Week 37 – 2017







  • Arsenal Consulting updated their Registry Recon Quick Start guide.
    Check out @Arsenalarmed’s Tweet

  • BlackBag will now provide a USB-C to USB connector for anyone who has purchased MacQuisition in the last 30 days and into the future. It’s a shame that they aren’t providing this to people with active subscriptions as well, although to get the best “experience”, I’d suggest a USB-C to USB-C and USB-A hub (like this, but maybe cheaper) since you’re going to want to connect the dongle and a destination drive as well. Alternatively, maybe there’s a way to transfer MacQuisition to a 1TB external SSD... something to play with at some point (this may be a breach of the terms of service, so if BlackBag wanted to offer a 1TB SSD version I think people might be interested).
    MacQuisition now includes USB-C Adapter with Purchase

  • Patrick Howell O’Neill at Cyberscoop has a write-up about Berla, the company that produces the car infotainment unit acquisition tool, iVe. Usually I wouldn’t mention this kind of article but I feel it’s important because I’m not sure if people know how much data they may be able to obtain from car systems.
    Meet Berla, the little-known company that can pull smartphone data from your car

  • Dan Pullega tweeted out his thoughts on teaching DFIR – sit them down and walk through your process and explain your logic/reasoning.
    Check out @4n6k’s Tweet

  • DFIR Guy at DFIR.Training has a great post on the distinctions in work and personalities behind the digital forensics, incident response, and e-discovery spaces. This can be helpful for giving advice to people as to where to dive in when they’re looking to get into DFIR.
    For the new kids on the block

  • Preston Miller and Chapin Bryce’s book titled “Python Digital Forensics Cookbook” is now available for pre-order and is due out October 5th.
    Python Digital Forensics Cookbook

  • Scar at Forensic Focus shared her roundup of the past month’s forum posts.
    Forensic Focus Forum Round-Up

  • The guys at H-11 Digital Forensics shared a story about how data from a Fitbit was critical in a murder case…which sounds very similar to the DFRWS IoT challenge.
    Fitbit Used as Key Evidence in Murder Case

  • Adam at Hexacorn updated his EDR sheet to include LimaCharlie.
    Updated EDR Sheet – LimaCharlie

  • John Patzakis, Esq. at X1 Discovery explains the impact of the FRE 902(14) on social media evidence and how examiners will most likely be required to use a dedicated extraction product instead of taking screenshots.
    Federal Rule of Evidence 902(14) Will Especially Impact Social Media Evidence Preservation

  • Yulia Samoteykina at Atola Technologies explains how to use the “splitting imaging sessions functionality” that was added to the latest version of Atola Insight Forensic.
    Splitting an imaging session to separate targets

  • Ryan McGeehan provides some information on responding to AWS breaches.
    Responding to typical breaches on AWS

  • Felisa Charles at The Leahy Center for Digital Investigation shares her experience at Enfuse 2017; in particular, Jake Williams’ talk on knowing normal to find evil.
    Enfuse 2017 Reflection – Felisa Charles: Know Normal, Find Evil

  • Also from LCDI, Jack Gleason shares his experience at Enfuse 2017 and Julie Lewis’ presentation on social media evidence.
    Enfuse 2017 Reflection – Jack Gleason: Social Media as Digital Evidence

  • Bradley Schatz announced that AFF4 support has been pushed to the Volatility project so we should be seeing that in an upcoming release – if you want it now you’ll have to pull the source.
    Check out @blschatz’s Tweet

  • Charles Herring at WitFoo continues his series on people and machines, with part four covering playbook automation and part five covering a number of different topics.

  • Pieces0310 shared their concern regarding LE being able to force a suspect to look at their new iPhone X to unlock the device, after which they “could start to do mobile forensics easily and conveniently”. If we combine this with what we learnt about the updated iOS from Elcomsoft last week, then to perform an extraction, examiners would be required to enter a passcode to verify the trust relationship. A way around this would be to sync the device with the user’s own computer if they still did that, but I imagine that’s rarer than it was when the iPhone first came out. This means that the LE examiner may be able to unlock the device, but the examination won’t necessarily be easy and may require a lot of time, effort, and photographs of the screen.
    The most interesting feature of iPhone X – FaceID – Pieces0310


And that’s all for Week 37! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
