Week 26 – 2017

Aaaaaaaaand we’re back 😀 I am considering going back and fixing up the last two posts, but that depends on both a) interest by readers and b) my time


  • There were a couple of posts by the guys at Amped Software
    • David Spreadborough shows how to use Amped Five to collaborate in a video analysis and investigation. “The idea is that someone in one of the collaborative forces or local units completes some analysis, restoration or enhancement.”
      Learning & Development
    • Jim Hoerricks shows how to use the Temperature Tint filter
      The Temperature Tint Filter
  • The guys at Cyber Forensicator shared an article by Arman Gungor at Meridian Discovery “forensic analysis of Microsoft Outlook attachments” particularly in relation to their timestamps.

    Forensic Analysis of Email Attachment Timestamps in Outlook

  • Eliézer Pereira has a post on the Forensic Focus blog on some simple RAM analysis
    RAM Forensic Analysis

  • Garrett Pewitt at Forensic Expedition explains why he uses Microsoft OneNote to document his examination.
    Microsoft OneNote for Forensic Case Notes

  • Volume 21 of the Journal of Digital Investigation has been released.
    Digital Investigation – Volume 21 (June 2017)

  • Jamie McQuaid at Magnet Forensics shows how to use custom recovery images to acquire supported Samsung Android devices. For those that don’t do mobile forensics often, I’d pay particular attention to the last couple of paragraphs about “how” the recovery partition works. I’d also stress the last line; if you use a custom recovery you will not be able to access the data stored in KNOX. If you suspect that the user is using KNOX then you should seek other means of accessing that data before attempting to use the custom recovery. I’ve also seen instances where custom recovery’s result in the phone going into a boot loop. In that instance, you can download the original firmware (sammobile is a good resource) and reflash it using Odin. To determine the original firmware, take note of it in the bootloader options PRIOR to flashing the recovery partition (as in, it’s a good idea to do this every time).
    Android Recovery Acquisitions with Magnet AXIOM

  • The Nuix team shared an article by Erika Namnath at H5 on tips for reducing your eDiscovery workload. Many of the tips can be used for forensic analysis as well.
    Partner Featured Article: eDiscovery Tips to Reduce Stress (and Spend)

  • Ryan Benson at Obsidian Forensics shows how to create a visualisation of the metadata in an encrypted iOS backup.
    Visualizing Activity from Metadata

  • David Kovar & Greg Dominguez have a post on Paraben’s blog regarding preparing for a UAV examination (including documentation).
    UAV Forensics for First Responders By David Kovar & Greg Dominguez

  • Dr. Ali Dehghantanha has a guest post (the first in a series) on the SANS Internet Storm Centre Handler Diaries regarding BitTorrent Sync. “This diary post explains artefacts of directory listings and files of forensic interest of BitTorrent Sync version 2.0 on Windows 8.1, Mac OS X Mavericks 10.9.5, and Ubuntu 14.04.1 LTS.”
    Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud  (Part 1), (Mon, Jun 26th)

  • Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ posted a couple times this week
  • Jacob Wilkin at TrustWave SpiderLabs walks through a “lock screen authentication bypass” in the Elephone P9000.
    Elephone P9000 Lock Screen Lockout Bypass







  • Mobile Phone Examiner Plus (MPE+) 5.8.0 was released during the week. Release notes can be found here. The update adds support for iOS 9/10 and Android 6/7, as well as “extracting voice recording data from the Apple Voice Memos app” and “file system and SD card data within a dLogical extraction”.
    Mobile Phone Examiner Plus (MPE+) 5.8.0

  • Phil Harvey has released ExifTool 10.58 (development release) adding some new tags and bug fixes.
    ExifTool 10.58

  • Guidance apparently updated Encase 8 to 8.05 last week, adding in the Mobile Investigator section. Unfortunately, the release notes aren’t public, but special thanks to the guys at Focus Systems (and Google Translate) for sharing some excerpts. Vendors, please stop putting release notes behind a login screen and make them publically available.
    2017.06.27 EnCase Forensic Software Update / EnCase Mobile Investigator Release

  • Adam Witt has patched Mandiant’s ShimCacheParser to add support for Windows 10 Creators Update.
    Updated ShimCacheParser

  • Oxygen Forensics have released an update to their Detective product (v9.4.1), including improvements to the SQLite viewer, cloud extractor, and support for additional app versions.
    Enhanced Apps Analysis with SQL queries

  • Passcovery have updated their Passcovery Suite to version 3.5, adding “support of Apple iOS 10.2 backup files”, “GPU-enabled processing on NVIDIA GP100 and NVIDIA GK210”, “instant removal of passwords from weakly-protected Microsoft Excel/Word 2013-2016 files”, and “accelerated recovery of passwords for ZIP files with classic encryption”.
    Passcovery has released an update of its professional password recovery solution — Passcovery Suite 3.5

  • Peter Van Hove has announced the release of IsoBuster 4.0 with a multitude of changes including “improved and powerful search functionality, an updated GUI, much faster image file access and auto-detection of drive add or removal.”
    IsoBuster 4.0 released

  • X-Ways Forensics 19.3 SR-1 was released with various bug fixes, and “some improvements for execution in Wine under Linux”,
    X-Ways Forensics 19.3 SR-1

  • YARA 3.6.2 was released with a couple of bug fixes.
    YARA 3.6.2


And that’s all for Week 26! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s