Week 32 – 2017


  • Brett Shavers wrote a few articles this week
    • The first post discusses the various aspects of a photograph that can be used to place the suspect at the scene of the crime. This includes the content, combining the various elements of data stored in metadata with your knowledge of the case, as well as the examination of the camera itself if you have access to it. One thing that Brett didn’t mention is Camera Ballistics; I haven’t really played with it, but it can be used to determine if a camera was used to take a certain photo: if you have the camera in question and the suspect image, you can compare reference images with the suspect image to determine the likelihood that the camera was used to take the suspect image. Brett has also generously given readers of his blog a massive discount on his latest course, but the discount offer is only around for a few weeks, so act quickly.
      Placing the Suspect Behind the Camera
    • The second is more of a rationale behind writing his latest book and course, and about how some simple mechanisms can be used to blow a case open.
      Yes, you can place the suspect behind the keyboard, even if Tor is used.
    • The third covers the importance of knowing what to do over how to do something – “Learn the individual skills, but also learn when you need to employ those skills and why”.
      Knowing “how-to-do-it” is important, but first you need to know “what-to-do”.

  • The guys at Cyber Forensicator shared a few articles this week
    • They shared a video on using Adlumin to understand lateral movement.
      Understanding lateral movement with Adlumin
    • They advised that Oleg Skulkin and Scar de Courcier’s new book, Windows Forensics Cookbook, has been released and that it’s on sale for a short period of time (although it doesn’t appear that the sale is running anymore).
      Windows Forensics Cookbook for only 10$!
    • They shared a video made by FoneFunShop of the IP Box 3, which appears to be able to brute force iPhone 7 passcodes. I think this is the same device that was doing the rounds on Twitter a few weeks ago that hadn’t been externally confirmed to work. It can be found on the FoneFunShop site here.
      IP Box 3 – iPhone 7 Passcode Unlock Tool

  • Marcos at Follow The White Rabbit walks through the use of the file carving utility Foremost.
    My name is #Foremost: I’ve seen things you people wouldn’t believe

  • Nick Raedts at Raedts.BIZ talks about the different types of forensic images, and forensic image formats, as well as the information that should be documented when taking an image of a drive. Nick also briefly mentions write-blockers, duplicators, and live CDs.
    Forensics 101: What is a forensic image?

  • SalvationData will be hosting free online training on their DVR Forensics tool VIP on September 6th, 2017.
    DVR Forensics Online Training (FREE!)

  • Volume 22, Supplement of the Journal of Digital Investigation has been released, which details the papers presented at DFRWS US 2017.
    Volume 22, Supplement

  • Andrea Fortuna at “So Long, and Thanks for All the Fish” shares the various methods of examining and converting dump/crash files using Volatility.
    Volatility, my own cheatsheet (Part 7): Analyze and convert crash dumps and hibernation files

  • Arpan Raval at Network Intelligence has a post looking at “behaviour patterns and features of some Windows system processes and how we can embed that knowledge into a ‘rule’ to then identify any process which does not conform to the rule.”
    Threat Hunting for Masquerading Windows Processes

  • Cheryl Biswas at Cyberwatch shared a number of hunting concept diagrams created by Jack Crook. Jack has released a couple more since this post, on Authentication and Data Movement.
    A Hunting We Will Go

  • Andy Moore at MalwareSoup explains how to set up Neo4j visualisation of ELK/Sysmon data. Andy describes the task of visualising “network connections, process creation, image loads, named pipe interactions, etc.”, expanding on the work previously done here.
    Sysmon and Neo4j

  • Steve Borosh and Jeff Dimmock at SpecterOps have a post covering “how to monitor a distributed attack infrastructure with rsyslog to help facilitate quicker counter-response actions.”
    Attack Infrastructure Log Aggregation and Monitoring

  • Wesley Riley at Practical Incident Response has a post regarding getting into threat hunting and a methodology to do so.
    Threat Hunting: Experts Not Required

  • Suzanne Moore at Red Canary has a writeup of how one of their customers used the Red Canary tools during a breach.
    Shutting Down a Hands-on Keyboard Attack: Two Joes vs One Threat Actor

  • Also at Red Canary, Phil Hagen discusses the various types of threat intelligence and provides advice for those looking to build an effective threat intelligence program.
    Common Security Mistake #3: Aimless Use of Threat Intelligence

  • Mark Hofman has a post on the SANS Internet Storm Center Handler Diaries on an “attack that utilises OWA”, and methods of detecting the behaviour exhibited.
    Outlook Web Access based attacks, (Sat, Aug 12th)

  • Cisco released “GOSINT – the open source intelligence gathering and processing framework.” “GOSINT aggregates, validates, and sanitizes indicators for consumption by other tools like CRITs, MISP, or directly into log management systems or SIEM”.
    Open Source Threat Intel: GOSINT

  • Thomas Bouve at IBM’s Security Intelligence discusses the importance of threat intelligence and then provides some information obtained regarding the Petya campaign. He used Carbon Black Response during his threat hunting session.
    Threat Hunting Services Are Now a Basic Necessity

  • Jordan Wright at Duo shows how to hunt for malicious npm packages. Jordan shares a “quick Python script to find packages with preinstall, postinstall, or install scripts; find files executed by the script; and search those files for strings that could indicate suspicious activity.”
    Hunting Malicious npm Packages

And that’s all for Week 32! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
