Week 28 – 2017

FORENSIC ANALYSIS

THREAT INTELLIGENCE/HUNTING

  • The guys at Digital Forensics Corp shared a paper by Pablo Gonzalez Perez and Francisco Jose Ramirez Vicente called “Hidden Network: Detecting Hidden Networks created with USB Devices”. “This paper reflects the possibilities provided by the so-called Hidden Network and how these can be identified and focused on protection of these issues inside a corporate network.”
    Detecting Hidden Networks

  • Anthony Giandomenico at Fortinet lists the various types of threat actors and threat intelligence
    Byline: Know Your Enemy: Understanding Threat Actors

UPCOMING WEBINARS

PRESENTATIONS/PODCASTS

MALWARE

MISCELLANEOUS

  • James Habben at 4n6ir comments on the need for people to take ownership when relaying a message to ensure that all parties “correctly understand the message”.
    Soft Skills: Respect

  • ACELab have released a post explaining how to upgrade your PC-3000 by purchasing the “new Intelligent Power Supply Unit with oscilloscope functions”. “You can replace the previous version of the power supply unit with the new one. There is no need to replace the PC-3000 Express board itself.”
    Upgrade your PC-3000 Express to Rev.2.0 with the new Intelligent Power Supply Unit!

  • Peter Bright at Ars Technica wrote an interesting article about how a document released in the Panama Papers was determined to be forged based on the font selection. The document purported to be from 2006; however, the Calibri font “didn’t actually ship in a stable version of Windows or Office until 2007”. It’s possible that it was used in real documents before then; it’s just unlikely.
    Not for the first time, Microsoft’s fonts have caught out forgers

  • Blackbag Technologies announced that MacQuisition 2017 is going to be released soon, adding support for the latest Macs as well as imaging APFS drives. The only correction I’d make to the article is the claim that “MacQuisition™ is the only forensic solution that runs within a native OS X boot environment”; from speaking to Sumuri, Recon Imager also runs in a native OS X boot environment. Regardless, MacQuisition is still a great tool to use to acquire Macs (especially when FileVault is involved).
    MacQuisition™ 2017 Coming Soon!

  • Brett Shavers has released a new training course based on his 4Cast award-nominated book, “Hiding Behind The Keyboard”. The course contains “more than 12 hours of investigative methods and effective techniques to build a case against criminals who use technology to commit crimes.” There’s even a promo going this week for the first 100 people to purchase the course (at half price too!).
    Placing the Suspect Behind the Keyboard online course

  • Didier Stevens posted a couple times about ClamAV
  • Deepak Kumar shares a variety of digital forensics models.
    Forensics Frameworks/Models

  • Scar at Forensic Focus interviewed Jad Saliba of Magnet Forensics fame.
    Interview With Jad Saliba, Founder & CTO, Magnet Forensics

  • Garrett Pewitt at Forensic Expedition finishes off his series on using Microsoft OneNote for taking case notes by showing how users can import and export data from their notebook, as well as some of the other features – the previous versions and edit tracking look like they could be helpful.
    Microsoft OneNote for Case Notes – Part Three

  • John Patzakis, Esq. at X1 Discovery posted about an interesting development in Canadian courts, where the RCMP used screen recording tools to capture social media evidence instead of a dedicated tool (in this case, X1’s Social Discovery tool). As a result, the evidence was not immediately accepted and, instead, additional qualifying information was sought. John mentions that this has significant implications for various courts around the world (mainly Commonwealth countries, but also the US once FRE 902(14) comes into effect). DFIR Guy at DFIR.Training didn’t appear happy with the ruling.
    Canadian Court Admonishes Police for Submitting Facebook Screenshots as Evidence

  • Yulia Samoteykina at Atola Technologies shows how to print reports from Insight Forensic.
    Case Management: Print reports from a case

  • Giselle A. Morales at Precision Discovery explains how analysis of a car’s infotainment system can prove invaluable to various types of cases.
    Your Car Is Storing Your Secrets

  • Andrea Fortuna at “So Long, and Thanks for All the Fish” shared a few posts this week
  • The Scientific Working Group on Digital Evidence have published a few papers for comment.
    Check out @SWGDE’s Tweet

  • Martijn Grooten at Virus Bulletin wrote a review of Bsides Athens
    Review: BSides Athens 2017

SOFTWARE UPDATES

  • Apache Tika 1.16 has been released to extract a number of additional artefacts, as well as bug fixes.
    12 July 2017: Apache Tika Release

  • Cellebrite updated their UFED line of products to version 6.3. The update incorporates hash sets including project VIC, improved carving, as well as various other new features.
    UFED Physical Analyzer, UFED Logical Analyzer, UFED Reader 6.3 (July 2017)

  • Didier Stevens updated his zipdump Python script to version 0.0.10, adding the “option --yarastringsraw … to view just the matched string”
    Update: zipdump.py Version 0.0.10

  • Elcomsoft updated a couple of their tools this week
  • Eric Zimmerman has updated Timeline Explorer to v 0.5.5.0, ShellBags Explorer to v 0.9.0.1, and XFIM to v1.7.0.0. You can download the latest versions of these tools here

  • “A new version of MISP 2.4.77 has been released including security fixes, bug fixes and various improvements.”
    MISP 2.4.77 released

  • MobilEdit updated a couple of their tools this week
    • MobilEdit Forensic 9.1 was released, adding “support for Android 8.0 and iOS 11 beta, new phones and iPads supported and the update brings many other new improvements.”
      MOBILedit Forensic 9.1 released!
    • Forensic Express 4.1 was also released, adding “Cloud Analyzer, support for iOS 11 beta, application downgrade so rooting is no longer needed for applications data analyzer, Documents Analysis feature, faster more stable analysis and more”
      Forensic Express 4.1 Released!

  • Nir Sofer at Nirsoft has released a new tool, RegistryChangesView, which “is a new tool for Windows that allows you to take a snapshot of [the] Windows Registry and later compare it with another Registry snapshots, with the current Registry or with Registry files stored in a shadow copy created by Windows”
    New tool that compares snapshots of Windows Registry

  • Radare2 v1.6 has been released. “This release comes with major improvements in GDB Client/Server, Windows support, timeless debugger and many stability bugfixes. Also adds support for PPC VLE, Ethereum Virtual Machine, workaround to properly configure the disassembler on PlayStation2 ELFs and added support for the Hexagon CPU”
    radare2-1.6 aka Digital Lettuce

  • X-Ways Forensics 19.0 SR-15, 19.1 SR-9, and 19.2 SR-7 were released to incorporate “several of the fixes introduced in later versions”
  • X-Ways Forensics 19.3 SR-4 (and SR-3) was released during the week fixing a variety of bugs.
    X-Ways Forensics 19.3 SR-4

  • X-Ways Forensics 19.4 Preview 2 (and preview 1) was released during the week with a number of new features.
    X-Ways Forensics 19.4 Preview 2

And that’s all for Week 28! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
