This Month In 4n6 – July – 2017

Monthly wrap up of the DFIR news for July 2017!

I haven’t really decided if I want sponsors or to Patreon this so I would appreciate some feedback regarding that.

Special thanks to my friend Jeff (Animatic on Soundcloud) for letting me use one of his tracks.

Show notes:

Oleg Afonin at Elcomsoft has compared the data that can be extracted from various cloud sources including Google Drive, Apple iCloud and Microsoft OneDrive using Elcomsoft’s tools.
Garrett Pewitt at Forensic Expedition continues his series on note-taking using OneNote part 2 and part 3.
On the topic of note taking- Robert Merriott guest posted on the Mobile & Technology Exploration blog about the pros and cons of the variety of ways that examiners can take notes.
Jonathon Poling at Ponder The Bits digs into the hibernation file as he has noticed that a number of the artefacts that we used to get aren’t being extracted since Win8.
Dr. Ali Dehghantanha had a number of posts on the SANS Internet Storm Centre covering BitTorrent Sync version 2.0.
Arsenal consulting released some information about a forged digital forensics report which may be the first forged DF report that’s been talked about.
Cindy Murphy at Gillware Digital Forensics shared a case where chip extraction/reading didn’t work and instead a transplant was required on a mobile phone
Adam at Hexacorn provides “a brain-dump of ‘malicious’ ideas that memory forensics will not help with, or will find at least challenging”
Devon Ackerman and Mary Ellen Kennel joined David Cowen on the Forensic Lunch to talk about their AboutDFIR project.
Brett Shavers has released a new training course based on his 4Cast award nominated book, “Hiding Behind The Keyboard”. Brett also published a post with a lesson on investigations that can be applied across the board
Chris Sanders has released a new online course for using ELK for Security Analysis
John Patzakis, Esq. at X1 Discovery posted an interesting development in Canadian courts where the RCMP used screen recording tools to capture social media evidence instead of a dedicated tool resulting in the evidence not being immediately accepted and instead, additional qualifying information was sought.
Jared Atkinson at SpecterOps examines how attackers can utilise the Extended Attributes on the NTFS file system to store malware.
Didier Stevens posted a few times about analysing malicious ISO files and a reminder that ZoneIdentifier’s don’t follow files extracted from downloaded ISO.
Jamie McQuaid at Magnet Forensics shared a few videos showcasing various methods of phone acquisition on Samsung devices using Axiom
Video 1, 2, 3
DFIR Guy at DFIR.Training talks about the many ways to get into the field and then specifically about a DIY college degree.
On a similar note, James Habben at 4n6ir wrote a bit about infosec job listings and how they sometimes request every skill under the sun. My main takeaway from this post was really the part about being noticeable – starting a blog, speaking at conferences, meeting people etc. letting me know when you’ve done so so I can share it
Cindy Murphy’s article on Continuity/iCloud synchronization is important for those that deal with iOS devices and the question of file knowledge.
Sarah Edwards at Mac4n6 has updated her Mac MRU Parser Python script.
Steve Whalen at Sumuri shared an important clarification about Paladin and how it will remain donation-supported/free into the future.

There were a few interesting software updates/releases as well:

Blackbag Technologies have released MacQuisition 2017 R1
Oxygen Forensics have updated their Detective product to v9.4.2 adding the ability to obtain physical extractions from the latest “passcode-locked Motorola devices running Android OS”.
Elcomsoft updated their iOS Forensic Toolkit version 2.30 adding “physical support for some previously unsupported combinations of hardware (32-bit devices) and software (iOS 9.1 through 9.3.4)” for iOS devices.
DME Forensics released version 2 of their DVR Examiner product.
Johan Berggren has announced a new version of Timesketch. Johan also added a live demo server so you can test Timesketch out and see how it can help your examinations.
There were other updates to X-ways, Forensic Explorer, OSForensics, XRY, ExifTool, MobilEdit Forensic, Axiom, UFED Physical Analyser, Forensic Browser for SQLite, HFS+ Journal Parser, Evimetry