Week 34 – 2017



  • Dale at Chip_DFIR returns to blogging and shares his experience using GRR on a test environment.
    Hunting Evilness – GRR

  • Shaun Waterman at Cyberscoop shared the news that “omodo recently announced Comodemia, a program that would make its vast database on more than 120 million malware incidents — and the analytics engines used to mine it for insights — available online for university, government, and nonprofit researchers and educators.”
    Security companies give public free way to sift through malware research

  • Kristina Sisk at Happy Threat Hunting shares a “quick look at creating a detection strategy and how it can include your hunt program.”
    Applying Detection to the Attacker Lifecycle

  • Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’ shares a variety of links and lessons learned regarding threat hunting and anomaly detection.
    Homegrown Hunt: You Can Do This!





  • Cellebrite updated their UFED firmware to v6.3, and the corresponding software to v6.3.6. The updates improve device support for physical extraction and lockscreen bypass, iOS ithmb decoding, as well as other improvements, features, and bug fixes. One of the improvements I’m interested in seeing is the suggestions for extraction methods of unsupported devices. If you come across an unsupported device you may be able to perform an extraction using a similar model, or a generic profile that is based on the CPU chip on the device. Now if only Cellebrite updated their support list to have the CPU that the phone uses for easy searching that would make life a bit easier.
    UFED Ultimate & UFED InField v6.3 & UFED Physical Analyzer, UFED Logical Analyzer & Reader 6.3.6 [August 2017]

  • Brian Carrier explains some of the recent updates to Cyber Triage (now at v2.1.4) including “analytics for user activity” and user’s web artefacts. I wasn’t able to locate full release notes for this update.
    Analytics Make User Account Investigations Easier

  • Elcomsoft Phone Breaker v7.0 was released, “adding the ability to extracts saved passwords, payment data and other sensitive information from Apple’s secure online storage, the iCloud Keychain”. Oleg Afonin commented on the latest update and explains iCloud keychain security
    Elcomsoft Phone Breaker 7.0 Extracts Passwords from iCloud Keychain

  • After a lengthy hiatus, First Response have updated CaseNotes, now at version The update modifies the storage file format, as well as adding a spellchecker, a graphical check-list builder, a template editor, as well as other improvements.
    CaseNotes is Back!

  • Ryan Benson announced that Hindsight has been updated to version 2.1.1 with support for Chrome v1-60 and other improvements.
    Hindsight v2.1.1

  • Hopefully should be getting notifications for Magnet Software releases soon, but in the meantime, special thanks to Focus Systems for sharing. Axiom was updated to v1.1.4.6064, and IEF was updated to v6.9.3.7144. The updates include some functional improvements to the tools, as well as improved support for Skype and Android SMS, and bug fixes.
    Magnet Axiom/IEF Updated

  • “A new version of MISP 2.4.79 has been released including an important security fix (persistent XSS on comment field), multiple bug fixes and new functionalities.”
    MISP 2.4.79 released

  • Nir Sofer at Nirsoft updated AlternateStreamView to v1.53 to fix a bug. You can download the latest version here
    Take a look at @nirsoft’s Tweet

  • X-Ways Forensics 19.4 Beta 1 was released, adding an option to “always produce a new item in the search term list, even if the keyword that you are looking for is identical to a previously used keyword or a keyword in the same run”. This is useful if you run the same keyword with different settings.
    X-Ways Forensics 19.4 Beta 1

And that’s all for Week 34! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s