Week 17 – 2017

If you’d like to vote this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting


  • As an update to a post by Mari, there’s been a bit of talk about a newly located registry subkey that indicates the actual install date of Windows 10. I had a quick look on my Win10 system and identified three subkeys named “Source OS (Updated on MM\DD\YYYY HH:MM:SS)” which contained an InstallDate or InstallTime value. Converting these times, however, did not necessarily match up with the time in the text of the subkey name. More research will have to be done to determine whether the LastWrite time of the Source OS subkey indicates when the update was started or completed, and what the OS is doing when it creates the data inside it. As a guess, Windows might be copying the previously existing data into this area as a backup – which means looking at the first one should give you the install date of the OS.
    When Windows Lies
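To make the comparison described above repeatable, here is a small decoder (an added example, not code from the post or from Mari’s research). It parses the timestamp embedded in a “Source OS (Updated on …)” subkey name and decodes InstallDate and InstallTime, and it assumes InstallDate is a REG_DWORD Unix epoch and InstallTime (and any LastWrite value you pass in) is a 64-bit FILETIME, both in UTC; the sample subkey and values are constructed, not exported from a real system.

```python
import re
from datetime import datetime, timedelta, timezone

# Subkey name format as given in the post; "/" is accepted as well as "\".
NAME_RE = re.compile(
    r"Source OS \(Updated on (\d{1,2})[\\/](\d{1,2})[\\/](\d{4}) "
    r"(\d{1,2}):(\d{2}):(\d{2})\)"
)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_subkey_name(name):
    """Timestamp embedded in a 'Source OS (Updated on ...)' subkey name.

    The name carries no time zone, so it is returned as UTC; a whole-hour
    offset from the decoded values then points at a local-time name rather
    than at a different event.
    """
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError("not a Source OS subkey name: %r" % name)
    mo, d, y, h, mi, s = map(int, m.groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def unix_to_dt(seconds):
    """InstallDate (assumed REG_DWORD): seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def filetime_to_dt(filetime):
    """InstallTime / LastWrite (assumed FILETIME): 100 ns ticks since 1601."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def compare_subkey(name, install_date, install_time, last_write=None):
    """Decode each value and report its offset in seconds from the name's time."""
    named = parse_subkey_name(name)
    decoded = {"InstallDate": unix_to_dt(install_date),
               "InstallTime": filetime_to_dt(install_time)}
    if last_write is not None:
        decoded["LastWrite"] = filetime_to_dt(last_write)
    offsets = {k: int((v - named).total_seconds()) for k, v in decoded.items()}
    return decoded, offsets


# Constructed sample: the name says 19:05:12 but both values decode to
# 12:05:12 UTC, a 7-hour gap typical of a name written in local time.
SAMPLE = ("Source OS (Updated on 3\\16\\2017 19:05:12)", 1489665912, 131341395120000000)

if __name__ == "__main__":
    stamps, deltas = compare_subkey(*SAMPLE)
    for key, value in stamps.items():
        print("%-12s %s  offset %+d s" % (key, value.isoformat(), deltas[key]))
```

Feed it the values exported from each Source OS subkey in turn; a constant offset across all three suggests a time-zone artefact, while a varying one is worth noting against the LastWrite time.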

  • Brett Shavers shares his thoughts on two “games” that are commonly seen in infosec (although this post can relate to many enterprises I’m sure). The two games are “hot potato”, where the responsibility is passed on down the chain, and “are we there yet”, where people prefer to await the inevitable, rather than plan and prepare to avoid the issue.
    The 2 Worst Games to Play in #infosec

  • Luis Rocha at Count Upon Security posted an introduction to Linux forensics where he examines a compromised Red Hat system. He covers mounting the file system, using TSK and plaso to generate timelines, and recovering and examining deleted files.
    Intro to Linux Forensics

  • The guys at Cyber Forensicator shared a few articles this week
  • Igor Mikhaylov & Oleg Skulkin at Digital Forensics Corp list the various artefacts on iOS and Android that can be used to assist in identifying the owner of a device.
    Who is the owner of the mobile device?

  • Brewster Rolland-Keith at DME Forensics lists four ways of extracting data from a DVR – using DVR Examiner, using the DVR’s export feature, using a capture card and replaying the footage, and lastly seeking assistance directly from DME Forensics.
    The 4 main ways of recovering video from a DVR

  • Preston Miller at DPM Forensics examines the appinfo files created by VMWare’s Unity mode (I’m not sure if the files are created beforehand, or as a result of the user using Unity mode). “The names of these files are simply the MD5 checksum of the application’s file path as recorded within the .appinfo file. The create and modify timestamps of these files correlate to when the application was installed within the VM.” He then explains the Python script that he wrote to parse the files.
    Hasty Scripts: Summarizing Installed Applications on Encrypted VMs

  • Mark Mckinnon has released a new Autopsy plugin that is “an extension of the research that Ken Johnson did on Windows File History.”
    Windows File History Plugin

  • Pete James at Precision Discovery shows how a Microsoft Office Alert can be used to identify file activity. An ex-employee had accessed a file, and made a modification to it before closing it; this showed the dialog box asking if the user would like to save the file. As a result, an event was created indicating “the date, time, software program being used, and the name of the file”. I haven’t explored this log; however, the author doesn’t indicate whether the entry is different if the user does or doesn’t save the item. This information would be useful when coupled with other file access artefacts.
    Oh, the Traces You Leave on Your Computer: O-Alerts and the Executive

  • Dan O’Day has identified an issue with RAM capture using Dumpit on large (64GB) memory captures. If I’m to understand correctly, Dumpit can’t necessarily decode parts of the memory in 64-bit systems, so it’s advisable to take a crashdump instead of a raw capture. Dan did indicate that he “was able to successfully acquire and analyze the RAM using winpmem 2.1.post4 and Rekall 1.6.0 (Gotthard), respectively (your mileage may vary)”. Brian Moran also weighed in, saying that Belkasoft’s RAM capture utility is also not affected by the issue.
    Big RAM and the kernel debugger data block

  • Lee Whitfield has started a new company and blog. His first post lists his company’s philosophy, and the second lists the events he’ll be attending in the coming months.
    Say hello to my little friend!

  • The students at Champlain University have shared some information about their analysis of the Discord app. “The uses of caching and SQLite formatting allowed [the team] to recover artifacts such as the … chat logs to the images and files uploaded”
    Application Analysis: Conclusion

  • Yogesh Khatri looked into the /private/var/folders in OS X. He also explores how the folder names are generated so that an examiner can tie them back to the specific user account (aside from looking up “the owner uid of the folder”).
    The mystery of /var/folders on OSX


  • The guys at Carbon Black have shared another chapter of their ‘Threat Hunting for Dummies’ eBook. This section covers the various people/processing/training/technologies/intelligence required to prepare for a hunt.
    Threat Hunting: Preparing to Hunt

  • Jack Crook at DFIR and Threat Hunting shares a few of his thoughts on the presentation that he was scheduled to give at the SANS Threat Hunting Summit and x33fcon, but was unable to due to surgery.
    Billions and Billions of Logs; Oh My

  • Jon-Louis Heimerl at NTT Security has announced the release of the “Global Threat Intelligence Report (GTIR)”.
    The 2017 Global Threat Intelligence Report is out now

  • There were a few posts on the SANS InfoSec Reading Room this week
  • Kyle Bubp at the Savage Security Blog shows how to set up Microsoft’s Local Admin Password Solution to mitigate the threat of lateral movement in a network.
    Mitigating the Threat of Lateral Movement

  • Cliff Kittle at SecureWorks explains why healthcare organisations such as hospitals should proactively hunt for threats in their networks. “You can’t always block attackers, but you can break the kill chain so they’re not successful. Human behavior analysis is critical to detecting and responding quickly to this type of threat. That is accomplished by performing regular pro-active threat hunting to identify indicators of an attack.”
    Hospitals Need Proactive Targeted Threat Hunting


  • Mattia Epifani and Arnon Tirosh at Cellebrite will be hosting a webinar 10th May 2017 at 9:00AM UK time about how Cellebrite’s Advanced Investigative Services can assist in investigations, primarily unlocking locked devices.
    Don’t Get Locked Out Of Your Investigation

  • Jad Saliba at Magnet Forensics will be hosting two webinars next week on the latest update to Axiom. These webinars will be held Tuesday, May 30 at 9:00AM EST, and Wednesday, May 31 at 1:00PM EST.
    Webinar: Dig Deeper with Magnet AXIOM 1.1





  • AccessData released FTK and AD Lab 6.2.1 improving WeChat parsing and adding support for encrypted iOS 10 backups.
    AccessData Forensic Toolkit 6.2.1 Release Notes

  • AccessData also updated Password Recovery Toolkit (PRTK) and Distributed Network Attack (DNA) to version 8.1.0. The update supports recovering “BitLocker passwords when a user-generated password was used for the encryption”, as well as “support for iOS 10 backup passwords”.
    Password Recovery Toolkit (PRTK) version 8.1.0 Release Notes

  • Brian Baskin updated Noriben to v1.7.2, fixing some bugs and adding the headless option. He also added a new script, NoribenSandbox.py, which “allows you to automate the execution of Noriben within a guest VM and retrieve the reports” (on OSX). Brian has also released a video of this in action.
    Noriben malware sandbox 1.7.2 with Frontend

  • Didier Stevens released a new Python script that runs a Python command against each line of an input text file.
    New Tool: python-per-line

  • Elcomsoft updated Cloud Explorer to v1.30. The update allows examiners “to extract SMS text messages from Android backups made with Google Pixel/Pixel XL smartphones and devices running Android O Developer Preview”. CE has also been updated to “correctly identify, extract and process user’s routes and display places they visited (based on Google’s POI)” from Google Location data. Oleg Afonin wrote this post explaining how CE can be used to parse the data from Google, as well as this post regarding extracting SMS messages.
    Elcomsoft Cloud Explorer 1.30 Supports Android O, Extracts SMS Text Messages, Routes and Places from Google Account

  • Eric Zimmerman released a minor update to his Timeline Explorer tool, now at version

  • Peerlab by Kuiper Forensics has been updated to version 2.02.
    Version history – v2.02 (25.04.2017)

  • Magnet Forensics have updated their Axiom product to version 1.1. The update adds machine learning to assist in child abduction cases by examining chat (more information here), support for various types of encryption, as well as improved speed, and functionality allowing new evidence to be added to a case. They have also released this video about the update.
    Magnet AXIOM 1.1 Launches with New Artificial Intelligence Support

  • MobilEdit have released Camera Ballistics 2.0, with GUI, performance, and accuracy improvements, multi-threading support, as well as a “new generation of camera ballistics algorithms”.
    Camera Ballistics 2.0 just released!

  • Micro Systemation have updated XEC to version 1.3, and Kiosk to version 7.3. “The latest XEC enables you to manage users effectively with the central user & system management”. “The newest version of Kiosk v7.3 also gives Kiosk users video and watchlist support, supports XRY v7.3 and more” (ref)
    Achieve higher operational efficiency today with XEC v1.3 & Kiosk v7.3

  • Adam Witt has updated his USN Journal Parser to v4.0.1, refactoring the code “to better handle records carved from unallocated space” and halving processing time.
    Check Out @_TrapLoop’s Tweet

  • Recon Imager has been updated to version 1.01 with some minor feature improvements including “a popup notification to notify the examiner if any FileVault volumes exist on startup”, and adding imaging speed to the progress bar.
    RECON IMAGER Version 1.01 Now Released

  • Matias Bevilacqua at FireEye announces a new tool, AppCompatProcessor. The new tool “handles both AppCompat and AmCache artifacts, has modules for processing more than 11 different formats, and contains some novel analytics to redefine the way we look at execution trace artifacts.”
    Evolving Analytics for Execution Trace Data

  • X-Ways Forensics 19.2 SR-3 was released with a variety of bug fixes.
    X-Ways Forensics 19.2 SR-3

And that’s all for Week 17! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

