Week 21 – 2017

If you’d like to vote this site for the Forensic 4cast blog of the year, that would be greatly appreciated 🙂 Only a few more days to go till voting closes too.
2017 Forensic 4:cast Awards – Voting


  • Luis Rocha at Count Upon Security talks about the USNJrnl artefact on NTFS, and how to examine it using Joakim Schicht’s UsnJrnl2Csv utility.
    Digital Forensics – NTFS Change Journal

  • The guys at Cyber Forensicator shared a paper by Arafat Al-dhaqm, Shukor Razark, Siti Hajar Othman, Asri Ngadi, Mohamad Nazir Ahmed, and Abdulalem Ali Mohammed on the “Development and validation of a Database Forensic Metamodel”
    Development and validation of a Database Forensic Metamodel (DBFM)

  • Brian Carrier has started a series “about responding to an endpoint and what to look for.” The first article looks into a variety of tools and evaluates them against a criteria.
    Intro to IR Triage: Buyer’s Guide

  • Igor Mikhaylov & Oleg Skulkin at Digital Forensics Corp talk about SIM card and how to extract the data they hold using Oxygen Software Extractor.
    SIM cards Forensic Analysis with Oxygen Software

  • Preston Miller at DPM Forensics shows how to use Python and simpleKML to present location data in a KML format for easy viewing in Google Earth.
    Spotlight: Tracking a User’s Whereabouts with simplekml

  • Lee Whitfield at Forensic 4Cast shows why blanket statements can be dangerous by providing a few examples of deleting files and the changes to their MAC times as a result. Deleting a file on Windows may result in the Entry Modified time being changed, however this is because the filename is changed. If the file is deleted without going through the Recycle Bin (ie shift-delete), then the removal process doesn’t update any timestamps. “There will be instances where metadata may change immediately before the deletion took place, especially when using third-party tools, but the MAC times are not updated on file deletion”
    Deleted vs “Deleted”

  • Jim Hoerricks shares a quick report formatting tip for Amped Five.
    A report formatting tip for FIVE

  • Jim also shows how to use Five to unroll an image from a 360 degree camera into a panorama shot.
    Unroll 360 degree camera views with one click

  • Lastly, Jim shows how to use “Auto Selection Mode, [which] automatically identifies frequencies to remove without user intervention” in Amped Five/Axon Five
    FFT for video – yes, video

  • Foxton Forensics blog has a post showing how Browser History Examiner (BHE) can “help analyse internet history for any plain text passwords that might be inadvertently stored there.”
    Uncovering plain text passwords in internet history

  • Darryl at Kahu Security shares some information from an analysis of an infected PC where “an attacker used several NSA tools just four days after the Shadow Brokers’ dump then it burned the PC with ransomware when they were done with it.” He warns that attackers are going to be playing around with these NSA tools and these tools don’t really leave much of a trace behind.
    Not Your Typical Ransomware Infection



  • Chris Sanders released episode 5 of the Source Code podcast, interviewing Gerald Combs on growing up in Kansas City and his experience in building Wireshark.
    Source Code S1: Episode 5 – Gerald Combs

  • The Down the Security Rabbithole podcast travelled to Las Vegas this week for Enfuse and produced a few shows.
  • Four Forensic Lunches this week! So much to watch, and Dave, you’re right, I wasn’t going to be up at 3AM watching, but thanks for the shout out!
    • Day 1 at Enfuse! Dave and Matthew hosted Amber Schroader, Matt Mcfadder, and Matt Bromiley. Amber spoke about her presentation on IoT, particularly in relation to kids toys (that bear was creepy), and the Paraben Symposium and Paraben’s E3 platform. Matt M, the director of training at Guidance spoke what’s changing in the world of training, changes to the EnCE (focusing on version 8)., and the Certified Forensic Security Responder (CFSR) certification. Matt B then discussed WannaCry and the other tools dumped by the Shadow Brokers.
      Forensic Lunch 5/23/17
    • On Day 2, Dave and Matthew hosted Steve Whalen, Jake Williams, and Dmitri Sumin. Steve introduced Recon Imager, Sumuri’s new Mac imaging product and why they decided to produce it (it’s a low cost alternative to Macquisition for those that haven’t played around with it. It doesn’t have the triage capability, but it’s imaging and RAM acquisition seems to be good). Jake spoke about Wannacry, as well as Rendition Sec’s 24/7 SOC. Dmitri then spoke about Passware’s products and cloud acquisition, as well as GPU acceleration.
      Forensic Lunch 5/24/17
    • On Day 3, Dave hosted Lesley Carhart, Bradley Schatz, and Ashley Hernandez. Lesley spoke about her experience winning the first Enfuse Women in Technology prize (congrats!), as well as her current research interests including win10, win internals, memory forensics, private browsing artefacts. She requested if anyone’s interested in working with her on her research to get in touch. Next, Bradley spoke about his work on Evimetry and the AFF4 standard. The AFF4 standard is very interesting from an efficiency standpoint, and is responsible for a number of the cool things that Evimetry can do. Bradley also briefly spoke about the imaging device that Evimetry has put together to speed up the imaging process. If people haven’t seen the tool in action I’d highly recommend checking it out – Bradley explained that he is able to image a 500GB NVME drive to 2 highspeed SSD’s (in a RAID) in about 5 minutes. Bradley also spoke about DFRWS which is taking place in Austin in August. Lastly, Ashley Hernandez, Director of product management at Guidance came on to speak about the future of Encase and some of their offerings. Guidance is going to be moving some of the most used enscripts into core Encase, which is a great move. She also provided some more details on the new Mobile Investigator product, which has two components. The first allows examiners to acquire devices and is built into Endpoint and Forensic. The output is stored into a Logical Evidence File. The second component, which is a paid addition, does the parses the various artefacts in the LEF.
      Forensic Lunch 5/25/17
    • Lastly, Dave hosted Jessica Hyde and Brian Moran to talk about their upcoming presentation on IoT device forensics at the DFIR Summit. Jessica and Brian shared that they were able to determine a non-destructive acquisition method for getting data of an Amazon Echo and Dot, as well as what data that can be found on there. Jessica then gave a bit of information about what Magnet Forensics is up to including their artefact exchange, Magnet AI, and how Axiom can be used to correlate data.
      Forensic Lunch 5/26/17

  • Guidance Software released a number of videos on their YouTube channel, mainly about EnCase Endpoint Security (although there were a couple of videos about transitioning to Encase v7, which may need to be replaced with videos about v8)
  • Angela Bunting and Peter Fetzer at Nuix have a presentation on using audio in discovery and investigations
    Four myths about using audio in discovery and investigations

  • On this week’s Digital Forensics Survival Podcast, Michael goes over the Skype application and the data that can be examined. Michael mentioned the Nirsoft Skype viewer, I would also recommend Skyperious; I really like the way that conversations are laid out in it.  
    DFSP # 066 – Skype Forensics

  • Richard Davis shared “an introduction to memory forensics and a sample exercise using Volatility 2.6 to analyze a Windows 10 image.”
    Introduction to Memory Forensics




  • Berla released an update to iVe, now at version 1.11. “Headlining this release is support for SYNC generation 3, the latest version of Ford’s SYNC systems that are used in much of the Ford lineup throughout the world”. “Additionally, iVe 1.11.4 includes the ability to export files in .xry format for use in MSAB’s XRY suite, plus several minor improvements to the user interface and experience.”
    iVe v1.11 Released

  • Didier Stevens updated his zipdump tool to version 0.0.8 to add “handling of zlib errors when performing a dictionary attack.”
    Update: zipdump.py Version 0.0.8

  • Evimetry 3.0.0 was released with major features and bug fixes/improvements. One of the major updates is the adoption of the AFF4 Standard v1.0, for more information on the release watch Bradley Schatz’s talk during the Enfuse Day 3 Forensic Lunch.
    Release 3.0.0

  • Phil Harvey released ExifTool 10.54 (developmental release), adding support for a number of new tags, and features.
    ExifTool 10.54

  • GetData updated Forensic Explorer to v3.9.8.6498 with some minor improvements/fixes.
    22 May 2017 – v3.9.8.6498

  • Willi Ballenthin updated python-evtx to version 0.6.0 with “lots of enhancements to improve code quality”.
    Release v.0.6.0

  • Magnet Forensics updated Axiom to version 1.1.1. The update adds “the ability to create Custom Artifacts using Python”. They also added automated searching 7-zip containers (although I’m not sure if this includes password protected files…maybe there’s an option to add a list of password?), and filtering conversations in column view.
    AXIOM’s Custom Artifacts Now Supports Python Development

  • Jean-David Gadina released a macOS keychain cracker on Github
    Check Out @macmade’s Tweet

  • Adam Witt has released a “Python script to carve Windows Prefetch artifacts from arbitrary binary data”.
    Check Out @_TrapLoop’s Tweet

  • X-Ways updated X-Ways Forensic 19.1, 19.2, and 19.3.

And that’s all for Week 21! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s