Week 27 – 2017

Long one this week…so took me a bit longer than usual, but at least here it is!







  • Starting this section of with a community announcement. Stacey Randolph has created a new hashtag, #DFIRFIT, for those “DFIR folks interested in or working on getting healthier”. Even if you’re not looking to get healthier, or are in (apparently) peak physical condition, then jump on and encouage everyone else!
    Check out @4n6woman’s Tweet!

  • Martino Jerian at Amped shows “how to start with the integration and how the two software [Amped Five and Griffeye Analyze] work together.”
    Amped FIVE and Griffeye Analyze: Introducing the Integration

  • “Microsoft has made a change in the Bing Online Map’s service. As a result, the Online Maps functionality will stop working from June 30th 2017 in the following products”: UFED Logical/Physical/Cloud Analyzer, UFED Analytics Desktop, and UFED InField. “Cellebrite recommends updating these products to the latest version in order to restore the Online Maps functionality.”
    Important Update for Online Maps

  • DFIR Guy at DFIR.Training talks about sharing in the DFIR community and appears to be happy at how far the industry has come with regards to sharing both knowledge, and interesting cases (generally speaking of course). “We finally figured out how to share the issue of specific problems with the result of all of us solving the same problem that we have in our different cases and incidents.”
    Times have changed….

  • The guys at Digital Forensics Corp shared an article explaining how to enable/disable the various version of SMB.
    How to enable and disable SMB

  • There was a post on Execute Malware regarding setting up an ELK stack to visualise honeypot data.
    Honeypot Visualization Revisited

  • Scar at Forensic Focus interviewed Guidance Software’s Paul Shomo and Ashley Hernandez at Enfuse on their backgrounds, Guidance, gettings into the field, and the forensic artefact awards among other topics.

  • Axelle Apvrille at Fortinet gave an overview of the “Symposium sur la sécurité des technologies de l’information et des communications” or SSTIC conference. Apparently, most of the presentations are in French (which is to be expected at a French conference….)
    SSTIC 2017 in a Nutshell

  • A new project has been started called the “Hardware Forensic Database”. The project’s aim is to provide “a collaborative knowledge base related to IoT Forensic methodologies and tools.”
    Hardware Forensic Database

  • Dan at LockBoxx reviews Jeff Bollinger, Brandon Enright, and Matthew Valites’s book “Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan”
    Book Review: “Crafting The InfoSec Playbook”

  • Robert Merriott guest posted on Mobile & Technology Exploration regarding contemporaneous notes using Forensic Notes. I used to use a dedicated note-taking tool, however that produced notes in a proprietary format (which you could extract data from manually but it was a pain), and I was asked to just use Word instead – which makes sense – it doesn’t have tracking etc as noted in the article, however if I’m working on an image it doesn’t really make much difference if I move my notes around to make more sense to the reader. If a defense attorney is calling my evidence into question based on my notes being modified then they should be getting a defense examiner to verify my findings to begin with. It is interesting that “In some American states, it is apparently common practice to destroy both paper and electronic notes once a final examination report has been written.” I have no idea how this makes sense; especially if the court date is years after your examination.
    What’s happening with Contemporaneous Notes

  • OMENScan at Musectech has started a Google Group to track the artefacts created by free and open source live response utilities.
    Announcing Google Groups Forensic Utilities Artifacts Forum

  • Paul Slater at Nuix has published a paper that “lays out how to establish a hyperlab through proper preparation,
    treatment of evidence and application of existing and emerging Nuix technology.” “An investigation hyperlab combines planning, process and technology to take
    advantage of available resources across geographical gaps and answer the challenge of growing case sizes and backlogs that investigators face today”.
    Hyperscaling Digital Investigations

  • Yulia Samoteykina at Atola Technology shows the variety of hard drives that they use to test their devices.
    How we test our devices

  • Jasper at Packet Foo provided a recap of the 2017 Sharkfest, the annual Wireshark conference.
    Sharkfest 2017 US Recap – 10 years of Sharkfest!

  • Dan Guido has updated the CTF field guide with new section on forensics CTFs
    Take a look at @dguido’s Tweet

  • Mary Ellen at “What’s A Mennonite Doing In Manhattan?!” comments on her recent experience at the DFIR Summit and specifically the lessons learned from being nominated as one of the finalists in the DFIR organisation of the Year category for the 4Cast awards. She also encouraged people to share their research/work because the community “only gets better if everyone contributes.”
    How to Lose Like a Champion


And that’s all for Week 27! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

2 thoughts on “Week 27 – 2017

  1. It appears the Digital Forensics Corp links in various sections are (mis) quoting the original posts without actually linking to them. Maybe I’m missing some embedded content that’s not loading for me but the actual DFC posts don’t appear to be of value – I just get dead ends!


  2. The links to the original articles are usually at the end. They’re not always immediately apparent because they’re not underlined.
    I’d suggest emailing them about fixing that, but I’m going to keep including their content because there’s still value (if you can find the link)


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s