Week 36 – 2017


  • Glenn Edwards Jr at Hidden Illusion has a post on enumerating prefetch filename hashes to brute-force the original path of an executable. He also lists various use cases where this may be helpful.
    Go Prefetch Yourself
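    As an added illustration of the technique described above (this is not code from the Hidden Illusion post), the script below enumerates candidate device paths from a small directory wordlist and keeps the ones whose prefetch hash matches the hex value embedded in the .pf filename. The three hash functions are reproduced from the libscca Windows Prefetch File format documentation (XP, Vista and the Windows 7/8/10 "2008" variant); treat that reproduction, the wordlist and the sample path as assumptions and confirm against a known .pf file from the same OS before relying on a result.

```python
from itertools import product

MASK32 = 0xFFFFFFFF


def scca_xp_hash(path: str) -> int:
    """Prefetch hash used by Windows XP / Server 2003 (per libscca docs)."""
    h = 0
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK32
    h = (h * 314159269) & MASK32
    if h > 0x80000000:
        h = 0x100000000 - h
    return h % 1000000007


def scca_vista_hash(path: str) -> int:
    """Prefetch hash used by Windows Vista (per libscca docs)."""
    h = 314159
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK32
    return h


def scca_2008_hash(path: str) -> int:
    """Prefetch hash used by Windows 7 / 8 / 10: eight characters per round."""
    h = 314159
    i, n = 0, len(path)
    while i + 8 < n:
        c = ord(path[i + 1]) * 37
        for k in (2, 3, 4, 5, 6):
            c = (c + ord(path[i + k])) * 37
        c += ord(path[i]) * 442596621
        c += ord(path[i + 7])
        h = (c - h * 803794207) & MASK32
        i += 8
    while i < n:          # trailing characters, one at a time
        h = (37 * h + ord(path[i])) & MASK32
        i += 1
    return h


HASHERS = {"xp": scca_xp_hash, "vista": scca_vista_hash, "2008": scca_2008_hash}


def split_pf_name(pf_name: str):
    """'NOTEPAD.EXE-D8414F97.pf' -> ('NOTEPAD.EXE', 0xD8414F97)."""
    stem = pf_name[:-3] if pf_name.lower().endswith(".pf") else pf_name
    exe, sep, hexhash = stem.rpartition("-")
    if not sep:
        raise ValueError(f"not a prefetch filename: {pf_name}")
    return exe.upper(), int(hexhash, 16)


def resolve_prefetch_path(pf_name, volumes, directories, os_family="2008"):
    """Enumerate \\DEVICE\\HARDDISKVOLUME<n>\\<dir>\\<exe> candidates and return
    every one whose hash equals the value embedded in the .pf filename.
    Note: for hosting processes (svchost, rundll32, dllhost, mmc) Windows also
    hashes the command line, so a plain path enumeration will not match those."""
    exe, target = split_pf_name(pf_name)
    hasher = HASHERS[os_family]
    hits = []
    for vol, directory in product(volumes, directories):
        candidate = f"\\DEVICE\\HARDDISKVOLUME{vol}\\{directory}\\{exe}".upper()
        if hasher(candidate) == target:
            hits.append(candidate)
    return hits


def demo():
    # Constructed scenario (not a real artefact): start from a known path,
    # derive the .pf name Windows 7+ would produce, then recover the path
    # from that name alone using a small directory wordlist.
    true_path = r"\DEVICE\HARDDISKVOLUME2\USERS\ALICE\DOWNLOADS\INSTALLER.EXE"
    pf_name = f"INSTALLER.EXE-{scca_2008_hash(true_path):08X}.pf"
    wordlist = ["WINDOWS\\SYSTEM32", "USERS\\ALICE\\DOWNLOADS",
                "USERS\\ALICE\\DESKTOP", "TEMP"]
    return pf_name, resolve_prefetch_path(pf_name, volumes=range(1, 5),
                                          directories=wordlist)


if __name__ == "__main__":
    name, matches = demo()
    print(name, "->", matches)
```

    The enumeration space is volumes × directories × executable names, so the practical limit is the quality of the directory wordlist; paths under user profiles are where this approach earns its keep, since system paths are usually guessable anyway.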

  • Jim Hoerricks at Amped Software discusses when someone should seize a DVR and provides some resources for best practices.
    To seize or to retrieve: that is the question

  • There were a few posts by Cyber Forensicator this week
  • Arman Gungor at Metaspike sought to answer the question “is it possible to detect that a user has deleted an attachment from an e-mail prior to producing it?” Arman was able to show that the file size did not update when the attachment was removed (so a large file size with no attachment would probably highlight it) and that a new Root Entry was added to the end of the file with the date that the attachment was removed (although I’m not sure if this was added by the removal or the saving process). Oddly enough, the attachment wasn’t removed from the e-mail file and could be carved out quite easily, which sounds like a bug that may be corrected in future, and explains why removing the attachment doesn’t really reduce the size of the e-mail itself.
    Recovering Removed Email Attachments — Outlook Email Forensics
  • Patrick Siewert at Pro Digital Forensics explains how to use CellHawk from Hawk Analytics to map GPS coordinates exported from a Cellebrite dump. I haven’t got a copy of UFED PA handy to check right now, but I think it’s possible to export GPS data to a KML file and import that into Google Earth/Maps. Pretty sure you can do that in XRY, or at least you used to be able to. Patrick said that he will be diving more into the CellHawk tool, so it would be interesting to see it compared with free tools like Google Earth.

    Cellular GPS Evidence: Waze + Cellebrite + CellHawk 

  • Nick Raedts at Raedts.BIZ explains “the differences between deleting a file and wiping a file, and also explain how different drive types (HDD vs SSD) affect the outcome.” The first half of the post also describes the different drives and file systems that examiners will commonly see.

    File deletion vs wiping (HDD vs SSD) 

  • Lionel Faleiro at SandmaxPrime shows how to parse Windows LNK files using PowerForensics.

    PowerForensics – Windows LNK Analysis 
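    For readers who would rather see the structure than the PowerForensics cmdlets, here is an added example (not the SandmaxPrime post’s code, and not PowerForensics) that parses the fixed 76-byte ShellLinkHeader of a .lnk file as laid out in MS-SHLLINK: the LinkCLSID sanity check, the LinkFlags and FileAttributes bitmasks, the three FILETIME stamps of the target, and the target size. A header is constructed inline so it runs offline; the flag names are the MS-SHLLINK ones, and the sample timestamps and size are made up.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C  # 76 bytes, fixed by MS-SHLLINK
FILETIME_EPOCH_DELTA = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRIBUTES = {
    0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
    0x10: "DIRECTORY", 0x20: "ARCHIVE",
}
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601) -> aware UTC datetime, or None if unset."""
    if ft == 0:
        return None
    return UNIX_EPOCH + timedelta(microseconds=(ft - FILETIME_EPOCH_DELTA) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer maths to avoid float rounding."""
    delta = dt - UNIX_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10 + FILETIME_EPOCH_DELTA


def decode_flags(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_lnk_header(data):
    """Parse the ShellLinkHeader; raises ValueError if the bytes are not a Shell Link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to hold a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, icon_index, show_cmd, hotkey) = struct.unpack("<I16sIIQQQIIIH", data[:66])
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    return {
        "link_flags": decode_flags(flags, LINK_FLAGS),
        "file_attributes": decode_flags(attrs, FILE_ATTRIBUTES),
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,      # size of the target at the time the link was made
        "icon_index": icon_index,
        "show_command": show_cmd,  # 1 = SW_SHOWNORMAL
        "hotkey": hotkey,
    }


def build_lnk_header(flags, attrs, created, accessed, modified, size):
    """Constructed fixture: only the 76-byte header, no trailing structures."""
    return struct.pack(
        "<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID.bytes_le, flags, attrs,
        datetime_to_filetime(created), datetime_to_filetime(accessed),
        datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)


def demo():
    # Constructed sample: a Unicode link with an ID list and link info,
    # pointing at an archive-flagged file of 180224 bytes.
    created = datetime(2017, 9, 4, 8, 30, 0, tzinfo=timezone.utc)
    modified = datetime(2017, 9, 8, 17, 45, 12, tzinfo=timezone.utc)
    sample = build_lnk_header(0x01 | 0x02 | 0x80, 0x20, created, created, modified, 180224)
    return parse_lnk_header(sample)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>16}: {value}")
```

    The timestamps here describe the link target as it was when the shortcut was created or last refreshed, not the .lnk file itself; comparing them with the file-system timestamps of the target is one of the routine checks when a shortcut is used to show that a file existed on the system.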

  • SANS shared a sponsored whitepaper by WireX about how to use their Network Forensics Platform for incident response.

    The Efficiency of Context: Review of WireX Systems Incident Response Platform 

  • Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ links to LiMEaide, “a python application developed by Daryl Bennett that can remotely dump RAM of a Linux client.”

    LiMEaide: remotely dump RAM of a Linux client

  • Brett Shavers has a post on the meaning of the phrase “forensically sound” specifically when applied to evidence. “Forensically sound more aptly applies to the technical processes and methods, but does not really define whether or not a ‘thing’ is evidence or not or that a court will accept it or not”. I liked his comparison between processes that “alter” evidence such as an autopsy – capturing RAM is a process and the extraction for that specific case cannot be reproduced, but the process is the important part. From there the analysis is the reproducible (forensically sound?) part.
    “Forensically Sound”.  One of those phrases that is commonly used, misused, unused, and abused.

  • Digital Forensics Corp shared a few articles this week
    • They shared an article by Patrick Siewert on Call Detail Records Analysis
      Call Detail Records Analysis
    • They shared a link to PPEE, which is a PE file explorer.
      PPEE Overview
    • They shared Donato Pasqualicchio‏’s PowerShell cheatsheet
      PowerShell Cheat Sheet
    • They shared a paper by Luca Massarelli, Leonardo Aniello, Claudio Ciccotelli,
      Leonardo Querzoni, Daniele Ucci and Roberto Baldoni on “Android Malware Family Classification Based on Resource Consumption over Time”
      Android Malware Classification
    • They shared a couple of articles on Android app reverse engineering: offensivepentest and evilsocket.

  • Oleg Afonin at Elcomsoft comments on the recent changes to iOS and how they may affect mobile forensics. Users are now required to enter their passcode when pairing their phone with a computer; this will have an impact on those that rely on Touch ID to access the phones they’re examining (my understanding is that whilst passcodes may be protected under the 5th Amendment, you may be able to compel someone to “provide a fingerprint” like you would in a forensic procedure). There’s also the introduction of an SOS mode that restricts unlocking to passcode only. Oleg also advises that Apple has removed notifications from backups, and shares some thoughts on 2FA.
    New Security Measures in iOS 11 and Their Forensic Implications
  • Andrea Little Limbago at Endgame commented on the recent report on Dragonfly released by Symantec.

    The Escalation of Destructive Attacks: Putting Dragonfly in Context 

  • There were a couple of posts on the Forensic Focus blog this week
  • Lee Reiber has a post on LinkedIn that lists an example of when extracting data from a drone may be important and how the recent update to Oxygen Forensic Detective can assist. Apparently, this update is a field first, so that’s cool; I recall Paraben supporting extracting data from the DJI app, but if I had any questions I’d probably direct them here.

    Impacting the Digital Forensic Space with Industry Leading Drone Support

  • Action Dan at LockBoxx provides a brief review of “How to Investigate Like a Rockstar: Live a real crisis to master the secrets of forensic analysis” by Sparc Flow. Overall it was a very positive review so I might have to pick this up and have a read (it’s fairly short).

    Book Review: “How to Investigate like a Rockstar”

  • There were a couple of posts on the Magnet Forensics blog this week
  • Yulia Samoteykina at Atola Technology explains Atola’s multi-pass imaging technique, which allows an examiner to skip damaged sections of a drive when an error is encountered. The idea is that on a pass, if errors are encountered, the program skips a defined number of blocks in an attempt to read all of the good parts of the drive first. The jump distance is reduced on each subsequent pass. The end result is that you may end up with a large portion of the data quicker, and can choose to skip extracting the damaged section altogether.

    Multi-pass imaging of damaged drives
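    To make the pass/jump logic concrete, here is an added simulation (my own illustration, not Atola’s code or imaging engine) of the technique described above. A drive is modelled as a list of sectors where damaged LBAs raise a read error; each pass walks the drive skipping sectors already captured, jumps ahead on an error, and later passes shrink the jump. The sector size, the jump schedule of 64/16/4/1 and the damaged ranges are all constructed for the demo.

```python
class SimulatedDrive:
    """Constructed stand-in for a failing disk: LBAs in `bad` raise on read."""
    SECTOR = 512

    def __init__(self, n_sectors, bad_sectors):
        self.n_sectors = n_sectors
        self.bad = frozenset(bad_sectors)
        self.read_attempts = 0   # every read() call, successful or not

    def read(self, lba):
        self.read_attempts += 1
        if lba in self.bad:
            raise IOError(f"unrecoverable read error at LBA {lba}")
        return bytes([lba & 0xFF]) * self.SECTOR


def multipass_image(drive, jumps=(64, 16, 4, 1)):
    """Image `drive` in several passes with a shrinking jump distance.

    Each pass starts at LBA 0 and skips sectors already in the image. On a
    read error the pass jumps ahead by this pass's jump, so the first pass
    recovers the readable bulk quickly and later passes close in on the
    damaged region. Returns (image, unreadable, stats) where image maps
    LBA -> bytes and stats holds (jump, sectors_captured, errors) per pass.
    Passing a shorter `jumps` tuple is the equivalent of stopping early and
    leaving the damaged region unread.
    """
    image = {}
    stats = []
    for jump in jumps:
        lba, errors = 0, 0
        while lba < drive.n_sectors:
            if lba in image:
                lba += 1
                continue
            try:
                image[lba] = drive.read(lba)
                lba += 1
            except IOError:
                errors += 1
                lba += jump          # leave the bad patch for a later pass
        stats.append((jump, len(image), errors))
        if len(image) == drive.n_sectors:
            break                    # nothing left to retry
    unreadable = set(range(drive.n_sectors)) - set(image)
    return image, unreadable, stats


def demo():
    # Constructed drive: 1000 sectors, a 50-sector bad patch at 100-149 and
    # a single bad sector at 700.
    drive = SimulatedDrive(1000, list(range(100, 150)) + [700])
    image, unreadable, stats = multipass_image(drive)
    return len(image), sorted(unreadable), stats, drive.read_attempts


if __name__ == "__main__":
    captured, unreadable, stats, attempts = demo()
    for jump, have, errs in stats:
        print(f"jump={jump:>3}: {have} sectors captured, {errs} errors")
    print(f"{captured} readable, {len(unreadable)} unreadable, {attempts} read attempts")
```

    On the demo drive the first pass captures 872 of the 949 readable sectors with only two error hits; the remaining passes fill in the edges of the bad patch, and every good sector is read exactly once. The cost of insisting on a final jump-of-1 pass is visible in the last row of stats, where each of the 51 bad sectors is retried once more, which is exactly the retry time the examiner may prefer to skip on a drive that is deteriorating.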

  • Richard Wartell at Palo Alto Networks shares pictures of the prizes for the recent LabyREnth CTF challenge.

    LabyREnth CTF 2017: Check Out the Prizes 

  • Scott Roberts continues his learning about ICS/SCADA systems, providing a background of the environment that defenders of these systems will be protecting.

    Crash Override Chronicles: Background 

  • Dave Shackleford at ShackF00 shares his thoughts on the lack of defence-based talks at Black Hat and DEF CON. Personally, I think that the better talks are the ones that say “here’s how you attack, and here’s what it looks like/how you can protect against it”. I’m not really interested in just the attack methods, because that doesn’t really improve everyone’s security, which, as I understood it, was the point of the security cons.
    Where are the “Actionable Defense” talks?

  • Megan Hallowell at Champlain College’s Leahy Center for Digital Investigation shares her experience at Enfuse 2017 regarding Jessica Bair’s ransomware presentation.
    Enfuse 2017 Reflection – Megan Hallowell: Tracking Ransomware

  • @Happyasamonkey posed a question on Twitter during the week that led to some interesting discussion surrounding indexing as a matter of course on a job. Generally, most people said that they didn’t index unless they were required to, but the main points that came out of it were:
    1) Index when the job requires it, but don’t have the box ticked for every job.
    2) It’s useful for creating wordlists for password cracking.
    3) Myself and another said that if you’ve got the time and resources then you can run additional processing even if you don’t use it, but others disagreed. My point is that if my machine is doing nothing over the weekend then it doesn’t necessarily hurt to have it done if the case may benefit, especially if the job changes and you need it anyway. Of course, your mileage may vary, and Eric raised a good point about whether you may end up making more work for yourself by additional processing. I guess it depends on the cases you work, because if you do additional processing and find something you didn’t know was there then it can make it worthwhile.
    4) X-Ways simultaneous search is generally faster for individual searches, but of course your case may pivot and you would then benefit from an index; Eric shares a tip on how to make it less crash-prone.
    Check out @happyasamonkey’s Tweet

  • @inakiabadia posted a tutorial for developing Volatility plugins
    Check out @inakiabadias Tweet

  • Charles Herring at Witfoo continues his series on people being more important than machines, with part two covering algorithms and machine learning and part three covering “how cognition & AI compare & how they can work together.”
    People > Machines (Part Two)


  • Amped Software have released Five Update 9722 with a variety of new features.
    Amped FIVE Update 9722: Genetec Omnicast G64/G64X Support, Full Uncompressed AVI Export Compatibility, Filter Panel Options and much, much more!

  • Arsenal Consulting advised that they have updated HibernationRecon (latest v1.1.0.66) to work with PowerShell ISE, and Arsenal Image Mounter “now resolves [duplicate] volume GUIDs” (v2.3.24). They also announced that their training now comes with a year’s worth of their tools.

    Check out @ArsenalArmed’s Tweet 

  • Eric Zimmerman updated ShellBags Explorer, adding new GUIDs, shellbag types and extension blocks, as well as updating SBECmd to process the live registry and recursively search a given directory for relevant registry files.

    ShellBags Explorer released! 

  • Didier Stevens updated his re-search Python script to v0.0.9, adding the “-x (–hex) [option] to produce hexadecimal output.”

    Update: re-search.py Version 0.0.9 

  • MD5 updated VFC to v4.17.8.25, improving the Windows 10 password bypass and adding an option to the ‘Modify Hardware’ feature.

    New VFC4 Update Available to Download Now! 

  • Oxygen Forensics has updated their Detective product to version 9.6, introducing drone support (they specify DJI Phantom 3 and DJI Inspire 1, but it may cover others as well), as well as improvements to the cloud extractor and the ability to “bypass screen lock on a greater variety of Motorola devices and supports simultaneous Android data extraction”.

    Oxygen Forensic® Detective extracts data from drones! 

  • X-Ways Forensics 19.4 was released with a number of additional improvements over Beta 2.

    X-Ways Forensics 19.4 

  • Yogesh Khatri at Swift Forensics has developed “an extendible framework (in python) which has plugins to parse different artifacts on a mac”. Interestingly, it’s designed to allow examiners to process Macs without a Mac. I’m very interested to see how this project plays out because a) Mac-only stuff, i.e. disk images, and b) Unicode can cause issues on Windows, so I’m always interested to see how that’s handled. Also, more Mac knowledge is always a good thing; it’s a very underserved part of the community…hopefully someone *cough* Sarah *cough* gets their act together and releases a comprehensive book on OS X/macOS forensic analysis.

    Releasing mac_apt – macOS Artifact Parsing Tool

And that’s all for Week 36! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
