Week 20 – 2017

If you’d like to vote this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂
2017 Forensic 4:cast Awards – Voting



  • Barry Hensley at SecureWorks cautions the use of free threat intelligence as your only source of intel. “There is a lot to be gained from open source intelligence analysis, including free threat intelligence feeds, but the cost to extract that value is not insignificant and relies on gaining an understanding of what the data represents, how it is collected, when it was collected and perhaps crucially, what is missing.”
    Cyber Intelligence as a Free Lunch: Let the Buyer Beware

  • Lesley Carhart shares a list of publically noted malware sinkholes.
    Consolidated Malware Sinkhole List




  • Kevin DeLong at Avairy Forensic Solutions has described a number of important skills that a digital forensics practitioner should have/learn.
    Essential Skills for a Digital Forensic Examiner

  • Ryan Francis at CSO interviewed Ryan Benson, senior threat researcher at Exabeam and author of Hindsight, covering a day in his work life…yet skipping the important questions like toothpaste and breakfast cereal 🙂
    A day in the life of a threat researcher

  • Philippe Lagadec has released “a python library to create, parse and edit cyber incident reports using the IODEF v1 XML format”, called iodeflib.
    iodeflib – a python library to create, parse and edit IODEF incident reports

  • There were a couple of posts on the DME Forensics blog this week
    • Jimmy Schroering explains how DME Forensics was founded.
      Growth in a Small Forensics Company – The Beginning
    • Jason Latham has a post on looking at an examiners certifications when reviewing their CV, covering “Vendor/Tool Specific and Discipline Specific Certification.” Ultimately a certification should show “do you have the knowledge (test) and can you use this knowledge to solve a problem with a known outcome or solution (practical exam)”. When reviewing a CV you should question the certifications that a person has, especially if they’re not known to you, and weigh up the level of expertise required to obtain the certification. As a side note, I’m not a huge fan of certifications that show you’re competent in using a tool, only because I don’t want the court system to require an examiner to be certified in every tool that they use. This has massive implications for organisations that use multiple tools and have a limited budget.  
      Not all that glitters is gold: What to look for in a Forensics Expert – Part II – Certification

  • Vladimir Katalov at Elcomsoft shares his thoughts on Elcomsoft’s ability to recover iCloud data that Apple assures is removed. Elcomsoft have reported a number of instances to Apple regarding their ability to extract data from iCloud that was supposedly deleted, however, Apple hasn’t necessarily responded appropriately. I do think it’s interesting that Elcomsoft identifies and extracts this data, which is no doubt very useful to their law enforcement customers, and then gets Apple to patch the bug. It’s always a complicated issue because people want security for their devices, but LE needs to be that adversary that finds their way in to put the bad guys away.
    On Apple iCloud security and ‘deleted’ notes

  • Scar at Forensic Focus will be attending Enfuse next week and requested that “if there are any topics you’d particularly like us to cover, or any speakers you think we should interview” then to let her know in the comments. She then progressed to provide an overview of the conference.
    Enfuse 2017 – Las Vegas 22-25 May

  • There were also a couple of papers shared on Forensic Focus’ blog this week
  • The CFP for the 9th International Conference on Digital
    Forensics and Cyber Crime (ICDF2C) has been extended until May 29th. The conference will be held in Prague, Czech Republic October 9-11, 2017.

  • The guys at Magnet Forensics show how improvements in data processing speeds have improved performance of IEF and Axiom by 30%. It does appear that Axiom is slightly faster than IEF.
    An Update on Magnet AXIOM Processing Speed Performance

  • Magnet Forensics have announced that they will be releasing a whitepaper later this month on their new Magnet AI; “Magnet Forensics’ machine learning algorithm that helps triage devices to identify whether there is content or data on the devices that could show intent to lure, or groom, children for illicit sexual activity.”
    How to Identify Child Luring: New White Paper Coming Soon!

  • Greg Smith at TrewMTE continues his thesis on contaminating evidence regarding SIM card examination.
    Contaminating Evidence SIX

  • Dr Graeme Horsman is seeking “assistance from practitioners, in-house test and examination departments and laboratories regarding thoughts on testing in terms of the tools that are used” in the Institute for Digital Forensics LinkedIn group. “Access to content and discussions is open to LinkedIn members who request and are approved for membership to the group”.
    Study into Carving Validation

  • Yulia Samoteykina at Atola Technologies explains the benefits of segmented hashing when imaging damaged hard drives. When verifying a damaged drive using segmented hashing “only the hash of the damaged segment will become invalid” rather than the whole hash. She then shows how to verify segmented hashing using Insight.
    Verifying Damaged Target Images with Segmented Hashing

  • Lesley Carhart asks a number of InfoSec professionals whether it’s worth, or is a requirement to, go to college. This also spurred some discussion on Twitter; here and here
    College and Infosec: To Degree or not to Degree?

  • Paul Melson created an Incident Response Scorecard that people may find useful.
    Check Out @pmelson’s Tweet


And that’s all for Week 20! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s