • David Spreadborough at Amped explains the File Info section of the latest update to FIVE.
    Advanced File Information – A Closer Look!

  • Lesley Carhart answers questions for those looking to get into the InfoSec field. One of the answers I quite liked explains the difference between a person who can use a tool and one who understands how the tool works, and the usefulness of the latter.
    Ask Lesley InfoSec Advice Column: 2017-03-16


  • Cellebrite updated their UFED line to version 6.1, changing their interface, adding new devices and apps, and introducing an advanced ADB physical extraction that apparently allows physical extraction for previously unsupported phones. “To perform this extraction using an external USB storage device, you will need cables OTG 501 and 508”.
    UFED Touch2, UFED Touch, UFED 4PC, UFED InField, UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader 6.1 (March 2017)

  • Elcomsoft released a maintenance release of their Elcomsoft Phone Breaker tool, now at version 6.45. The update adds support for cloud backups produced by iOS 10.3 devices, fixes authentication issues for devices tied to Microsoft Account, and includes numerous fixes and improvements for GPU-accelerated password recovery attacks. “The tool can now extract text messages from Microsoft Accounts with both Windows Phone and W10M devices on the same account”. They also updated Elcomsoft Explorer for WhatsApp to version 2.01.

  • Belkasoft released version 8.3 of their Evidence Centre product, updating the UI and providing a 64-bit build. Additional release notes can be found here.
    Belkasoft Evidence Center 8.3 Is Out with New UX and 64-bit Edition

  • Mount Image Pro was updated to version 6.2.0.1691, adding “support for Microsoft BitLocker drives.”
    13 Mar 2017 – v6.2.0.1691

  • GetData also updated Forensic Explorer to version 3.9.8.6364, improving “performance reading large drives with large unallocated clusters” and “UNIMO .umv carving”, and fixing a bug relating to Google Earth KMLs in Turkish and German.
    17 Mar 2017 – v3.9.8.6364

  • Passware Kit 2017 v2 has been released adding new features including “Instant Decryption of Passwords Stored in iOS Keychain, Password Recovery for WPA/WPA2, [and] Export and Import of Known Passwords”
    New In Passware Kit 2017 v2

  • Radare version 1.3.0 was released with various updates and bug fixes.
    Radare 1.3.0 Released – Codename: Refactor Forever

  • X-Ways Forensics 19.1 SR-6 was released, with various bug fixes and minor improvements
    X-Ways Forensics 19.1 SR-6

  • X-Ways Forensics 19.2 Beta 3 was released with some minor improvements.
    X-Ways Forensics 19.2 Beta 3


  • Nir Sofer at Nirsoft has released a new tool, DataProtectionDecryptor, that allows users to “decrypt passwords and other information encrypted by the DPAPI (Data Protection API) system” on Windows.
    New DPAPI decryption tool

  • Jim Clausing has shared a Python script that he wrote to calculate various hashes.
    New tool: sigs.py, (Mon, Mar 13th)

And that’s all for Week 11! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

