Monthly wrap-up of the DFIR news for July 2017!
I haven’t really decided if I want sponsors or to Patreon this, so I would appreciate some feedback regarding that.
Special thanks to my friend Jeff (Animatic on Soundcloud) for letting me use one of his tracks.
- Oleg Afonin at Elcomsoft has compared the data that can be extracted from various cloud sources including Google Drive, Apple iCloud and Microsoft OneDrive using Elcomsoft’s tools.
- Garrett Pewitt at Forensic Expedition continues his series on note-taking using OneNote with part 2 and part 3.
- On the topic of note-taking, Robert Merriott guest-posted on the Mobile & Technology Exploration blog about the pros and cons of the various ways examiners can take notes.
- Jonathon Poling at Ponder The Bits digs into the hibernation file, as he has noticed that a number of the artefacts we used to get from it aren’t being extracted since Windows 8.
- Dr. Ali Dehghantanha had a number of posts on the SANS Internet Storm Center covering BitTorrent Sync version 2.0.
- Arsenal Consulting released some information about a forged digital forensics report, which may be the first forged DF report to be discussed publicly.
- Cindy Murphy at Gillware Digital Forensics shared a case where chip-off extraction/reading of a mobile phone didn’t work and a transplant was required instead.
- Adam at Hexacorn provides “a brain-dump of ‘malicious’ ideas that memory forensics will not help with, or will find at least challenging”.
- Devon Ackerman and Mary Ellen Kennel joined David Cowen on the Forensic Lunch to talk about their AboutDFIR project.
- Brett Shavers has released a new training course based on his Forensic 4:cast Award-nominated book, “Hiding Behind The Keyboard”. Brett also published a post with a lesson on investigations that can be applied across the board.
- Chris Sanders has released a new online course on using ELK for security analysis.
- John Patzakis, Esq. at X1 Discovery posted about an interesting development in Canadian courts: the RCMP used screen-recording tools to capture social media evidence instead of a dedicated collection tool, with the result that the evidence was not immediately accepted and additional qualifying information was sought instead.
- Jared Atkinson at SpecterOps examines how attackers can use NTFS Extended Attributes to store malware (note that EAs are a separate NTFS attribute from alternate data streams, so stream-listing tools won’t show them).
- Didier Stevens posted a few times about analysing malicious ISO files, including a reminder that the Zone.Identifier stream (the mark-of-the-web) on a downloaded ISO does not follow the files extracted from it.
- Jamie McQuaid at Magnet Forensics shared a few videos (1, 2, 3) showcasing various methods of phone acquisition on Samsung devices using Axiom.
- DFIR Guy at DFIR.Training talks about the many ways to get into the field and then specifically about a DIY college degree.
- On a similar note, James Habben at 4n6ir wrote a bit about infosec job listings and how they sometimes request every skill under the sun. My main takeaway from this post was really the part about being noticeable: starting a blog, speaking at conferences, meeting people etc. Let me know when you’ve done so, so I can share it.
- Cindy Murphy’s article on Continuity/iCloud synchronisation is important for those who deal with iOS devices and the question of file knowledge (whether a user knowingly put a file on a device, or whether it was synced there).
- Sarah Edwards at Mac4n6 has updated her Mac MRU Parser Python script.
- Steve Whalen at Sumuri shared an important clarification about Paladin and how it will remain donation-supported/free into the future.
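Didier Stevens’ ISO reminder above is easy to check for yourself. The PowerShell below is an added example (not code from the original post, from Didier’s blog, or from any of the tools mentioned): it reports the Zone.Identifier stream for every file under a directory, then walks through the ISO case by mounting a downloaded image, copying its contents out and re-running the check. The paths and the file name are assumptions for illustration; Mount-DiskImage needs Windows 8 or later. In 2017 the extracted files came back with no ZoneId at all, because CDFS/UDF has no alternate data streams to copy from; later Windows updates changed how the mark-of-the-web is propagated, so run the check rather than assuming either outcome.

```powershell
# Added example, not from the original post. Assumes Windows 8+/PowerShell 3+
# and an NTFS volume; paths below are hypothetical.

function Get-MarkOfTheWeb {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        # The Zone.Identifier ADS only exists on NTFS; elsewhere it is simply absent.
        $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        foreach ($line in @($zone)) {
            # Typical content: [ZoneTransfer] / ZoneId=3 (Internet) / ReferrerUrl=... / HostUrl=...
            if ($line -match '^ZoneId=(\d+)$') { $zoneId = [int]$matches[1]; break }
        }
        # All named streams on the file; ':$DATA' is the main content stream, so drop it.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' } |
                   ForEach-Object { $_.Stream }
        [pscustomobject]@{
            File    = $file.FullName
            ZoneId  = $zoneId            # 3 = Internet, 4 = Restricted; $null = no mark-of-the-web
            Streams = ($streams -join ',')
        }
    }
}

# --- The ISO case ---------------------------------------------------------
$iso       = 'C:\Users\analyst\Downloads\sample.iso'   # hypothetical downloaded ISO
$extracted = 'C:\case\extracted'                        # hypothetical working folder

# 1. The ISO itself carries the mark-of-the-web written by the browser.
Get-Item -LiteralPath $iso -Stream Zone.Identifier -ErrorAction SilentlyContinue |
    Select-Object FileName, Stream, Length

# 2. Mount it, copy its contents out, and check what the copies look like.
$img = Mount-DiskImage -ImagePath $iso -PassThru
$drv = ($img | Get-Volume).DriveLetter
New-Item -ItemType Directory -Path $extracted -Force | Out-Null
Copy-Item -Path "$($drv):\*" -Destination $extracted -Recurse
Get-MarkOfTheWeb -Path $extracted | Format-Table -AutoSize
Dismount-DiskImage -ImagePath $iso
```

A file with `ZoneId` of `$null` in the output will open without SmartScreen or Office Protected View prompts, which is exactly why the ISO wrapper is attractive to attackers. The Extended Attributes from the SpecterOps post above are not streams and will not appear in the `Streams` column; they live in the file’s $EA attribute and need the native NtQueryEaFile API (or an NTFS parser) to enumerate.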
There were a few interesting software updates/releases as well:
- BlackBag Technologies has released MacQuisition 2017 R1.
- Oxygen Forensics has updated its Detective product to v9.4.2, adding the ability to obtain physical extractions from the latest “passcode-locked Motorola devices running Android OS”.
- Elcomsoft updated iOS Forensic Toolkit to version 2.30, adding “physical support for some previously unsupported combinations of hardware (32-bit devices) and software (iOS 9.1 through 9.3.4)”.
- DME Forensics released version 2 of their DVR Examiner product.
- Johan Berggren has announced a new version of Timesketch. Johan also added a live demo server so you can test Timesketch out and see how it can help your examinations.
- There were also updates to X-Ways, Forensic Explorer, OSForensics, XRY, ExifTool, MOBILedit Forensic, Axiom, UFED Physical Analyzer, Forensic Browser for SQLite, HFS+ Journal Parser and Evimetry.
Thanks for listening!
*Apologies for the formatting of this post – WordPress just didn’t want to play.