Week 19 – 2017

If you’d like to vote this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting






  • James Habben at 4n6ir shares his thoughts on improving the soft skills – although in my opinion the list of steps can be transferred to most skill acquisition – realise the deficiency, commit, be accountable, find a mentor, and don’t waste time. All very valuable things when ensuring your improvement. I would also recommend listening to The Art of Charm podcast, which I’ve found to be interesting and focused almost entirely on soft skills acquisition (skip the earlier episodes). And thanks for the shout out! 😀
    Real Self Improvement

  • Martino Jerian at Amped shares his thoughts on a paper by Matthew P. J. Ashby titled “The Value of CCTV Surveillance Cameras as an Investigative Tool: An Empirical Analysis”.
    CCTV is more useful than we may perceive

  • DFIR Guy at DFIR.Training shared a couple of posts this week
    • The first is regarding the various ways that people can get into the DFIR field. I think regardless of the way that one gets into the field, the steps laid out in the second half of the post are quite important – basically do your research, read and educate yourself, share your findings, mentor/teach etc – don’t rely on anyone else for your improvement.
      The 2 Easiest Ways to get into DFIR
    • The second indicates, what appears to be, his frustration in purchasing software from certain vendors that require you to give them information in exchange for a price (which also may vary depending on the information you give them).
      Trading Personal Information for Price Quotes. Why do we do it?

  • Didier Stevens shows how to crack a password protected zip file using John The Ripper on Windows
    Quickpost: ZIP Password Cracking With John The Ripper

  • Matt Hernandez at DME Forensics shares some information about the new previewing feature in DVR Examiner 2.0
    DVR Examiner 2.0 Sneak Peak – Previewing

  • Oleg Afonin at Elcomsoft forecasts the future of cloud-based storage/authentication – they recently had to update their Phone Breaker tool to deal with an update by Apple. Also, the guys at Elcomsoft found that “Apple locks some iCloud accounts after downloading iCloud backup, requiring a change of password to continue using Apple ID-related services”.
    ElcomSoft vs. The Cloud: a Game of Cat and Mouse

  • “A number of the EU’s leading digital forensic experts have called for the adoption of the Cyber-investigation Analysis Standard Expression (CASE) as a standard digital forensic format”. A number of companies have been listed as implementing the standard.
    EU Forensic Experts Call For Action On New Cyber Investigation Standard

  • There were a few posts on Forensic Focus this week
  • Greg Smith at TrewMTE continues his series on evidence standard operating procedures
    • The first refers to adding a “removal of doubt (ROD)technique”, whose purpose is to assist “the examiner’s comprehension from the outset of the 5-Ws rule of thumb”.
      Contaminating Evidence FOUR
    • The second relates to APDU (application protocol data unit) command’s that can be run “to select particular data from a SIM card”.
      Contaminating Evidence FIVE

  • Microsystemation explain that they have simplified the driver installation process for XRY, replacing all of the separate drivers with a single one.
    Say hello to a single driver that lets you access your data hassle-free

  • OmenScan shares a post on using AChoir to copy files based on file signatures. AChoir allows an examiner “to load all the signatures into a table, and copy any files that match any of the extensions or signatures.”
    AChoir – Copying based on File Signatures

  • Yulia Samoteykina at Atola Technologies shows how to extract or reset the password on a variety of hard drives.
    Extracting and Resetting an Unknown ATA Password

  • Richard Wartell and Tyler Halfpop at Palo Alto Networks walkthrough how to obtain access to the LabyREnth 2017 teaser site.
    LabyREnth Teaser Site

  • SANS have announced that the numbering for the Windows Forensic Analysis class will be changed from SANS 408 to SANS 500.
    FOR408: Windows Forensic Analysis has been renumbered to FOR500: Windows Forensics Analysis

  • Wolfgang Ettlinger at SEC Consult shares an advisory of an exploit in Encase Forensic Imager which allows an attacker to execute code on a machine provided that a specially crafted LVM2 partition is loaded. I’m not sure if this will apply to Encase which I imagine shares a similar codebase. I’m also not sure how critical this is for those that use their forensic tools on an air-gapped network, which I imagine would be most law enforcement labs (considering it reduces the likelihood of a remote break, distributing a lot of badness). Guidance also doesn’t appear to think that threat is very serious.
    Chainsaw of Custody: Manipulating forensic evidence the easy way

  • Brad Garnett at Cisco shares some information about the workshop on Triage methodology that he will be teaching with Shelly Giesbrecht at Cisco Live! US 2017 on June 27th.
    Triage Forensics: Leveraging Digital Forensics during Incident Response

  • The Volatility twitter account tweeted a link to information regarding “critical details on using volatility 2.6 with Windows 10 / Server 2016 Anniversary and Creators Update”
    Check out @Volatility’s Tweet

  • Also if anyone reads this post from AccessData, the stylesheet for the product versions page appears to be having issues.


  • Alan Orlikoski advises that “CCF-VM has been updated with updated CDQR 3.1.3 & CyLR 1.3.2 versions”.
    Check out @AlanOrlikoski’s Tweet

  • Didier Stevens updated his zipdump Python script to version 0.0.6 to accommodate password protected files
    Crack A ZIP Password, And Fly To Dubai …

  • Didier also updated his re_search Python script to version 0.0.5 to fix a bug.
    Update: re_search.py Version 0.0.5

  • Guidance Software announced Encase Mobile Investigator (which I think is a revival of their previous Neutrino product). They also announced “the release of EnCase Forensic and EnCase Endpoint Investigator 8.05.” All three are expected to be out late June.
    Guidance Software Announced Encase® Mobile Investigator

  • “A new version of MISP 2.4.73 has been released including new features, improvements and bug fixes.”
    MISP 2.4.73 released

  • I have released a new tool that parses URLS generated by Google Search. SANS have also uploaded the webcast that I gave on my research. I do intend on converting the tool to Python once I get around to learning Python…which will have the added benefit of becoming a Hindsight plugin
    Introducing GSERPent

  • James Habben has updated his Firefox Cache parser to extract data from a flags field
    Check out @JamesHabben’s Tweet

  • X-Ways Forensics 19.3 Preview 3 was released adding a new feature for setting an alternative name of a file, a new menu command for collapsing the file tree, and some fixes.
    X-Ways Forensics 19.3 Preview 3

And that’s all for Week 19! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s