Week 30 – 2017

I keep forgetting to mention, if people want to be notified when these posts come out then there’s a place to enter an email address on the left-hand side. I do get to see your email, but I’m not going to be doing anything with the information if that was a concern. Alternatively, there’s RSS 🙂

FORENSIC ANALYSIS

THREAT INTELLIGENCE/HUNTING

UPCOMING WEBINARS

  • The CFP for the SANS Cyber Threat Intelligence Summit 2018 is open and closes on Monday, 7 August at 5 pm EDT. The event will take place January 29 & 30, 2018 at the Hyatt Regency Bethesda (MD).
    SANS CTI Summit 2018 CFP

PRESENTATIONS/PODCASTS

MALWARE

MISCELLANEOUS

  • Xavier Mertens at /dev/random shares a short bash script to automatically download the Blackhat 2017 presentations.
    Lazy BlackHat Presentations Crawler

  • The guys at Black Hills Information Security share their advice for getting into the information security field.
    How to Get into Information Security

  • Brett Shavers has a post about conducting an investigation. “Define the goal so you know what to look for, know where to look, and figure out how to look for it. Apply this to every case and incident you have and your case closure rates will be much better with less work.” Brett mentions that this type of thinking can be applied to any number of investigations, not just the digital ones.
    Anonymity: Criminals are only as good as their last mistake

  • ClearSky have released a report on “Operation Wilted Tulip”, regarding the cyberespionage group CopyKittens. “Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active. It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group’s modus operandi. We dubbed this activity Operation Wilted Tulip.”
    Operation Wilted Tulip – Exposing a Cyber Espionage Apparatus

  • Matt Shannon at F-Response advised of a change in dropbox datetime formatting that “have made it not possible to obtain the modified dates for files at Dropbox with the most recent 6x release”. They are “evaluating either making the change in v6 or moving v7 to production very soon.”
    F-Response and Dropbox Dates & Times

  • There were a few posts on Forensic Focus this week.

  • Brian Baskin at Ghetto Forensics walks through some of the sections of the Palo Alto Networks’ Labyrenth 2017 challenge.
    Exploring the Labyrenth (2017 Edition)

  • OpenText has purchased Guidance Software. I’m not sure what this will mean for Encase or Tableau going forward.
    OpenText to Acquire Guidance Software

  • Pieces0310 puts a call out for help – Apparently, they have identified an issue with Encase v8.05 where index searches may or may not work on Win10. They performed testing on a few other installs of Win10 and found that sometimes it works, sometimes it doesn’t.
    Something wrong with EnCase v8 index search results – Pieces0310

SOFTWARE UPDATES

  • AceLab have released PC-3000 Express/UDMA-E/Portable Ver. 6.3.12, and Data Extractor v.5.6.8 during the week. The updates include “recovering data from locked Seagate F3 Rosewood HDDs”, and “Greatly improved parsing algorithm for damaged XFS and HFS+ file systems”.
    Unlocking the Seagate F3 Rosewood drives is possible now!

  • Alan Orlikoski released CCF-VM v2.0 with various updates to CDQR, Kibana, and ElasticSearch, as well as the inclusion of TimeSketch, Redis & MySQL.
    CCF-VM v2.0

  • Cellebrite updated UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader 6.3.5. The update adds “additional capabilities to the extraction summary that enable you to quickly copy and export Device Info and Device Content without needing to generate a full report” as well as updated app versions and bug fixes.
    UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader Version 6.3.5

  • Didier Stevens updated a number of his tools this week.

  • DVR Examiner 2.0.1.0 has been released; however, I wasn’t able to find public release notes.

  • GetData updated Forensic Explorer to v3.9.8.6618 with various updates and bug fixes.
    27 July 2017 – v3.9.8.6618

  • Matthew Seyer has released RustyLnk v0.1.1 which, as the name suggests, is a LNK parser written in Rust.
    RustyLnk v0.1.1

  • Oxygen Forensics have updated their Detective product to v9.4.2 adding the ability to obtain physical extractions from the latest “passcode-locked Motorola devices running Android OS”, as well as new apps and updated support for existing apps.
    Oxygen Forensic® Detective gets into locked Motorola devices!

  • There were a few updates to various X-Ways products this week.

And that’s all for Week 30! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
