Week 38 – 2017


  • Hideaki Ihara at the Port 139 blog has a few posts on the $INDEX_ROOT NTFS attribute.
    • Firstly, he takes a look at the $INDEX_ROOT NTFS attribute of a file.
      $INDEX_ROOT と $I30
    • Hideaki also has a post about ObjectID’s and how they are affected by moving the file across mediums. I’m wondering the USB drive he used was formatted to NTFS; because that might explain why the object ID didn’t transfer. I did a quick test on my system and moving between directories and other NTFS file systems seemed to maintain the object ID.
      NTFS $OBJECT_ID と Removable
    • Lastly, he shows how to manually parse the $INDEX_ROOT attribute of a file and obtain the ObjectID.
      $ObjId と $O

  • The Blackbag Training Team shares some information about Apples Unified logging. From the looks of the article, reviewing the logs requires a Mac and can use either Terminal or Console. They have also shared the command that examiners would have to run to identify all connected devices stored in the Unified logs.
    Accessing Unified Logs from an Image

  • Oleg Afonin at Elcomsoft explains that the latest Android update (8.0 – Oreo) now allows users to backup their SMS to the cloud (previously this was only Pixel devices). Oleg also runs through the multitude of other data available from an Android cloud backup and data sync, as well as how to force a full cloud backup. He also provides the steps for extracting “SMS text messages from Android 8.0 Oreo backups using Elcomsoft Cloud Explorer 1.40”.
    Android 8.0 Oreo: Your Text Messages Are in the Cloud Now

  • Jim Clausing has converted the mac_robber script to Python. Jim’s version adds the ability to hash files without modifying the access times and includes that in the bodyfile output.
    New tool: mac-robber.py, (Tue, Sep 19th)

  • Jim also shows how to mount a file system on Linux in a way that would allow an examiner to hash the files without updating the last access times.
    Forensic use of mount –bind, (Sun, Sep 24th)

  • The Journal of Digital Investigation for September 2017 (Volume 22) has been released.
    Volume 22 Journal of Digital Investigation

  • The Forensicator has written an article analysing “metadata for the files in Guccifer 2.0’s “Clinton Foundation” file dump (cf.7z), dated July 5, 2016”.
    Guccifer 2.0 CF Files Metadata Analysis

  • Anthony Berglund and Kevin Boyd at FireEye share pywintrace, which is “a flexible wrapper around Windows APIs to accelerate ETW research”
    Introducing pywintrace: A Python Wrapper for ETW

  • Yogesh Khatri at Swift Forensics takes a look at the naming structure of the entries under FXDesktopVolumePositions in the com.apple.finder.plist file. The names contain some random hex data at the end which appear to be the “‘Created date’ of the volume’s root folder (for most but not all the entries!)” in Mac Absolute Time.
    Interpreting volume info from FXDesktopVolumePositions







And that’s all for Week 38! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s