Week 18 – 2017

If you’d like to vote this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting


  • In self-promotion news (yes, I moved this section to the top of the site this week ;)), I will be presenting a SANS webcast on Thursday at 11 AM EST/3 PM GMT/1 AM AEST. My talk will cover some interesting information that can be obtained from the URLs Google generates when you use the site, mainly to do with a few timestamps, and some parameters that assist in understanding what the user did.
    Webinar: https://www.google.com/search?what+does+all+this+mean?

  • DME Forensics will be hosting a webinar regarding the release of DVR Examiner 2.0. The webinar will take place May 18th 9:00am – 11:00am MST, and you can register here

  • Registration for DFRWS USA 2017 opened during the week.
    Check Out @DFRWS’s Tweet


  • The Blackbag Training Team provide an overview of the MFT and a few of the key attributes, along with how to examine the records in Blacklight.
    Master File Table Basics

  • The guys at Cyber Forensicator shared a couple of articles this week
  • Igor Mikhaylov & Oleg Skulkin at Digital Forensics Corp explain how Oxygen Forensics Detective uses LG’s Advanced Flash technology to obtain a physical extraction. Unfortunately, if the user has enabled device encryption the extracted data will still be encrypted.
    Creating physical dumps and unlocking Android LG phones

  • Cindy Murphy at Gillware Digital Forensics shares a case study where she was required to identify what had occurred on a laptop after an ex-employee had taken it with them upon exiting.
    Adventures in Laptop Forensics

  • Matt Seyer at the Hacking Exposed Computer Forensics blog shows how to manually and automatically parse a USNJournal ($J) file that has been exported using FTK Imager. Even though the $J file is a sparse file, FTKi exports the file with sections of unallocated data (0x00’s), so Matt has written a tool to carve out the records and reduce the file size of the exported $J quite considerably. Interestingly, @superponible recommends using Joakim Schicht’s ExtractUsnJrnl instead, advising that he hasn’t seen the additional 0x00’s in between records with it.
    Contents in sparse mirror may be smaller than they appear

  • John Lehr at Linux Sleuthing explores the world of epochs and shares a Python function for parsing Windows, Unix and Mac epochs.
    Time Perspective

  • There were a few posts on the SANS Digital Forensics and Incident Response Blog
  • Francesco Picasso at Zena Forensics explains Windows Dropbox DBX files and shares a new tool, decwindbx, to assist in decrypting these files.
    Brush up on Dropbox DBX decryption





  • Yulia Samoteykina at Atola Technologies shows how to use the Insight to remove the HPA/DCO (permanently, or until the next power cycle).
    Lifting HPA and DCO restrictions

  • AccessData are celebrating their 30th year, which is a fairly significant milestone in a company’s life cycle.
    Happy 30th Anniversary to AccessData!

  • Paul Slater at Nuix suggests that implementing a technological solution can assist LE with their backlogs, rather than just throwing bodies at the problem.
    Police Backlogs—Is Throwing Bodies at the Problem the Answer?

  • Chris Sanders has announced a contest for those that have purchased his latest book, Practical Packet Analysis 3rd Edition. The person that sends Chris the most creative picture with his book will win a free seat in his new training course. The contest ends May 10th.
    Practical Packet Analysis Photo Contest

  • Chris has also continued his series on knowing your bias, this time explaining the availability heuristic, which “is a mental shortcut that relies on recalling the most recent or prevalent example that comes to mind when evaluating data to make a decision”.
    Know Your Bias – Availability Heuristic

  • There were a couple of articles on the DME Forensics blog this week
  • DFIR Guy at DFIR.Training posted a couple of times this week
    • The first regarded updates to the site. He has removed the event calendar, added additional search warrants and templates, and will be playing around with the RSS feeds on the homepage. If you find that the RSS feed isn’t working, just read this site the following week 😉
      Website Updates (more search warrants, affidavits, forms, etc..)
    • The second was a list of the various DFIR books that he has read, along with recommendations about whether he liked them or not (or if he believes they’re required reading). Pretty sure I have all (except one) of the required reading books, so I’m happy about that.
      My #DFIR Books of the Month

  • Not to be outdone by Guidance, Magnet have announced an artefact exchange of their own (although there isn’t a mention of any compensation in the post). Magnet would like users to submit artefacts in an XML or Python based format, and further information should be posted in the near future. There was some interesting discussion regarding these new walled gardens of artefacts; both Guidance and Magnet are calling for the community to assist them in improving their products, and both are explaining that those that submit are still able to share their submissions. It seems that some people believe that the submitters won’t necessarily share their findings. I’m in two minds about the whole thing, because currently the artefact parsing can be held behind closed doors; at least this way it can be shared (and in some instances even rewarded). I like this suggestion of an open standard, which I think this is meant to be, but I haven’t thoroughly explored it.
    The Magnet Artifact Exchange is Coming Soon

  • MSAB have an article about their XRY Library mobile app. This app can be used to determine whether a device is supported by XRY, but unfortunately, requires a customer login. I’ve never been a fan of hiding device support behind a customer ID because it makes it harder for me to determine if I need to become a customer of a product or not.
    Review full extraction & decoding capabilities of XRY easily

  • Joshua Faust has posted a dump of Cowrie Honeypot data, which contains a number of malicious binaries and scripts. These are being shared for educational and/or research purposes.
    I’m publishing all my Cowrie Honeypot Binaries weekly

  • Lee Whitfield at 337 Forensics has announced that his new venture will be sponsoring the 4Cast Awards this year.
    337 Forensics – Forensic 4:cast Award Sponsors

  • John Patzakis at the X1Discovery blog shares some cases where sanctions were imposed for data spoliation. These cases relate to situations where data has been intentionally destroyed, unwittingly destroyed due to lack of process, or where the collection was reliant on custodian self-collection.
    The Three Categories of eDiscovery Spoliation Sanctions

  • Scar at Forensic Focus shared a paper by Nadeem Alherbawi, Zarina Shukur & Rossilawati Sulaiman titled “A Survey On Data Carving In Digital Forensics”
    A Survey On Data Carving In Digital Forensics


  • Cellebrite released an update to their UFED line of products, now at version 6.1.6, adding “support for 180 new app versions for iOS and Android devices”, and fixing a number of issues.
    UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader 6.1.6 Maintenance Release (April 2017)

  • Dave at EasyMetaData has announced the first beta release of MetaDiver 3.0. The new release adds a variety of new features including keyword searching, picture review in the review window, and performance improvements, along with various bug fixes and other enhancements.
    MetaDiver 3.0 beta is released #dfir #infosec #metadata

  • Elcomsoft have released an update to their Phone Breaker tool, now at v6.46. “The update fixes the iCloud authentication issue and resolves the Invalid Credentials error, enabling customers to download iCloud backups and have continued access to files stored in iCloud Drive, synced data, and iCloud Photo Library.”
    ElcomSoft Phone Breaker 6.46 Fixes iCloud Authentication and Invalid Credentials Problem

  • Evimetry released v3.0.0-RC6 to “fix regression in iSCSI virtual disk on Windows 10.”
    Release 3.0.0-RC6 (UNSTABLE)

  • Phil Harvey has updated ExifTool to version 10.51 (developmental release). The update adds some new tags, as well as other minor improvements.
    ExifTool 10.51

  • FireEye released RedLine version 1.2 with a variety of new updates, including support for Win10 systems, and bug fixes. This thread on Twitter was also interesting; apparently, a bug has been introduced that “removed the ability to process existing memory images and removed MRI score”, which is being looked at currently.
    RedLine Release Notes

  • Magnet’s IEF was also updated last week, now at version The release notes aren’t publicly available, and it doesn’t appear that Magnet are sharing information on the release on their blog as readily as they are regarding Axiom. I was able to find a copy of the release notes online combining the IEF and Axiom release notes (because my understanding is they share the same processing engine, so the artefact updates and bug fixes should transfer). I am slightly worried that the company will be phasing out IEF and pushing their users further towards Axiom – something that comes with increased functionality, sure, but also an increased price tag – I’m not sure how that will go down with some organisations that already have defined workflows or limited budgets.
    2017.05.01 MagnetForensics software update

  • Microsystemation have released updates to a few of their tools.
    • XAMN Spotlight was updated to version 2.0, adding search filters, “source Mode to allow review of original hex data”, as well as other features.
      MSAB Announces XAMN Spotlight 2.0
    • They also updated XRY and Kiosk to v7.3.1, adding “support for iOS 10.3 in iCloud Backup extraction, improved chat decoding for Viber on iOS”, and a couple of bug fixes.
      Released today: XRY & Kiosk v7.3.1

  • Nir Sofer at Nirsoft has released a new tool, UninstallView, “that collects information about all programs installed on your system and displays the details of the installed programs in one table”.
    New uninstall tool for Windows

  • Paul Sanderson at Sanderson Forensics has updated Forensic Explorer for SQLite to v1.2.2, adding a number of enhancements and bug fixes.
    New Release 1.2.2

  • TZWorks updated a variety of their tools, including evtwalk, evtx_view, wacu, cafae, yaru, and dup.
    May 2017 build (package)

  • X-Ways Forensics 19.2 SR-4 was released fixing a variety of bugs.
    X-Ways Forensics 19.2 SR-4

  • X-Ways Forensics 19.3 Preview 1, and then Preview 2 were released with a variety of new features.
    X-Ways Forensics 19.3 Preview 2

And that’s all for Week 18! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
