Week 16 – 2017

If you’d like to vote this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting





  • A few more presentations from Art Into Science: A Conference for Defense conference were uploaded to YouTube.
    ACoD Ops Track, Day 2 
  • Adrian Crenshaw has uploaded videos from Bsides Nashville 2017.
    BSides Nashville 2017 Videos 
  • Joshua James at Cybercrime Technologies acquires “an android smartphone (Samsung Note II) using Android Debug Bridge (ADB), netcat and dd using a Linux forensic workstation”. He uploaded two videos, one for Windows and the other for Linux 
  • Didier Stevens shared two videos related to his previous analysis of a CVE-2017-0199 maldoc
  • “Sharon Nelson and John Simek talk to Craig Ball about the intricacies of preserving digital evidence”, specifically, social networking and online information. Craig explains that preserving social media and the like doesn’t always require a trainer forensic analyst and can be performed appropriately by the law firms employed; provided that they are adequately trained and follow approved procedure. Craig also talks about the various methods of preserving data; screenshots (which he says have a place but are not preferable), Google and Facebook’s takeout features, as well as the various tools specifically designed for social media and online preservation.
    Practical Approaches to Preserving New (and Not-So-New) Media 
  • “The Forum of Incident Response and Security Teams (FIRST) today announced it is making available a public repository of conference presentations from the last twenty years of FIRST events”
    FIRST releases twenty years of conference materials 
  • Karsten Hahn analyses “a hook injection PoC by Robert Kuster and partially fix it for Windows 7.”
    Malware Analysis – Hook Injection PoC by Robert Kuster 
  • Corey Tomlinson sat down with Gerard Ryle from the International Consortium of Investigative Journalists about how Nuix has been instrumental in compiling and reviewing the data from the Panama Papers.
    Interview With Gerard Ryle – International Consortium of Investigative Journalists 
  • On this week’s Digital Forensics Survival Podcast, Michael gave a brief overview of the relevant artefacts involved in the Firefox web browser.
    DFSP # 061 – Firefox Forensics 
  • Recorded Future, in conjunction with The CyberWire, have started a new podcast on Threat Intelligence, the first episode was out last week covering what threat intelligence is, and the second covers ThreatIntel feeds.
    Threat Intelligence Podcast 
  • SANS have released all of the slides from the recent Threat Hunting Summit.
    Threat Hunting and IR Summit (April 2017) 
  • Alex Pinto has shared his slides for his presentation at the 2017 Threat Hunting Summit, “Pushing the Boundaries of Threat Hunting Automation”
    Check out @alexcpsec’s Tweet 
  • DFIR Guy from DFIR.Training tweeted out Simon Biles presentation from the FlossUK 2017 Spring Conference called “Are We Ready for Open Source Digital Forensics”.
    Check Out @DFIR_Guy’s Tweet 
  • David Cowen shared out his NCCDC redteam debrief.
    Check Out @HECFBlog’s Tweet



  • The “CIBOK Editorial Committee … announced its establishment and the 1st edition “Cybercrime Investigation Body Of Knowledge” (CIBOK) published work. CIBOK is designed to provide a new standard for law enforcement organizations and enterprises around the globe with knowledge, skills and behaviors required to solve or prevent today’s complex and sophisticated cybercrime.”
    New standard for cybercrime investigation launches as Cybercrime Investigation Body Of Knowledge 
  • Philippe Lagadec shares a process for “downloading thousands of [legitimate] MS Office files for testing”
    Tip: How to download thousands of MS Office files for testing 
  • Trent Leavitt at Decipher Forensics addresses “the absolute necessity for deleted data in civil cases.” The post provides an overview of preservation letters, data collection, analysis, and presentation.
    Deleted Data in Civil Litigation 
  • DFIR Guy at DFIR.Training shares a recent (non-technical) case study about an employee deleting data from his employer’s server and stealing equipment. The police were called however classed it a civil matter. In my opinion, it’s a bit of a grey area because it would depend on when the employee performed his various malicious activities for it to be classed as a civil or criminal matter (in the state that I live in in Australia). Down here, there’s a specific section of law covering unauthorised access – so, in my opinion, the analyst would be required to determine what actions were taken and when, and whether the company indicated that he was no longer to have access to the system. Once that was shown, however, LE may have enough information to charge with the unauthorised access/destruction offence (if it exists in the jurisdiction).  I recall reading about a case in the States a few weeks ago regarding a sys-admin performing malicious activities, however, at the time he was still employed, so it was entirely a civil matter – there was no unauthorised access. That being said, I think the physical theft would still be considered criminal, but then again I’m not a lawyer, a police officer, or in the jurisdiction where the actions took place.
    3 Tips to Keep Your Name out of the News 
  • Cat Ianni at DME Forensics list a few reasons why examiners should consider using DVR Examiner on their DVR cases.
    Convincing Your Agency to Buy DVR Examiner 
  • Kent Walker at Google explains that the MLAT process is too cumbersome for today’s investigations and that he will be “sharing more thoughts about the legal frameworks that can address some of these challenges in the coming weeks and months”. I think the major paragraph is the following: “Without better and faster ways to collect cross-border evidence, countries will be tempted to take unilateral actions to deal with a fundamentally multilateral problem. A sustainable framework for handling digital evidence in legitimate cross-border investigations will help avoid a chaotic, conflicting patchwork of data location proposals and ad hoc surveillance measures that may threaten privacy and generate uncertainty, without fundamentally advancing legitimate law enforcement and national security interests”.
    An international framework for digital evidence 
  • Devon Ackerman has updated his iOS Dashboard “to include recent iOS releases, iPhone releases and unlocking services”
    Forensics – Apple iOS & Watch OS Artifacts 
  • Guidance Software has created a campaign on BugCrowd to reward researchers for finding new forensic artefacts. Researchers are encouraged to submit information about previously undocumented artefacts. Guidance verified that the researchers still maintain the control of their research and are able to share it publicly if they wish. “The goal of the program is to reward researchers for work already being done to contribute to the industry.” The campaign will remain open until 11:59 PST on the 31st August. On a personal note, I think that this is a good move by the company to encourage more people to share their research. There are a lot of people doing so, but they’re doing so for free for the most part, so a potential reward is always nice.
    Guidance Software – Forensic Artifact Research Program 
  • Matt McFadden at Guidance Software announced on Twitter that the new “EnCase training website has launched”.
    Check Out @cybr4n6’s Tweet 
  • Jordan Potti listed his various experiences that led to his start in infosec
    How I Got Started in InfoSec 
  • Jeff Hamm posted on Linkedin that the book that he has co-authored with Katrin Franke, André Årnes, and others, “Digital Forensics 1st Edition”, is finished and could be published in June.  The book purports to be a “definitive text for students of digital forensics, as well as professionals looking to deepen their understanding of an increasingly critical field”.
    Check out Jeff Hamm’s Post 
  • Magnet Forensics have a post advising that their Magnet Certified Forensics Examiner (MCFE) certification, and Forensic Fundamentals is now available. This post also includes a video by Chuck Cobb on the training courses offered by Magnet.
    Magnet AXIOM MCFE Certification & New Forensic Fundamentals Course Launched 
  • Richard Wartell and Tyler Halfpop at Palo Alto Networks have advised that LabyREnth CTF 2017, “a new Unit 42 Capture the Flag (CTF) challenge, is coming on June 9, 2017”.
    LabyREnth CTF 2017: We’re At It Again…


  • Arsenal Consulting have released “Hibernation Recon v1.1.0.56 with support for Windows 10 Creators Update (v1703) hibernation”
    Check Out @ArsenalArmed’s Tweet 
  • Eric Zimmerman has updated his lnk project and all of its dependencies. This brings LECmd to version, JLECmd to version, and JumpList Explorer to version
  • Phil Harvey has released ExifTool 10.50 (production release), adding and improving a couple of tags, and fixing a couple of bugs
    ExifTool 10.50 (production release) 
  • Katana Forensics’ Lantern product has been updated to version 4.6.8, and now “has support for iOS 10.3.1 and Android 7 devices”.
  • David Pany updated his PyWMIPersistenceFinder and CCM_RUA_Finder Python scripts.
    WMI_Forensics Commits 
  • Oxygen Forensiс have released an update to their Detective product, now at version 9.3. There are a number of updates including data extraction from Huawei cloud, decryption of WhatsApp data saved to iCloud, and parsing of encrypted Apple Notes.
    Oxygen Forensic® Detective extracts data from Huawei cloud 
  • Radare2 v1.4 has been released, and “comes with 12768 new lines of new features, bug fixes and enhancements”.
    Codename: “no comments” 
  • Thomas Patzke has released an open source Python library, Elasticsearch Query Language. “The main goal of EQUEL is to provide access to as many Elasticsearch features as possible with a query language that is easy to understand and write for humans.” The author indicates that the tool is still in its early development stage and shares the future plans (as well a request for assistance in implementing these plans).
    Introducing EQUEL, an Elasticsearch QUEry Language 
  • Pestudio has been updated to version 8.58. You can download the latest version here 
  • X-Ways Forensics 19.2 SR-2 was released, fixing a variety of bugs.
    X-Ways Forensics 19.2 SR-2 
  • The Viewer Component was updated to version 8.5.3 to include several non-security related patches.
    Viewer Component

And that’s all for Week 16! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s