Week 31 – 2017


  • The guys at Digital Forensics Corp shared a couple of articles of interest this week
  • Mark Mckinnon has released another Autopsy plugin. This plugin parses “the Volume Shadow of an image, extract the changed files and then load them as a new data source and create an extracted view content of each volume shadow”.
    Renzik Can Now See His Shadow!
  • Packt Publishing shared an article by Oleg Skulkin and Scar De Courcier from their book Windows Forensic Cookbook. The article covers “drive acquisition in E01 format with FTK Imager, drive acquisition in RAW Format with DC3DD, and mounting forensic images with Arsenal Image Mounter.”
    Windows Drive Acquisition

  • There’s a post on Paraben’s Forensic Impact blog showing some of the data that can be obtained from Alexa (both app and cloud stored data) using the latest update to their E3 platform.
    Alexa Your BFF or Worst Nightmare

  • Nick Raedts at Raedts.BIZ walks through the process of determining a Windows computer’s last shutdown time using NirSoft’s TurnedOnTimesView.
    Examining when a system was turned on and off.

  • David Dym at RRTX examines the “Find and Replace” history stored in the registry by Visual Studio 2015, and then privateregistry.bin in Visual Studio 2017.
    Visual Studio registry artifacts – part 1 – find & replace #dfir

  • Anton Lopanitsyn at Wallarm shows how to parse DS_Store files on an OS X system to identify files/folders in a directory.
    Hunting the Files!

  • Yogesh Khatri at Swift Forensics lists a few locations on recent versions of OSX (10.9+) that store the serial number of the Mac that they were found on.
    Finding the Serial number of a Mac from disk image

  • Pieces0310 shares the location of the Index database relating to the WeChat Android app. This index may have indications of previously deleted chat messages.
    Dig out WeChat deleted chat messages on Android Phone – Pieces0310

  • Pieces0310 also shows how he bypasses a Win10 logon password using Lazesoft’s Recover My Password. I can’t recall if I figured out a way around the Win10 LiveID passwords, might have to put that on the research list. If anyone has a way to extract the cached password/hash then let me know.
    How to bypass Win10 logon password? – Pieces0310



  • Sean Blaton at Carbon Black talks about the different types of malware.
    “The 101” – Episode 4 – What are the Different Types of Malware?
  • Douglas Brush interviewed Brett Shavers on Cyber Security Interviews this week. “In this episode we discuss starting forensics in law enforcement, his approaches to investigations, what makes a good DFIR examiner, forensic tools, Windows FE, book writing advice, IoT surveillance, and so much more.”
    #028 – Brett Shavers: It’s Not the Machine, But the Examiner

  • Cysinfo posted the presentations from their 11th Quarterly meetup.
    11th Quarterly Meetup –  29TH July 2017

  • Didier Stevens shared a couple of videos this week
    .ISO Files & autorun.inf

    • The first shows that an autorun.inf file inside an ISO will not execute when you open an ISO on Win8/10.
      .ISO Files & autorun.inf
    • The second shows that the ZoneID associated with a ZIP file downloaded from the Internet will follow the files found inside it, unlike ISO files where the ZoneID does not follow the contained files.
      .ZIP Files With Zone.Identifier

  • David Cowen at the HECF Blog has shared the National Collegiate Cyber Defense Competition Red Team Debrief 2017 as well as a bit of background about the competition.
    National Collegiate Cyber Defense Competition Red Team Debrief 2017

  • On this week’s Digital Forensics Survival podcast, Michael talks about the strings command/executable and its various uses. One time I found this command particularly useful was for a plist that stored data outside of the regular XML tags, so when viewed with a plist viewer critical information wasn’t shown.
    DFSP # 076 – Strings!

  • Steve Whalen at Sumuri reassures the community that Paladin will remain free/donation supported.
    A Message to SUMURI’s Customers from CEO Steve Whalen

  • Dave/Karit has released his presentation from DefCon 2017 on GPS Spoofing & controlling NTP time. This could have a great application for dealing with iPhones whose batteries have died. For those that don’t know, this resets the time to Unix epoch and occasionally you can turn on an iPhone and it’ll tell you there are x million minutes until you can enter the password – even with the correct password, there’s little that you can do. I really should find an iPhone to test this on and see if when it connects to the network if it automatically fixes the date/time.
    Take a look at @nzkarit’s Tweet

  • Patrick Wardle shared his presentation from Blackhat/Defcon 2017 on OSX/FruitFly malware analysis
    Take a look at @patrickwardle’s Tweet

  • I also released the first “This Month In 4n6” podcast during the week. It’s a quick summary of the happenings of the last month, I don’t know if I’ll expand it further than that, but it’s meant to be for the people that don’t want to read through the thousands of words I write each week. It’s in this feed so I’m not sure why I’m mentioning it again. You can find it on iTunes.




And that’s all for Week 31! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s