This Month In 4n6 – July – 2017

Monthly wrap up of the DFIR news for July 2017!

I haven’t really decided if I want sponsors or to Patreon this, so I would appreciate some feedback regarding that.

Special thanks to my friend Jeff (Animatic on Soundcloud) for letting me use one of his tracks.

Show notes:

  • Oleg Afonin at Elcomsoft has compared the data that can be extracted from various cloud sources including Google Drive, Apple iCloud and Microsoft OneDrive using Elcomsoft’s tools.
  • Garrett Pewitt at Forensic Expedition continues his series on note-taking using OneNote part 2 and part 3.
  • On the topic of note taking, Robert Merriott guest posted on the Mobile & Technology Exploration blog about the pros and cons of the variety of ways that examiners can take notes.
  • Jonathon Poling at Ponder The Bits digs into the hibernation file, as he has noticed that a number of the artefacts we used to get aren’t being extracted since Windows 8.
  • Dr. Ali Dehghantanha had a number of posts on the SANS Internet Storm Center covering BitTorrent Sync version 2.0.
  • Arsenal Consulting released some information about a forged digital forensics report, which may be the first forged DF report to have been discussed publicly.
  • Cindy Murphy at Gillware Digital Forensics shared a case where chip extraction/reading didn’t work and instead a transplant was required on a mobile phone.
  • Adam at Hexacorn provides “a brain-dump of ‘malicious’ ideas that memory forensics will not help with, or will find at least challenging”.
  • Devon Ackerman and Mary Ellen Kennel joined David Cowen on the Forensic Lunch to talk about their AboutDFIR project.
  • Brett Shavers has released a new training course based on his 4Cast award-nominated book, “Hiding Behind The Keyboard”. Brett also published a post with a lesson on investigations that can be applied across the board.
  • Chris Sanders has released a new online course on using ELK for security analysis.

  • John Patzakis, Esq. at X1 Discovery posted about an interesting development in Canadian courts: the RCMP used screen-recording tools rather than a dedicated collection tool to capture social media evidence, with the result that the evidence was not immediately accepted and additional qualifying information was sought.
  • Jared Atkinson at SpecterOps examines how attackers can utilise Extended Attributes on the NTFS file system to store malware.

  • Didier Stevens posted a few times about analysing malicious ISO files, including a reminder that the Zone.Identifier stream (the Mark-of-the-Web) doesn’t follow files extracted from a downloaded ISO.
  • Jamie McQuaid at Magnet Forensics shared three videos showcasing various methods of phone acquisition on Samsung devices using Axiom.
  • DFIR Guy at DFIR.Training talks about the many ways to get into the field, and then specifically about a DIY college degree.
  • On a similar note, James Habben at 4n6ir wrote a bit about infosec job listings and how they sometimes request every skill under the sun. My main takeaway from this post was really the part about being noticeable: starting a blog, speaking at conferences, meeting people etc. Let me know when you’ve done so, so I can share it.
  • Cindy Murphy’s article on Continuity/iCloud synchronization is important for those who deal with iOS devices and the question of file knowledge.
  • Sarah Edwards at Mac4n6 has updated her Mac MRU Parser Python script.
  • Steve Whalen at Sumuri shared an important clarification about Paladin and how it will remain donation-supported/free into the future.
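On the Zone.Identifier point above: the Mark-of-the-Web lives in an NTFS alternate data stream, so a file copied out of a mounted ISO is a fresh file with no stream at all, and a triage script that keys on the stream will report it as unmarked. The following is an added example (my own code, not from the original post or from Didier Stevens’ tools) that parses the INI-style Zone.Identifier content, classifies files by zone, and shows how the stream is opened on Windows. The file names and stream contents in SAMPLE_STREAMS are constructed for the demo; the ZoneId numbering (0 Local Machine through 4 Restricted Sites) is the standard URLMON zone numbering.

```python
"""Check which files carry a Mark-of-the-Web (the Zone.Identifier ADS).

Added example, not code from the original post or from Didier Stevens'
tools. Windows records the Mark-of-the-Web as an NTFS alternate data
stream named Zone.Identifier with INI-style content. A file copied out of
a mounted ISO is a new NTFS entry with no such stream, so this check
reports it as unmarked even though the ISO itself was downloaded.
"""
from typing import Dict, Iterable, Optional

# URLMON security zone numbers as they appear in the ZoneId= field.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample streams (not real captures). None models a file that
# has no Zone.Identifier stream at all, e.g. one extracted from an ISO.
SAMPLE_STREAMS: Dict[str, Optional[str]] = {
    "tools.iso": (
        "[ZoneTransfer]\r\n"
        "ZoneId=3\r\n"
        "ReferrerUrl=https://example.test/\r\n"
        "HostUrl=https://example.test/tools.iso\r\n"
    ),
    "setup.exe": None,  # extracted from tools.iso: no stream follows it
    "intranet.docx": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "broken.bin": "[ZoneTransfer]\r\nZoneId=three\r\n",
}


def parse_zone_identifier(stream: str) -> Dict[str, str]:
    """Return the key/value pairs of the [ZoneTransfer] section.

    Keys outside that section are ignored; an empty dict means the stream
    had no [ZoneTransfer] section.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier stream on NTFS (Windows only).

    Python opens alternate data streams with the usual 'file:stream'
    syntax. Any OSError (no such stream, non-NTFS volume, non-Windows
    host) is reported as None, i.e. "no Mark-of-the-Web".
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def classify(streams: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each file name to a verdict derived from its stream content."""
    verdicts: Dict[str, str] = {}
    for name, stream in streams.items():
        if stream is None:
            verdicts[name] = "no Mark-of-the-Web"
            continue
        fields = parse_zone_identifier(stream)
        try:
            zone = int(fields["ZoneId"])
        except (KeyError, ValueError):
            verdicts[name] = "malformed Zone.Identifier"
            continue
        verdict = ZONE_NAMES.get(zone, f"unknown zone {zone}")
        if "HostUrl" in fields:
            verdict += f" (HostUrl={fields['HostUrl']})"
        verdicts[name] = verdict
    return verdicts


def classify_paths(paths: Iterable[str]) -> Dict[str, str]:
    """Run the same check against real files on a Windows NTFS volume."""
    return classify({p: read_zone_identifier(p) for p in paths})


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_STREAMS).items():
        print(f"{name:15} {verdict}")
```

On a live Windows box, `classify_paths` over the extracted files is the quick way to confirm what the post describes: the ISO shows ZoneId=3 with the download HostUrl, while everything copied out of it comes back as “no Mark-of-the-Web”, which is why SmartScreen and Office Protected View never see those files as downloaded.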

There were a few interesting software updates/releases as well:

  • Blackbag Technologies have released MacQuisition 2017 R1
  • Oxygen Forensics have updated their Detective product to v9.4.2 adding the ability to obtain physical extractions from the latest “passcode-locked Motorola devices running Android OS”.
  • Elcomsoft updated their iOS Forensic Toolkit to version 2.30, adding “physical support for some previously unsupported combinations of hardware (32-bit devices) and software (iOS 9.1 through 9.3.4)” for iOS devices.
  • DME Forensics released version 2 of their DVR Examiner product.
  • Johan Berggren has announced a new version of Timesketch. Johan also added a live demo server so you can test Timesketch out and see how it can help your examinations.
  • There were other updates to X-Ways, Forensic Explorer, OSForensics, XRY, ExifTool, MOBILedit Forensic, Axiom, UFED Physical Analyzer, Forensic Browser for SQLite, HFS+ Journal Parser and Evimetry.
Thanks for listening!
*Apologies for the formatting of this post – wordpress just didn’t want to play