Week 35 – 2017


  • Adam Harrison has started a new blog, 1234n6, and wrote a couple of articles regarding the analysis of volumes with data deduplication enabled.
  • The guys at Cyber Forensicator shared a paper from the Journal of Forensic Sciences by Ayesha Arshad, Waseem Iqbal, and Haider Abbas titled “USB Storage Device Forensics for Windows 10”.
    USB Storage Device Forensics for Windows 10

  • David Dym at EasyMetaData has a post showing the MRUs that Visual Studio uses to store recently accessed files/repositories in the registry.
    Visual Studio registry artifacts – part 2 – MRUs #DFIR

  • Alexis Brignoni at Initialization vectors provides step-by-step instructions for injecting data from an Android device extraction into an Android VM to assist in visualising the data as the user would have seen it. I played around with this during the week and found it immensely helpful.
    Viewing extracted Android app data using an emulator

  • Jamie McQuaid at Magnet Forensics shows how to use Axiom and F-Response Enterprise “to preview or analyze the data on a live system with minimal impact to the user or system”.
    Using F-Response and Magnet AXIOM: Use Case 2 – Preview No Artifacts

  • Dan O’Day has “built a simple GUI (C#) Google Analytics Domain Hash Calculator app” which can be used to “try to figure out which domain [a UTMA value] corresponds to”.
    Google Analytics Domain Hash Calculator

  • Over on my ThinkDFIR site, I shared my Google URL Parsing project from earlier in the year.
    Google URL Parsing with GSERPENT

  • There were a few posts on the Port 139 blog by Hideaki Ihara:
    • The first is an article on orphaned files in FAT32 showing how Autopsy presents a file deleted from a folder, and a file deleted off the root of a FAT32 volume.
      FAT32 and Dogs
    • The second post was regarding FireEye’s report on APT28, however, I didn’t have enough time to decipher what Google Translate gave me, so I’m just linking to it for those interested.
      APT28 and the HKCU\Environment Key
    • He reviewed the “New Pacifier APT Components Point to Russian-Linked Turla Group” report and examined the “six types of automatic activation methods for activating malware” that were reported in Autoruns.
      Turla's Autostart Techniques
    • Lastly, he examined the autostart technique used by TROJ_ANDROM.SVN.
      ANDROM and Autostart (Regsvr32)



  • Mick Douglas at Binary Defense will be hosting a webinar on threat hunting on the 14th September 2017 at 1PM EST.
    Threat Hunting: Strategies for Success

  • Lee Reiber at Oxygen Forensics will be hosting a webinar on “The Forensic Kill Chain” on Thursday, September 7, 2017, at 8 am PDT / 11 am EDT / 4 pm BST.
    The Forensic Kill Chain





And that’s all for Week 35! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
